Closed
Bug 1678947
Opened 4 years ago
Closed 4 years ago
[Layout] [Generic] SEGV on unknown address 0x000000000058 HasAnyStateBits
Categories
(Core :: SVG, defect, P3)
Core
SVG
Tracking
()
RESOLVED
FIXED
85 Branch
People
(Reporter: simonjohnathan, Assigned: longsonr)
References
(Regression)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main85-])
Attachments
(1 file)
Testcase:
<html>
<head>
<style>
ol { float: right; }
</style>
<script>
function start() {
document.elementFromPoint(0,1);
document.dir = "rtl";
}
</script>
</head>
<body>
<svg onload="start()" requiredExtensions="x">
<g id="a"/></g>
<text>
<textPath xlink:href="#a">
</svg>
<ol></ol>
</body>
</html>
Log:
AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f28999d3fac bp 0x7ffc298
943d0 sp 0x7ffc29893f20 T0)
The signal is caused by a READ memory access.
Hint: address points to the zero page.
#0 0x7f28999d3fac in HasAnyStateBits /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:2349:59
#1 0x7f28999d3fac in IsSubtreeDirty /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4608:12
#2 0x7f28999d3fac in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, mozilla::IntrinsicDirty, nsFrameS
tate, mozilla::ReflowRootHandling) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:2725:34
#3 0x7f2899fe74bb in OnNonDOMMutationRenderingChange /builds/worker/checkouts/gecko/layout/svg/SVGObse
rverUtils.cpp:245:3
#4 0x7f2899fe74bb in mozilla::SVGRenderingObserverSet::InvalidateAll() /builds/worker/checkouts/gecko/
layout/svg/SVGObserverUtils.cpp:1059:19
#5 0x7f2899d46d93 in nsIFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/
worker/checkouts/gecko/layout/generic/nsIFrame.cpp:789:3
#6 0x7f2899bc1687 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:296:22
#7 0x7f2899c79f0c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#8 0x7f2899bc143e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:225:11
#9 0x7f2899c79f0c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#10 0x7f2899bc143e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:225:11
#11 0x7f2899ff3528 in mozilla::SVGOuterSVGFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDest
royData&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:965:29
#12 0x7f2899e0e6f6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*,
mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:387:14
#13 0x7f2899bc0dd7 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /bu
ilds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:441:3
#14 0x7f2899e0e6f6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*,
mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:387:14
#15 0x7f2899bc0dd7 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /bu
ilds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:441:3
#16 0x7f2899c79f0c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&
) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#17 0x7f2899bc143e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:225:11
#18 0x7f2899c0b5bc in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /b
uilds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:230:21
#19 0x7f2899c79f0c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&
) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#20 0x7f2899bc143e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)
/builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:225:11
#21 0x7f2899c1ce9e in Destroy /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:742:5
#22 0x7f2899c1ce9e in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /bui
lds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:179:19
#23 0x7f2899a8ced7 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstr
uctor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7558:5
#24 0x7f2899a821e7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstruct
or::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8542:7
#25 0x7f2899a1cd54 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worke
r/checkouts/gecko/layout/base/RestyleManager.cpp:1489:25
#26 0x7f2899a27463 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)
/builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3033:9
#27 0x7f28999e7624 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager
.cpp:3112:3
#28 0x7f28999e7624 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds
/worker/checkouts/gecko/layout/base/PresShell.cpp:4182:39
#29 0x7f2894dc2079 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozill
a/PresShell.h:1409:5
#30 0x7f2894dc2079 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /buil
ds/worker/checkouts/gecko/dom/base/Document.cpp:10258:16
#31 0x7f2894b97a1b in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/nsGlobalWindow
Inner.cpp:6175:11
#32 0x7f2894b97a1b in nsGlobalWindowInner::ScrollBy(double, double) /builds/worker/checkouts/gecko/dom
/base/nsGlobalWindowInner.cpp:3776:3
#33 0x7f2896354b2a in mozilla::dom::Window_Binding::scrollBy(JSContext*, JS::Handle<JSObject*>, void*,
JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:4612:28
#34 0x7f2896b943c8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::M
aybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int,
JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3229:13
#35 0x7f289d0c0174 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13
#36 0x7f289d0c0174 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct,
js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:598:12
#37 0x7f289d0c254e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worke
r/checkouts/gecko/js/src/vm/Interpreter.cpp:663:10
#38 0x7f289d0a8f46 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:667:10
#39 0x7f289d0a8f46 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/In
terpreter.cpp:3336:16
#40 0x7f289d0899a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/v
m/Interpreter.cpp:476:13
#41 0x7f289d0c037c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct,
js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:635:13
#42 0x7f289d0c254e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worke
r/checkouts/gecko/js/src/vm/Interpreter.cpp:663:10
#43 0x7f289d0c28d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvoke
Args const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interp
reter.cpp:680:8
#44 0x7f289da22d62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleVal
ueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2829:10
#45 0x7f2896785d29 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::H
andle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worke
r/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:278:37
#46 0x7f289734b5d1 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>
>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla
::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/w
orkspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
#47 0x7f2897349792 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checko
uts/gecko/dom/events/JSEventHandler.cpp:201:12
#48 0x7f289730e91e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager:
:Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/Ev
entListenerManager.cpp:1079:22
