1697262 - crash at null in [@ mozilla::ScrollFrameHelper::GetPageLoadingState]

Status: VERIFIED FIXED

(Core :: Layout: Scrolling and Overflow, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

==20337==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f58cf31ef8c bp 0x7ffc5f081bd0 sp 0x7ffc5f081b00 T0)
==20337==The signal is caused by a READ memory access.
==20337==Hint: address points to the zero page.
    #0 0x7f58cf31ef8c in mozilla::ScrollFrameHelper::GetPageLoadingState() /gecko/layout/generic/nsGfxScrollFrame.cpp:5165:25
    #1 0x7f58cf335bb0 in mozilla::ScrollFrameHelper::ScrollToRestoredPosition() /gecko/layout/generic/nsGfxScrollFrame.cpp:5110:28
    #2 0x7f58cf33babb in mozilla::ScrollFrameHelper::ReflowFinished() /gecko/layout/generic/nsGfxScrollFrame.cpp:6489:5
    #3 0x7f58cf07bea5 in mozilla::PresShell::HandlePostedReflowCallbacks(bool) /gecko/layout/base/PresShell.cpp:4006:21
    #4 0x7f58cf06f31b in mozilla::PresShell::DidDoReflow(bool) /gecko/layout/base/PresShell.cpp:9414:3
    #5 0x7f58cf07eef8 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9810:7
    #6 0x7f58cf07d4f9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4256:11
    #7 0x7f58cf909c6f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1416:5
    #8 0x7f58cf909c6f in nsPrintJob::ReconstructAndReflow(bool) /gecko/layout/printing/nsPrintJob.cpp:1197:16
    #9 0x7f58cf9077a0 in nsPrintJob::SetupToPrintContent() /gecko/layout/printing/nsPrintJob.cpp:1291:21
    #10 0x7f58cf90e5b4 in DocumentReadyForPrinting /gecko/layout/printing/nsPrintJob.cpp:1032:17
    #11 0x7f58cf90e5b4 in nsPrintJob::MaybeResumePrintAfterResourcesLoaded(bool) /gecko/layout/printing/nsPrintJob.cpp:1537:10
    #12 0x7f58cf905030 in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1493:3
    #13 0x7f58cf9135d8 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /gecko/layout/printing/nsPrintJob.cpp:2688:17
    #14 0x7f58d25b9b99 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
    #15 0x7f58c8a961c4 in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:234:28
    #16 0x7f58c85e17c3 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8701:32
    #17 0x7f58c836c31a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2157:25
    #18 0x7f58c836897e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2081:9
    #19 0x7f58c836a338 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1929:3
    #20 0x7f58c836ae9b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1960:13
    #21 0x7f58c71246d6 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
    #22 0x7f58c7121293 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
    #23 0x7f58c711f167 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
    #24 0x7f58c711f5bd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
    #25 0x7f58c712bd44 in operator() /gecko/xpcom/threads/TaskController.cpp:136:37
    #26 0x7f58c712bd44 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #27 0x7f58c7147064 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1158:16
    #28 0x7f58c7151bdc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #29 0x7f58c8373b24 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #30 0x7f58c827df71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #31 0x7f58c827df71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #32 0x7f58c827df71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #33 0x7f58ceb4e8e7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #34 0x7f58d262757f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #35 0x7f58c827df71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #36 0x7f58c827df71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #37 0x7f58c827df71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #38 0x7f58d2626d0f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #39 0x558b403ed9fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #40 0x558b403ede21 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #41 0x7f58e739c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210309161138-5f0f6477c734.
The bug appears to have been introduced in the following build range:

Start: 056bbc57ca7c4eaff9ed44bbde2a9595a2258216 (20200904033504)
End: d871d71f519666171d7c300d585125d98ffd6a4e (20200904033328)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=056bbc57ca7c4eaff9ed44bbde2a9595a2258216&tochange=d871d71f519666171d7c300d585125d98ffd6a4e

Comment 2

[Timothy Nikkel (:tnikkel)]

Do you have an associated prefs.js for this?

Comment 3

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 4

[Timothy Nikkel (:tnikkel)]

Tried on 3 OSes with the prefs file, couldn't reproduce.

Comment 5

[Tyson Smith [:tsmith]]

Let me try to get a Pernosco session for this.

Comment 6

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/5kb-LBNn_3ZZz0M97om1iw/index.html

Comment 7

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1697262. Null check content view in ScrollFrameHelper::GetPageLoadingState. r?emilio

Comment 8

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2bfef9531b91
Null check content view in ScrollFrameHelper::GetPageLoadingState. r=emilio

Comment 9

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/2bfef9531b91

Comment 10

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210311220018-fe11dc32ac20.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

:tnikkel, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 12

[Timothy Nikkel (:tnikkel)]

Not sure would could have caused this in that regression range.