Open Bug 1673994 Opened 4 years ago Updated 2 years ago

Stack-overflow near /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2250:80 in nsFloatManager::FloatInfo::FloatInfo

Categories

(Core :: Layout, defect)

defect

Tracking Status
firefox84 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 83bf4fd3b1fb (built with --enable-address-sanitizer --enable-fuzzing).

==3988535==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe31bc2fa8 (pc 0x561260157926 bp 0x7ffe31bc37f0 sp 0x7ffe31bc2fb0 T0)
    #0 0x561260157926 in __asan_memcpy /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7fccdc26d552 in nsRect /builds/worker/workspace/obj-build/dist/include/nsRect.h:43:33
    #2 0x7fccdc26d552 in mozilla::gfx::operator+(nsRect, nsPoint const&) /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/BaseRect.h:344:12
    #3 0x7fcce2039f90 in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2250:80
    #4 0x7fcce202e031 in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:265:13
    #5 0x7fcce1f33e77 in mozilla::BlockReflowInput::RecoverFloats(nsLineList_iterator, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:446:23
    #6 0x7fcce1f341e0 in mozilla::BlockReflowInput::RecoverStateFrom(nsLineList_iterator, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:477:5
    #7 0x7fcce1f9923f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2811:16
    #8 0x7fcce1f91492 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1372:3
    #9 0x7fcce1fdc327 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1081:14
    #10 0x7fcce207090b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:756:3
    #11 0x7fcce207256d in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:880:3
    #12 0x7fcce2078d6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1278:3
    #13 0x7fcce1faf39b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:294:11
    #14 0x7fcce1fbe937 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6619:9
    #15 0x7fcce1f35e7b in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:816:13
    #16 0x7fcce1f34721 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:558:14
    #17 0x7fcce21de48f in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:922:25
    #18 0x7fcce1fb2dbd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4516:15
    #19 0x7fcce1fb1d61 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4318:5
    #20 0x7fcce1fa9e8e in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4203:9
    #21 0x7fcce1fa2703 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3178:5
    #22 0x7fcce1f99491 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2712:7
    #23 0x7fcce1f91492 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1372:3
    #24 0x7fcce1fdc327 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1081:14
    #25 0x7fcce1fdafac in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:757:5
    #26 0x7fcce1fdc327 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1081:14
    #27 0x7fcce207090b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:756:3
    #28 0x7fcce207256d in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:880:3
    #29 0x7fcce2078d6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1278:3
    #30 0x7fcce1f81051 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1121:14
    #31 0x7fcce1f806e2 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:339:7
    #32 0x7fcce1da00d8 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9640:11
    #33 0x7fcce1db2687 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9813:24
    #34 0x7fcce1db1104 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4225:11
    #35 0x7fcce1da14fa in mozilla::PresShell::DidDoReflow(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9438:3
    #36 0x7fcce1db27bc in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9833:7
    #37 0x7fcce1db1104 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4225:11
    #38 0x7fcce1da14fa in mozilla::PresShell::DidDoReflow(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9438:3
...truncated
Flags: in-testsuite?
Summary: UndefinedBehaviorSanitizer: stack-overflow near /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2250:80 in nsFloatManager::FloatInfo::FloatInfo → Stack-overflow near /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2250:80 in nsFloatManager::FloatInfo::FloatInfo

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201028214727-9b78e4ae32ae.
Failed to bisect testcase (Start build crashes!):

Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
End: 83bf4fd3b1fbca9dcbe23de9d1a1503eed62569a (20201028092421)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon Analysis:
Unable to reproduce bug 1673994 using build mozilla-central 20201226094423-a7f08169ba3e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Got a crash on latest nightly

Crash Signature: [@ mozilla::gfx::Matrix4x4Typed<T>::TransformAndClipRect<T> ]

I found at least one other crash in the wild that exhibits the same overflow, besides the one reported by Mayank.

Severity: normal → S3