Closed Bug 1746934 Opened 3 years ago Closed 3 years ago

src/layout/generic/nsIFrame.cpp:9228:50: runtime error: load of value 224, which is not a valid value for type 'bool'

Categories

(Core :: Layout, defect)

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- fixed

People

(Reporter: tsmith, Assigned: saschanaz)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: csectype-uninitialized, regression, testcase)

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20211217-ba22a155be2e (--enable-undefined-sanitizer --enable-fuzzing)

The attached testcase only seems to be reliable at optimization level -O1.

src/layout/generic/nsIFrame.cpp:9228:50: runtime error: load of value 224, which is not a valid value for type 'bool'
    #0 0x7fe07819b12d in nsIFrame::GetFrameFromDirection(nsDirection, bool, bool, bool, bool) src/layout/generic/nsIFrame.cpp:9228:50
    #1 0x7fe07826c17a in nsIFrame::GetFrameFromDirection(nsPeekOffsetStruct const&) src/layout/generic/nsIFrame.cpp:9284:10
    #2 0x7fe07826c86d in nsIFrame::PeekOffsetForWord(nsPeekOffsetStruct*, int) src/layout/generic/nsIFrame.cpp:8727:49
    #3 0x7fe07826eb7a in nsIFrame::PeekOffset(nsPeekOffsetStruct*) src/layout/generic/nsIFrame.cpp:8994:14
    #4 0x7fe0781972ac in nsFrameSelection::PeekOffsetForCaretMove(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle, nsPoint const&) const src/layout/generic/nsFrameSelection.cpp:913:24
    #5 0x7fe078195fc2 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:789:49
    #6 0x7fe072e16042 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3347:24
    #7 0x7fe073d764d3 in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/objdir-ff-ubsan/dom/bindings/SelectionBinding.cpp:1117:24
    #8 0x7fe074b7538e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
    #9 0x7fe07ca28d51 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
    #10 0x7fe07ca28d51 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
    #11 0x7fe07ca2a467 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
    #12 0x7fe07ca1319b in js::CallFromStack(JSContext*, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:539:10
    #13 0x7fe07ca1319b in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
    #14 0x7fe07c9f60c3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
    #15 0x7fe07ca28e56 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
    #16 0x7fe07ca2a467 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
    #17 0x7fe07ca2a66d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
    #18 0x7fe07ccdb705 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
    #19 0x7fe0747390a8 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:283:37
    #20 0x7fe075506c7d in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #21 0x7fe0754eff2f in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
    #22 0x7fe0754be3b5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
    #23 0x7fe0754bf5ed in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
    #24 0x7fe0755094b3 in mozilla::EventListenerManager::HandleEvent(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.h:395:5
    #25 0x7fe0754fc6a7 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
    #26 0x7fe0754ae57c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
    #27 0x7fe0754b1b7a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
    #28 0x7fe077fddab7 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1085:7
    #29 0x7fe07ba0266e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6309:20
    #30 0x7fe07ba01993 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5698:7
    #31 0x7fe07ba0392f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #32 0x7fe0718acb6e in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1376:3
    #33 0x7fe0718aba6b in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:974:14
    #34 0x7fe0718a87fa in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:793:9
    #35 0x7fe0718aa75e in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:676:5
    #36 0x7fe07ba3cb5d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13571:23
    #37 0x7fe06f49add7 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:614:22
    #38 0x7fe06f49da54 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:518:10
    #39 0x7fe072c2020e in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11555:18
    #40 0x7fe072bcb4b4 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11485:9
    #41 0x7fe072bf69cb in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:8000:3
    #42 0x7fe072cf94ad in decltype(*(fp).*fp0()) mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()>(mozilla::dom::Document*, void (mozilla::dom::Document::*)(), mozilla::Tuple<>&, std::integer_sequence<unsigned long>) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1147:12
    #43 0x7fe072cf94ad in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long>{})) mozilla::detail::RunnableMethodArguments<>::apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()>(mozilla::dom::Document*, void (mozilla::dom::Document::*)()) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1153:12
    #44 0x7fe072cf94ad in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200:13
    #45 0x7fe06f0e4495 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:144:20
    #46 0x7fe06f13a596 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
    #47 0x7fe06f0fb669 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
    #48 0x7fe06f0f8abe in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
    #49 0x7fe06f0f92e4 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
    #50 0x7fe06f12c5c9 in mozilla::TaskController::InitializeInternal()::$_0::operator()() const src/xpcom/threads/TaskController.cpp:124:37
    #51 0x7fe06f12c5c9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:531:5
    #52 0x7fe06f117d38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
    #53 0x7fe06f1211d6 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #54 0x7fe0706c0ad2 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #55 0x7fe0706c2252 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:268:30
    #56 0x7fe070520235 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #57 0x7fe070520235 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #58 0x7fe070520235 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #59 0x7fe07792b59d in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #60 0x7fe07c70fcbb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #61 0x7fe0706c2231 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
    #62 0x7fe070520235 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #63 0x7fe070520235 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #64 0x7fe070520235 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #65 0x7fe07c70ee63 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #66 0x7fe07c723050 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
    #67 0x557d1b15407a in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #68 0x557d1b154451 in main src/browser/app/nsBrowserApp.cpp:327:18
    #69 0x7fe09853cbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #70 0x557d1b0a3138 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0xe5138)
Flags: in-testsuite?

nsTableRowGroupFrame::GetLine doesn't initialize mIsWrapped, and it's not default-initialized: https://searchfox.org/mozilla-central/rev/a11b63915bd7810a03635d733123448ab5bfcad3/layout/generic/nsILineIterator.h#60

Probably a matter of default-initializing it?

Flags: needinfo?(krosylight)
Regressed by: 1623764
Has Regression Range: --- → yes

I guess that's why. Will add = false there.

Assignee: nobody → krosylight
Status: NEW → ASSIGNED
Flags: needinfo?(krosylight)
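To illustrate the root cause described in the two comments above and the fix that was pushed, here is an added C++ example (not code from mozilla-central): a simplified stand-in for LineInfo without and with a default member initializer for mIsWrapped. The other members, the partial filler that mimics a GetLine implementation, and the 0xE0-prefilled storage are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// "Before": a stand-in for LineInfo from nsILineIterator.h with mIsWrapped
// left without an initializer, as on this page. The other members and their
// order are assumed, not copied from the tree.
struct LineInfoBefore {
  int32_t mLineNumber;
  int32_t mNumFramesOnLine;
  bool mIsWrapped;  // the member nsTableRowGroupFrame::GetLine never wrote
};

// "After": the fix from the autoland push, a default member initializer, so
// a GetLine implementation that skips the field still leaves a valid bool.
struct LineInfoAfter {
  int32_t mLineNumber = 0;
  int32_t mNumFramesOnLine = 0;
  bool mIsWrapped = false;
};

// Hypothetical GetLine-like filler that assigns every field except mIsWrapped.
template <typename LineInfo>
void FillLinePartially(LineInfo& aLine, int32_t aLineNumber) {
  aLine.mLineNumber = aLineNumber;
  aLine.mNumFramesOnLine = 1;
}

// Construct a LineInfo in storage prefilled with 0xE0 (224, the byte UBSan
// reported) to stand in for stale stack memory, then return the raw byte of
// mIsWrapped. The read goes through unsigned char, so it is well-defined even
// when the value itself was never initialized.
template <typename LineInfo>
unsigned RawIsWrappedByte() {
  alignas(LineInfo) unsigned char storage[sizeof(LineInfo)];
  std::memset(storage, 0xE0, sizeof storage);
  LineInfo* line = new (storage) LineInfo;  // default-init, like a local
  FillLinePartially(*line, 3);
  unsigned char byte = 0;
  const unsigned char* raw = reinterpret_cast<const unsigned char*>(line);
  std::memcpy(&byte, raw + offsetof(LineInfo, mIsWrapped), 1);
  line->~LineInfo();
  return byte;
}

int main() {
  // Before: 224 in practice (indeterminate in the abstract machine);
  // after: 0, because the initializer also runs under placement new.
  std::printf("before: %u\nafter:  %u\n", RawIsWrappedByte<LineInfoBefore>(),
              RawIsWrappedByte<LineInfoAfter>());
  return 0;
}
```

Reading `line->mIsWrapped` as a bool rather than as its raw byte is what produces the "load of value 224, which is not a valid value for type 'bool'" report in this bug under -fsanitize=undefined.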
Pushed by krosylight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/802e0339b9fb Give default value for LineInfo::mIsWrapped r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32154 for changes under testing/web-platform/tests
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
Upstream PR merged by moz-wptsync-bot

Set release status flags based on info from the regressing bug 1623764
