1655741 - Assertion failure: frame, at /builds/worker/checkouts/gecko/dom/base/Element.cpp:860

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev eba7e3ce9382 (built with --enable-debug). Testcase must be served over HTTP in order to reproduce.

Assertion failure: frame, at /builds/worker/checkouts/gecko/dom/base/Element.cpp:860

==10870==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8de89f9368 bp 0x7ffc80a24000 sp 0x7ffc80a23fa0 T10870)
==10870==The signal is caused by a WRITE memory access.
==10870==Hint: address points to the zero page.
    #0 0x7f8de89f9367 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f8de89f9367 in mozilla::dom::Element::GetClientAreaRect() /builds/worker/checkouts/gecko/dom/base/Element.cpp:860:5
    #2 0x7f8de9b1d6d2 in ClientHeight /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1310:35
    #3 0x7f8de9b1d6d2 in mozilla::dom::Element_Binding::get_clientHeight(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3610:39
    #4 0x7f8de9e48486 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3102:13
    #5 0x7f8deccc1b11 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
    #6 0x7f8deccc1389 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
    #7 0x7f8deccc2e4f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #8 0x7f8deccc302f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
    #9 0x7f8decdd34b7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
    #10 0x7f8de7cac9fd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/dist/include/jsapi.h:1516:10
    #11 0x7f8de7cac6a8 in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /builds/worker/checkouts/gecko/js/xpconnect/wrappers/XrayWrapper.cpp:2101:10
    #12 0x7f8dece28877 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:372:19
    #13 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
    #14 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
    #15 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
    #16 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
    #17 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
    #18 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
    #19 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
    #20 0x7f8deccc8a9f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
    #21 0x7f8deccc7f0d in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4703:10
    #22 0x7f8deccb3d72 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:218:10
    #23 0x7f8deccad086 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
    #24 0x7f8deccc12e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #25 0x7f8deccc2e4f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #26 0x7f8ded688fd7 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:2978:10
    #27 0xff3b19a9092  (<unknown module>)

UndefinedBehaviorSanitizer can not provide additional info.

Comment 1

[Emilio Cobos Álvarez (:emilio)]

I added that assertion recently, thanks.

Comment 2

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1655741 - Don't assert that there's a primary frame as long as there's a scroll frame for the root scroll frame. r=mats,#layout-reviewers

There's no correctness issue here, but the assertion is just wrong. For
the scrolling element we may get the root scrollable frame even though
the primary frame is null.

Comment 3

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fc18fa1b110b
Don't assert that there's a primary frame as long as there's a scroll frame for the root scroll frame. r=mats

Comment 4

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/66666abbfefa
Add some metadata to the new test to appease wptlint.

Comment 5

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/24801 for changes under testing/web-platform/tests

Comment 6

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/fc18fa1b110b
https://hg.mozilla.org/mozilla-central/rev/66666abbfefa

Comment 7

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200730093956-0e4bc84faa30.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by jgraham