Open Bug 1706147 Opened 3 years ago Updated 11 months ago

[@ InvalidArrayIndex_CRASH | @ nsGridContainerFrame::TrackSizingFunctions::SizingFor]

Categories: Core :: Layout: Grid, defect
Tracking Status: firefox89 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: bugmon, crash, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 8e850fd29a95 (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install grizzly-framework
$ python -m grizzly.replay --xvfb ~/builds/mc-asan/firefox ./testcase.html

==724254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f3f1ae7e0af bp 0x7ffcfc1a5e10 sp 0x7ffcfc1a5e10 T0)
==724254==The signal is caused by a WRITE memory access.
==724254==Hint: address points to the zero page.
    #0 0x7f3f1ae7e0af in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:246:3
    #1 0x7f3f1ae7e0af in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:28:3
    #2 0x7f3f2313ed30 in nsTArray_Impl<std::pair<unsigned long, unsigned long>, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1211:7
    #3 0x7f3f2308d65a in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1242:12
    #4 0x7f3f2308d65a in nsGridContainerFrame::TrackSizingFunctions::SizingFor(unsigned int) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1283:31
    #5 0x7f3f2307c9fe in nsGridContainerFrame::Tracks::Initialize(nsGridContainerFrame::TrackSizingFunctions const&, mozilla::StyleGenericLengthPercentageOrNormal<mozilla::StyleLengthPercentageUnion> const&, unsigned int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4932:62
    #6 0x7f3f2307bf08 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3620:12
    #7 0x7f3f230b3879 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8522:21
    #8 0x7f3f22fc634f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #9 0x7f3f230962b5 in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5003:11
    #10 0x7f3f2309dadc in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5271:14
    #11 0x7f3f23094f9a in MinSize(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5413:23
    #12 0x7f3f230903f3 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6195:21
    #13 0x7f3f2307da35 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5432:3
    #14 0x7f3f2307bff1 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3649:12
    #15 0x7f3f230b3879 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8522:21
    #16 0x7f3f22fc634f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #17 0x7f3f22fa5667 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:818:7
    #18 0x7f3f22fc634f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #19 0x7f3f230395ee in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #20 0x7f3f2303af4c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #21 0x7f3f23040f68 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #22 0x7f3f22fc6a96 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #23 0x7f3f22f59e10 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:372:7
    #24 0x7f3f22d9ed29 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9597:11
    #25 0x7f3f22dafe57 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9768:24
    #26 0x7f3f22dae589 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4245:11
    #27 0x7f3f22d3f7fe in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1406:5
    #28 0x7f3f22d3f7fe in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2216:20
    #29 0x7f3f22d4b825 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
    #30 0x7f3f22d4b825 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
    #31 0x7f3f22d4b58d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
    #32 0x7f3f22d4aa91 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
    #33 0x7f3f22d4aa91 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
    #34 0x7f3f22d4a04d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
    #35 0x7f3f22d497d1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
    #36 0x7f3f21fa5567 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #37 0x7f3f1cae272c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #38 0x7f3f1c76bd82 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #39 0x7f3f1c1f6daa in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2154:25
    #40 0x7f3f1c1f32ce in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2078:9
    #41 0x7f3f1c1f4c88 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926:3
    #42 0x7f3f1c1f57eb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957:13
    #43 0x7f3f1afc7c16 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #44 0x7f3f1af940d3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #45 0x7f3f1af91c17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #46 0x7f3f1af9206d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #47 0x7f3f1afd1011 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #48 0x7f3f1afd1011 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #49 0x7f3f1afaee93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #50 0x7f3f1afb9dbc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #51 0x7f3f1c1fe6df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #52 0x7f3f1c108871 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #53 0x7f3f1c108871 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #54 0x7f3f1c108871 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #55 0x7f3f2286e367 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #56 0x7f3f2638177f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #57 0x7f3f1c108871 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #58 0x7f3f1c108871 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #59 0x7f3f1c108871 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #60 0x7f3f2638100f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #61 0x55b148af2f1d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x55b148af3341 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #63 0x7f3f3b5450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210419221626-e2fb29057e4c.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 342710b2598d0c742d2ed782c9bcd73866f1e0be (20200421020837)
End: 8e850fd29a957f505e0355c1326279e06e9040bb (20210419094740)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::TrackSizingFunctions::SizingFor ]

In nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis, we have aGrid.mGridRowEnd == 19999. We crash when the iteration in tracks.Initialize reaches 10000, which sounds suspiciously like the clamping of over-large grid sizes may be getting involved here, and going wrong in some way.

Marking as S3 considering that we crash the content process safely, and the testcase seems pretty far removed from anything a real-world site would have reason to do.

Severity: -- → S3
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::TrackSizingFunctions::SizingFor ] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::TrackSizingFunctions::SizingFor ] [@ mozilla::detail::InvalidArrayIndex_CRASH | nsGridContainerFrame::TrackSizingFunctions::SizingFor ]

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon