Closed Bug 1646806 Opened 4 years ago Closed 2 years ago

AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2152:17 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType)

Categories

(Core :: Layout: Grid, defect)

defect

Tracking

()

RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox79 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f291dd9e075c.

==24057==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f11e2f3d3d5 bp 0x7ffd9d40d8e0 sp 0x7ffd9d40d4e0 T0)
==24057==The signal is caused by a READ memory access.
==24057==Hint: address points to the zero page.
    #0 0x7f11e2f3d3d4 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2152:17
    #1 0x7f11e2f37dfa in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:354:3
    #2 0x7f11e31106fd in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4931:15
    #3 0x7f11e31193ef in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5218:14
    #4 0x7f11e310edc6 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5269:15
    #5 0x7f11e310ddda in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5437:13
    #6 0x7f11e3108f2f in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6101:11
    #7 0x7f11e30f4db5 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5378:3
    #8 0x7f11e30f2d27 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3611:12
    #9 0x7f11e3132ae9 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8467:21
    #10 0x7f11e2d92b4e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9605:11
    #11 0x7f11e2da5407 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9778:24
    #12 0x7f11e2da3e7d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4244:11
    #13 0x7f11e2d31587 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2064:20
    #14 0x7f11e2d3e9f6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #15 0x7f11e2d3e9f6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:350:7
    #16 0x7f11e2d3e5f5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #17 0x7f11e2d4da72 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:819:5
    #18 0x7f11e2d4da72 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:737:16
    #19 0x7f11e2d4d04f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:639:7
    #20 0x7f11e2d3b9e2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:20
    #21 0x7f11da29308e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #22 0x7f11da29e07c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
    #23 0x7f11db6230cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #24 0x7f11db5005e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #25 0x7f11db5005e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #26 0x7f11db5005e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #27 0x7f11e288e058 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #28 0x7f11e6446b56 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #29 0x7f11db5005e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #30 0x7f11db5005e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #31 0x7f11db5005e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #32 0x7f11e644613f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #33 0x55c35d7fdb43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #34 0x55c35d7fdb43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #35 0x7f11fe06fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2152:17 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType)
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200618094105-f291dd9e075c. Failed to bisect testcase (Start build crashes!): > Start: a440f0629814ea638bdbee6cf2f1a0425dd04c61 (20190620094631) > End: 7f0b0cbecd946aee526a869853a46a14ee44b1f9 (20200618044329) > BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)
Crash Signature: [@ mozilla::ReflowInput::Init ] [@ mozilla::dom::ContentParent::AssertNotInPool ]
Crash Signature: [@ mozilla::ReflowInput::Init ] [@ mozilla::dom::ContentParent::AssertNotInPool ] → [@ mozilla::ReflowInput::Init ]
Keywords: crash
Severity: normal → S3

Testcase crashes using the initial build (mozilla-central 20211106093208-0283aba1bf20) but not with tip (mozilla-central 20221104160427-510fd2811bcd.)

The bug appears to have been fixed in the following build range:

Start: 9e8698175fd4ea34e36bd60e3c8815b9cba1d10c (20221020222429)
End: ce7bd39cd8f854a7fe67ce8a8350ba9e94f6a4e3 (20221020231751)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9e8698175fd4ea34e36bd60e3c8815b9cba1d10c&tochange=ce7bd39cd8f854a7fe67ce8a8350ba9e94f6a4e3

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

This appears to have been fixed via bug 1679797.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → FIXED

Is it worth landing the testcase from this bug still or did bug 1679797 cover that?

Assignee: nobody → emilio
Depends on: 1679797
Flags: needinfo?(emilio)
Target Milestone: --- → 108 Branch

It's the same underlying issue, so I think we're fine here.

Flags: needinfo?(emilio)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: