1678469 - crash near null in [@ nsFlexContainerFrame::FlexItemIterator::FlexItemIterator]

Status: VERIFIED FIXED

(Core :: Layout: Flexbox, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

==22796==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1b78069ebe bp 0x7ffe16448450 sp 0x7ffe16448420 T0)
==22796==The signal is caused by a READ memory access.
==22796==Hint: address points to the zero page.
    #0 0x7f1b78069ebe in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:413:37
    #1 0x7f1b78069ebe in end /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1246:34
    #2 0x7f1b78069ebe in nsFlexContainerFrame::FlexItemIterator::FlexItemIterator(nsTArray<nsFlexContainerFrame::FlexLine> const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1058:29
    #3 0x7f1b78069a92 in nsFlexContainerFrame::GenerateFlexLines(nsFlexContainerFrame::SharedFlexData const&, nsTArray<nsFlexContainerFrame::FlexLine>&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4080:20
    #4 0x7f1b7806cc33 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4464:5
    #5 0x7f1b77de1ee8 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9666:11
    #6 0x7f1b77df4547 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9839:24
    #7 0x7f1b77df2e34 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4250:11
    #8 0x7f1b77d7a48e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2250:20
    #9 0x7f1b77d885d9 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #10 0x7f1b77d885d9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
    #11 0x7f1b77d88251 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #12 0x7f1b77d87464 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
    #13 0x7f1b77d87464 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
    #14 0x7f1b77d868a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
    #15 0x7f1b77d86060 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
    #16 0x7f1b7852a248 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
    #17 0x7f1b714ca816 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #18 0x7f1b710b9de4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6247:32
    #19 0x7f1b70b196ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2146:25
    #20 0x7f1b70b156a4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2070:9
    #21 0x7f1b70b174a8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1918:3
    #22 0x7f1b70b17f78 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1949:13
    #23 0x7f1b6f7fb0f9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #24 0x7f1b6f7f7bb7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #25 0x7f1b6f7f5af7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #26 0x7f1b6f7f5f4d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #27 0x7f1b6f802c14 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #28 0x7f1b6f802c14 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #29 0x7f1b6f82361b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1194:14
    #30 0x7f1b6f82e81c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #31 0x7f1b70b22294 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #32 0x7f1b70a1a181 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #33 0x7f1b70a1a181 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #34 0x7f1b70a1a181 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #35 0x7f1b77877047 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #36 0x7f1b7b59bc2f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #37 0x7f1b70a1a181 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #38 0x7f1b70a1a181 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #39 0x7f1b70a1a181 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #40 0x7f1b7b59b1cc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #41 0x5627643fb55d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #42 0x5627643fb997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #43 0x7f1b92b71b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #44 0x56276434eef9 in _start (/home/twsmith/workspace/browsers/m-c-20201119095716-fuzzing-asan-opt/firefox+0x5aef9)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/Fx_EywogJj0lvya80lvGwg/index.html

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201119214432-b703fa5c3d16.
The bug appears to have been introduced in the following build range:

Start: 97855f04050aad83a2b4249edcffa282c9ad05ec (20200512181304)
End: 76aa4bf4eabd44912cc33a4ccd4d5474fc0e2ca7 (20200512181502)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=97855f04050aad83a2b4249edcffa282c9ad05ec&tochange=76aa4bf4eabd44912cc33a4ccd4d5474fc0e2ca7

Comment 3

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

[Child 46646, Main Thread] ###!!! ASSERTION: reflow roots should never split: '!target->GetNextInFlow() && !target->GetPrevInFlow()', file /home/aethanyc/Projects/gecko/layout/base/PresShell.cpp:9617

I see the above assertion in the debug build. It means a reflow root (because of contain:layout ) is still being split even if it has contain:size. I filed bug 1679819 to make abs-pos elements with contain:size monolithic.

Comment 4

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Attachment: Bug 1678469 - Add a wpt crashtest for removing a child under a flex container with size and layout containment.

Depends on D98227

Comment 5

[Pulsebot]

Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b015eacef377
Add a wpt crashtest for removing a child under a flex container with size and layout containment. r=emilio

Comment 6

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/26689 for changes under testing/web-platform/tests

Comment 7

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/b015eacef377

Comment 8

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201201093815-abafe6c923eb.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 9

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot