Closed Bug 1708007 Opened 5 months ago Closed 3 months ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsIFrame.h:1761:5 in nsIFrame::ChildLists() const

Categories

(Core :: Layout: Flexbox, defect, P3)


VERIFIED FIXED
91 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- verified

People

(Reporter: jkratzer, Assigned: mats, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 1c01cb995fc9 (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1c01cb995fc9 --asan --fuzzing -n build
$ python -m grizzly.replay --xvfb ./build/firefox ./testcase.html
==2696226==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2546e73eb1 bp 0x7ffc097c7d90 sp 0x7ffc097c7d80 T0)
==2696226==The signal is caused by a READ memory access.
==2696226==Hint: address points to the zero page.
    #0 0x7f2546e73eb1 in nsIFrame::ChildLists() const /builds/worker/workspace/obj-build/dist/include/nsIFrame.h:1761:5
    #1 0x7f2546fe0b2b in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:166:40
    #2 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #3 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #4 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #5 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #6 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #7 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #8 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #9 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #10 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #11 0x7f2546fe0c13 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #12 0x7f2546fdab9d in nsCSSFrameConstructor::CaptureStateForFramesOf(nsIContent*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8109:5
    #13 0x7f2546fd9e3d in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7379:7
    #14 0x7f2546fcf097 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8479:7
    #15 0x7f2546f6bb60 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1503:25
    #16 0x7f2546f74dc3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3048:9
    #17 0x7f2546f3bda4 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3127:3
    #18 0x7f2546f3bda4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4202:39
    #19 0x7f2546ecd3bf in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2183:22
    #20 0x7f2546eea1a0 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1460:25
    #21 0x7f2546eea1a0 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #22 0x7f253f160cca in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #23 0x7f253f12d230 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #24 0x7f253f12ad67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #25 0x7f253f12b1bd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #26 0x7f253f169db1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #27 0x7f253f169db1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #28 0x7f253f147ea3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #29 0x7f253f152e2c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #30 0x7f2540382edf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #31 0x7f254028d731 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #32 0x7f254028d731 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #33 0x7f254028d731 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #34 0x7f25469f8447 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #35 0x7f254a51029f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #36 0x7f254028d731 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #37 0x7f254028d731 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #38 0x7f254028d731 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #39 0x7f254a50fb2f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #40 0x563feaabb20d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #41 0x563feaabb631 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #42 0x7f255f7d90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsIFrame.h:1761:5 in nsIFrame::ChildLists() const
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210427221830-3009bdef939c.
The bug appears to have been introduced in the following build range:

Start: dbed1cdf588fd625840b079816a748ffd2d200bb (20201227212342)
End: a51c269df2edd93947d019d8bc17fa025a3ab1c8 (20201228205313)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dbed1cdf588fd625840b079816a748ffd2d200bb&tochange=a51c269df2edd93947d019d8bc17fa025a3ab1c8

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ nsFrameManager::CaptureFrameState ]
See Also: → 1707633, 1250844

Assertions leading up to the crash:

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp:7532
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame( aDestructRoot, placeholder)', file layout/generic/nsIFrame.cpp:837
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file nsPlaceholderFrame.h:186
###!!! ASSERTION: How did that happen?: 'outOfFlowFrame && outOfFlowFrame->IsFloating()', file layout/base/nsLayoutUtils.cpp:1020
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file nsPlaceholderFrame.h:186
Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at layout/base/nsFrameManager.cpp:161

There's a FlexContainerFrame reporting FullyComplete status even though it has a next-in-flow with a non-empty flex item continuation (it contains some floats).

Assignee: nobody → mats
Severity: -- → S3
Component: Layout → Layout: Flexbox
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All

The root cause of the crash was that FlexItem::NeedsFinalReflow
returned false even though the item had a non-empty next-in-flow.
This made the flex container skip the item's reflow and consider
the item's reflow status as COMPLETE, which triggers the removal
of the container's own next-in-flow, which causes the assertions
and eventually the crash.

BTW, the testcase still triggers an assertion even after this fix:

###!!! ASSERTION: Shouldn't be incomplete if availableBSize is UNCONSTRAINED.: 'aReflowInput.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file layout/generic/nsBlockFrame.cpp:1964

which is caused by:
https://searchfox.org/mozilla-central/rev/c114db74a92cf15096dfda02255e125949b0e070/layout/generic/nsBlockFrame.cpp#1375-1398
but we've lived with that for years now so I suspect it's harmless (although we ought to fix that someday).
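To make the root cause above concrete, here is an added example (not Gecko code; Frame, needsFinalReflowBuggy, needsFinalReflowFixed and reflowItem are hypothetical names) modelling the invariant the fix restores: an item that still owns a non-empty next-in-flow must never be treated as COMPLETE, because a COMPLETE status is what lets the container discard its own continuation.

```cpp
// Added example: a minimal model of the invariant behind this bug.
// Not Gecko code; all names here are hypothetical.
#include <vector>

enum class ReflowStatus { Complete, Incomplete };

struct Frame {
    std::vector<int> content;     // constructed: "lines" the frame holds
    Frame* nextInFlow = nullptr;  // continuation living in the next fragment
    bool isDirty = false;
};

// Buggy predicate: only dirty items are reflowed, so a clean item whose
// continuation still holds content is silently treated as COMPLETE.
bool needsFinalReflowBuggy(const Frame& item) { return item.isDirty; }

// Fixed predicate: an item with a continuation is always reflowed, so the
// container sees INCOMPLETE and keeps its own next-in-flow alive.
bool needsFinalReflowFixed(const Frame& item) {
    return item.isDirty || item.nextInFlow != nullptr;
}

// The container derives its own status from the item's reflow (or from the
// skipped reflow, which is the bug path).
ReflowStatus reflowItem(Frame& item, bool (*needsFinalReflow)(const Frame&)) {
    if (!needsFinalReflow(item)) return ReflowStatus::Complete;  // reflow skipped
    bool hasOverflow = item.nextInFlow && !item.nextInFlow->content.empty();
    return hasOverflow ? ReflowStatus::Incomplete : ReflowStatus::Complete;
}

// Consistency check corresponding to the "frame tree not empty, but caller
// reported complete status" assertion in the log: COMPLETE plus a non-empty
// continuation is a contradiction.
bool statusConsistent(const Frame& item, ReflowStatus status) {
    bool nonEmptyContinuation =
        item.nextInFlow && !item.nextInFlow->content.empty();
    return !(status == ReflowStatus::Complete && nonEmptyContinuation);
}

// Constructed scenario: a clean flex item whose next-in-flow holds content.
// Returns true when the given predicate yields a consistent status.
bool demo(bool (*predicate)(const Frame&)) {
    Frame continuation;
    continuation.content = {1, 2};
    Frame item;
    item.nextInFlow = &continuation;  // item itself is not dirty
    return statusConsistent(item, reflowItem(item, predicate));
}
```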

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a595bed7a99e
Make sure we always reflow flex items that have a continuation.  r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/29450 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

:mats, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mats)
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
Flags: in-testsuite? → in-testsuite+
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210622212907-536a892dd51f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon