Closed Bug 1680184 Opened 4 years ago Closed 3 years ago

[subgrid] InvalidArrayIndex_CRASH at CopyUsedTrackSizes

Component: Core :: Layout: Grid
Type: defect
Status: RESOLVED WORKSFORME
Reporter: ahihibughunter
Assignee: MatsPalmgren_bugz
Keywords: reporter-external, sec-other
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file, 1 obsolete file

Attached file testcase.html

Firefox nightly version 85.0a1 (2020-12-01) (64-bit)
Result:
AddressSanitizer:DEADLYSIGNAL

=================================================================
==74030==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000128be73e9 bp 0x7ffee2ae9290 sp 0x7ffee2ae9290 T0)
==74030==The signal is caused by a WRITE memory access.
==74030==Hint: address points to the zero page.
==74030==WARNING: failed to spawn external symbolizer (errno: 9)
==74030==WARNING: failed to spawn external symbolizer (errno: 9)
==74030==WARNING: failed to spawn external symbolizer (errno: 9)
==74030==WARNING: failed to spawn external symbolizer (errno: 9)
==74030==WARNING: failed to spawn external symbolizer (errno: 9)
==74030==WARNING: Failed to use and restart external symbolizer!
    #0 0x128be73e9 in InvalidArrayIndex_CRASH(unsigned long, unsigned long)+0x5e (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x138a73e9)
    #1 0x12068c4b7 in CopyUsedTrackSizes(nsTArray<nsGridContainerFrame::TrackSize>&, nsGridContainerFrame const*, nsGridContainerFrame::UsedTrackSizes const*, nsGridContainerFrame const*, nsGridContainerFrame::Subgrid const*, mozilla::LogicalAxis)+0xf17 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb34c4b7)
    #2 0x12068d421 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint)+0xd81 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb34d421)
    #3 0x1206f7526 in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType)+0x5a6 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb3b7526)
    #4 0x1206f8b44 in nsGridContainerFrame::GetMinISize(gfxContext*)+0xc4 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb3b8b44)
    #5 0x120593d66 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x3f6 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb253d66)
    #6 0x1205b1b78 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x1a8 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb271b78)
    #7 0x1204d54e4 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType)+0x1934 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1954e4)
    #8 0x1204cb1a4 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType)+0x12a4 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb18b1a4)
    #9 0x1204c49d6 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&)+0x5a6 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1849d6)
    #10 0x1204c6630 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x8c0 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb186630)
    #11 0x12050a6e6 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*)+0x8f6 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1ca6e6)
    #12 0x120507c59 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*)+0x8b9 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1c7c59)
    #13 0x1206d8790 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&)+0x1780 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb398790)
    #14 0x1206da648 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x14a8 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb39a648)
    #15 0x12059482b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x43b (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb25482b)
    #16 0x12056a7ab in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x122b (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb22a7ab)
    #17 0x12062c070 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)+0x1420 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ec070)
    #18 0x12062e170 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)+0x320 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ee170)
    #19 0x12063acff in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xd8f (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2facff)
    #20 0x1205957d5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x335 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2557d5)
    #21 0x120506892 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x642 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1c6892)
    #22 0x1202b6524 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)+0x1ac4 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf76524)
    #23 0x1202ce448 in mozilla::PresShell::ProcessReflowCommands(bool)+0x478 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf8e448)
    #24 0x1202cc4a8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)+0x1ba8 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf8c4a8)
    #25 0x1203c95ae in nsDocumentViewer::LoadComplete(nsresult)+0x23e (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0895ae)
    #26 0x12323df4c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)+0x89c (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xdefdf4c)
    #27 0x12323d17e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)+0xabe (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xdefd17e)
    #28 0x12323f7df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)+0xf (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xdeff7df)
    #29 0x118213c4b in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)+0x43b (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ed3c4b)
    #30 0x118212844 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)+0x364 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ed2844)
    #31 0x11820db44 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&)+0xb14 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ecdb44)
    #32 0x118210ff7 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult)+0x737 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ed0ff7)
    #33 0x11821241c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)+0xc (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ed241c)
    #34 0x115a4b832 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)+0x3f2 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x70b832)
    #35 0x115a4e8ef in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)+0x6f (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x70e8ef)
    #36 0x119b96fb2 in mozilla::dom::Document::UnblockOnload(bool)+0x762 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4856fb2)
    #37 0x119bc3463 in mozilla::dom::Document::DispatchContentLoadedEvents()+0x10c3 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4883463)
    #38 0x119ccb925 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()+0x75 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x498b925)
    #39 0x1156d86e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3986e0)
    #40 0x1156e65e7 in mozilla::RunnableTask::Run()+0x347 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a65e7)
    #41 0x1156e193a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a193a)
    #42 0x1156dee5e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xae (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ee5e)
    #43 0x1156df467 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39f467)
    #44 0x1156ee091 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae091)
    #45 0x1157113bf in nsThread::ProcessNextEvent(bool, bool*)+0x138f (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d13bf)
    #46 0x11571d42d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3dd42d)
    #47 0x116c8e10e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x40e (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x194e10e)
    #48 0x116b64362 in MessageLoop::Run()+0x1d2 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1824362)
    #49 0x11fb3d7cf in nsBaseAppShell::Run()+0x4f (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa7fd7cf)
    #50 0x11fc9a50c in nsAppShell::Run()+0x3cc (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa95a50c)
    #51 0x123f5277e in XRE_RunAppShell()+0x28e (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xec1277e)
    #52 0x116b64362 in MessageLoop::Run()+0x1d2 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1824362)
    #53 0x123f51bf4 in XRE_InitChildProcess(int, char**, XREChildData const*)+0xf94 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xec11bf4)
    #54 0x10d10e456 in main+0x1b6 (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100001456)
    #55 0x7fff71e9bcc8 in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==74030==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee2ae9340  rcx = 0x000000010db18b40  rdx = 0x0000100021b63168
rdi = 0x000000010db1adc0  rsi = 0x0000000000000001  rbp = 0x00007ffee2ae9290  rsp = 0x00007ffee2ae9290
 r8 = 0x00007ffee2ae86b0   r9 = 0x00007ffee2ae9120  r10 = 0x0000000000000001  r11 = 0x0000000128d3ffc8
r12 = 0x0000000000000001  r13 = 0x000062d00033e400  r14 = 0x0000000000000020  r15 = 0x0000000000000001
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Volumes/Samsung_T5/code/browsers/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x138a73e9) in InvalidArrayIndex_CRASH(unsigned long, unsigned long)+0x5e
==74030==ABORTING
Flags: sec-bounty?
Group: firefox-core-security → core-security
Type: task → defect
Component: Security → Layout
Product: Firefox → Core
Group: core-security → layout-core-security