#49 0x7f28973100e1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::Widg
etEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkout
s/gecko/dom/events/EventListenerManager.cpp:1270:17
#50 0x7f28972fdb6e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozi
lla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:352:17
#51 0x7f28972fc373 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTar
getChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationD
etector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:554:16
#52 0x7f28973007c9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::Widget
Event*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::E
ventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1092:11
#53 0x7f2897305b79 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*,
mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispa
tcher.cpp
#54 0x7f289509a74f in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::
ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1315:17
#55 0x7f2894ae180f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstrin
g<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, m
ozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4072:28
#56 0x7f2894ae1553 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTS
ubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/work
er/checkouts/gecko/dom/base/nsContentUtils.cpp:4042:10
#57 0x7f28976731c9 in mozilla::dom::HTMLTrackElement::DispatchTrustedEvent(nsTSubstring<char16_t> cons
t&) /builds/worker/checkouts/gecko/dom/html/HTMLTrackElement.cpp:471:3
#58 0x7f28976a70f4 in applyImpl<mozilla::dom::HTMLTrackElement, void (mozilla::dom::HTMLTrackElement::
*)(const nsTSubstring<char16_t> &), StoreCopyPassByConstLRef<const nsTString<char16_t> > , 0> /builds/work
er/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#59 0x7f28976a70f4 in apply<mozilla::dom::HTMLTrackElement, void (mozilla::dom::HTMLTrackElement::*)(c
onst nsTSubstring<char16_t> &)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#60 0x7f28976a70f4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLTrackElement*, void (mozil
la::dom::HTMLTrackElement::*)(nsTSubstring<char16_t> const&), true, (mozilla::RunnableKind)0, nsTString<ch
ar16_t> const>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#61 0x7f2891e5bae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskCo
ntroller.cpp:245:16
#62 0x7f2891e585d7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail
::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:51
5:26
#63 0x7f2891e56477 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::
BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:
15
#64 0x7f2891e568cd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gec
ko/xpcom/threads/TaskController.cpp:171:36
#65 0x7f2891e633b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:85:37
#66 0x7f2891e633b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal():
:$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#67 0x7f2891e82ffb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/thr
eads/nsThread.cpp:1197:14
#68 0x7f2891e8dcfc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threa
ds/nsThreadUtils.cpp:513:10
#69 0x7f2893016efa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/chec
kouts/gecko/ipc/glue/MessagePump.cpp:87:21
#70 0x7f2892f3acf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc
:334:10
#71 0x7f2892f3acf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:
327:3
#72 0x7f2892f3acf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_
loop.cc:309:3
#73 0x7f2899464b77 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:1
37:27
#74 0x7f289cc5831a in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/ns
AppStartup.cpp:270:30
#75 0x7f289ce7eb7f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cp
p:5086:22
#76 0x7f289ce80f3b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/c
heckouts/gecko/toolkit/xre/nsAppRunner.cpp:5278:8
#77 0x7f289ce81843 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/
gecko/toolkit/xre/nsAppRunner.cpp:5334:21
#78 0x55fe65740e5b in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:218:22
#79 0x55fe65740e5b in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:336:16
#80 0x7f28aae95151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
#81 0x55fe65693cb5 in _start (/mnt/firefox2/firefoxa/firefox/firefox-bin2+0x55cb5)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:2349:59 in HasAny
StateBits
Found On:
84.0a1 (64bit) - Linux
Flags: sec-bounty?
|
||
Updated•4 years ago
|
Group: firefox-core-security → layout-core-security
Component: Security → Layout
Product: Firefox → Core
|
||
Comment 1•4 years ago
|
||
I think this always crashes on a null-pointer access. In a debug build I get:
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file layout/generic/nsPlaceholderFrame.h:186
Severity: -- → S3
Status: UNCONFIRMED → NEW
Type: task → defect
Component: Layout → SVG
Ever confirmed: true
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•4 years ago
|
||
Do you want me to unassign myself from this bug emilio?
Flags: needinfo?(emilio)
|
|
||
Updated•4 years ago
|
Attachment #9189574 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•4 years ago
|
Assignee: longsonr → nobody
Status: ASSIGNED → NEW
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(emilio)
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 6•4 years ago
|
||
Ok, so the null-check is the right fix, because we destroy the out of flow here, and we invalidate while destroying the in-flow below.
So it's ~ok to just null-check, but it needs a crashtest. Do you want to submit it? Or should I?
Flags: needinfo?(emilio) → needinfo?(longsonr)
|
|
Assignee | |
Comment 7•4 years ago
|
||
Can we add a crashtest to a security bug or should we land my patch and add the test later. Although I'm not sure this is actually security sensitive because it's just a null pointer dereference.
Flags: needinfo?(longsonr)
|
|
||
Updated•4 years ago
|
Assignee: nobody → longsonr
Attachment #9189574 -
Attachment is obsolete: false
Status: NEW → ASSIGNED
|
|
||
Comment 8•4 years ago
|
||
(In reply to Robert Longson [:longsonr] from comment #7)
Can we add a crashtest to a security bug or should we land my patch and add the test later. Although I'm not sure this is actually security sensitive because it's just a null pointer dereference.
Yeah this is not a security bug, it's just a null deref as you said, so I think a crashtest is just fine.
|
||
Comment 9•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/3c7c2938225c4a23d2f4adca50eb3ae573d41308
https://hg.mozilla.org/mozilla-central/rev/3c7c2938225c
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox85:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
|
||
Updated•3 years ago
|
Group: core-security-release
status-firefox83:
--- → wontfix
status-firefox84:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite+
|
||
Updated•3 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•3 years ago
|
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main85-]
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•