Subgrid-related. Mats?

Status: UNCONFIRMED → NEW
Component: Layout → Layout: Grid
Ever confirmed: true
Flags: needinfo?(mats)
Summary: InvalidArrayIndex_CRASH at CopyUsedTrackSizes → [subgrid] InvalidArrayIndex_CRASH at CopyUsedTrackSizes

Seems similar to bug 1624356 / bug 1645152, probably a dupe of any of those...

It doesn't seem security-sensitive though, as it's a release assertion.

See Also: → 1645152, 1624356

This patch makes
testing/web-platform/tests/css/css-grid/subgrid/abs-pos-003.html fail,
which was introduced in bug 1606516. I can adjust this if this is the
right fix though.

I'm not sure how it makes sense to subgrid something that's not in the
flow? Out of flows are not grid items generally iirc. Subgridding them
is so prone to cause all sorts of weirdness...

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Confirmed that the patch fixes both bugs.

Crash Signature: [@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
Group: layout-core-security
Severity: -- → S2

I can take this bug if you don't mind... It should be a fairly simple fix on top of bug 1638860.

Assignee: emilio → mats
Flags: needinfo?(mats)

> It doesn't seem security-sensitive though, as it's a release assertion.

Agreed. It's an nsTArray out-of-bounds read, for which we safely crash the content process.

Keywords: sec-other

Ah, sure, go ahead.

Attachment #9190800 - Attachment is obsolete: true
See Also: → 1641587
Flags: sec-bounty? → sec-bounty-

Closing because no crashes reported for 12 weeks.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME

The testcase still causes a crash for me on latest nightly
https://crash-stats.mozilla.org/report/index/674a0daf-12eb-4649-99f9-0be070210626

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
QA Whiteboard: qa-not-actionable

Closing because no crashes reported for 12 weeks.

Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME