Closed Bug 1747307 Opened 4 years ago Closed 3 years ago

runtime error: call to function NS_NewGridContainerFrame(mozilla::PresShell*, mozilla::ComputedStyle*) through pointer to incorrect function type 'nsIFrame *(*)(mozilla::PresShell *, mozilla::ComputedStyle *)'

Categories

(Core :: Layout, defect)


RESOLVED DUPLICATE of bug 1603298

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

When the function ubsan check is enabled, the following error occurs at startup in m-c b538ca7373143e97e0c5243dfaf6e941d9454d25.

/home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3697:16: runtime error: call to function NS_NewGridContainerFrame(mozilla::PresShell*, mozilla::ComputedStyle*) through pointer to incorrect function type 'nsIFrame *(*)(mozilla::PresShell *, mozilla::ComputedStyle *)'
/home/truber/src/m/u/layout/generic/nsGridContainerFrame.cpp:3889: note: NS_NewGridContainerFrame(mozilla::PresShell*, mozilla::ComputedStyle*) defined here
    #0 0x7fcb0fbd34ff in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3697:16
    #1 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #2 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #3 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #4 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #5 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #6 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #7 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #8 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #9 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #10 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #11 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #12 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #13 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #14 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #15 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #16 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #17 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #18 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #19 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #20 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #21 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #22 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #23 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #24 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #25 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #26 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #27 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #28 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #29 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #30 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #31 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #32 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #33 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #34 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #35 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #36 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #37 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #38 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #39 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #40 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #41 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #42 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #43 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #44 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #45 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #46 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #47 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #48 0x7fcb0fbd429b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:3832:9
    #49 0x7fcb0fbdca3e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:5658:3
    #50 0x7fcb0fcbf818 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9521:5
    #51 0x7fcb0fbc1a7b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:9681:3
    #52 0x7fcb0fbc9448 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:10570:3
    #53 0x7fcb0fbc5ed3 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:2439:5
    #54 0x7fcb0fbe0954 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:6956:9
    #55 0x7fcb0fbe02ae in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsCSSFrameConstructor::InsertionKind) /home/truber/src/m/u/layout/base/nsCSSFrameConstructor.cpp:6874:3
    #56 0x7fcb0faaa814 in mozilla::PresShell::Initialize() /home/truber/src/m/u/layout/base/PresShell.cpp:1852:26
    #57 0x7fcb0dc9ef22 in mozilla::dom::PrototypeDocumentContentSink::StartLayout() /home/truber/src/m/u/dom/prototype/PrototypeDocumentContentSink.cpp:700:30
    #58 0x7fcb0dc9e9ac in mozilla::dom::PrototypeDocumentContentSink::DoneWalking() /home/truber/src/m/u/dom/prototype/PrototypeDocumentContentSink.cpp:669:3
    #59 0x7fcb0dc9e605 in mozilla::dom::PrototypeDocumentContentSink::MaybeDoneWalking() /home/truber/src/m/u/dom/prototype/PrototypeDocumentContentSink.cpp:645:10
    #60 0x7fcb0dc9e634 in mozilla::dom::PrototypeDocumentContentSink::InitialTranslationCompleted() /home/truber/src/m/u/dom/prototype/PrototypeDocumentContentSink.cpp:632:3
    #61 0x7fcb0f05f31e in mozilla::dom::DocumentL10n::InitialTranslationCompleted(bool) /home/truber/src/m/u/dom/l10n/DocumentL10n.cpp:321:19
    #62 0x7fcb0f06d02a in L10nReadyHandler::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /home/truber/src/m/u/dom/l10n/DocumentL10n.cpp:73:20
    #63 0x7fcb0e70cf47 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /home/truber/src/m/u/dom/promise/Promise.cpp:385:12
    #64 0x7fcb0e70e71f in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /home/truber/src/m/u/dom/promise/Promise.cpp:338:29
    #65 0x7fcb2a379863 in CallJSNative /home/truber/src/m/u/js/src/vm/Interpreter.cpp:425:13
    #66 0x7fcb2a379863 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:512:12
    #67 0x7fcb2a37af10 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:572:10
    #68 0x7fcb2a37b1d9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:589:8
    #69 0x7fcb2a6de091 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/truber/src/m/u/js/src/vm/Interpreter.h:106:10
    #70 0x7fcb2accc584 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /home/truber/src/m/u/js/src/builtin/Promise.cpp:2067:10
    #71 0x7fcb2a379863 in CallJSNative /home/truber/src/m/u/js/src/vm/Interpreter.cpp:425:13
    #72 0x7fcb2a379863 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:512:12
    #73 0x7fcb2a37af10 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:572:10
    #74 0x7fcb2a37b1d9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/truber/src/m/u/js/src/vm/Interpreter.cpp:589:8
    #75 0x7fcb2a957b51 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/truber/src/m/u/js/src/vm/CallAndConstruct.cpp:117:10
    #76 0x7fcb0734986a in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/truber/src/m/u/obj/ff-asan-fuzzing/dom/bindings/PromiseBinding.cpp:35:8
    #77 0x7fcafea691f5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /home/truber/src/m/u/obj/ff-asan-fuzzing/dist/include/mozilla/dom/PromiseBinding.h:89:12
    #78 0x7fcafea68ac6 in mozilla::dom::PromiseJobCallback::Call(char const*) /home/truber/src/m/u/obj/ff-asan-fuzzing/dist/include/mozilla/dom/PromiseBinding.h:102:12
    #79 0x7fcafea6734b in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /home/truber/src/m/u/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #80 0x7fcafea15e79 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /home/truber/src/m/u/xpcom/base/CycleCollectedJSContext.cpp:674:17
    #81 0x7fcafea16906 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /home/truber/src/m/u/xpcom/base/CycleCollectedJSContext.cpp:463:3
    #82 0x7fcb03156529 in XPCJSContext::AfterProcessTask(unsigned int) /home/truber/src/m/u/js/xpconnect/src/XPCJSContext.cpp:1424:28
    #83 0x7fcafee7b94c in nsThread::ProcessNextEvent(bool, bool*) /home/truber/src/m/u/xpcom/threads/nsThread.cpp:1220:24
    #84 0x7fcafee86747 in NS_ProcessNextEvent(nsIThread*, bool) /home/truber/src/m/u/xpcom/threads/nsThreadUtils.cpp:467:10
    #85 0x7fcb015a6814 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/truber/src/m/u/ipc/glue/MessagePump.cpp:85:21
    #86 0x7fcb0125f284 in MessageLoop::RunInternal() /home/truber/src/m/u/ipc/chromium/src/base/message_loop.cc:331:10
    #87 0x7fcb0125f1e4 in MessageLoop::RunHandler() /home/truber/src/m/u/ipc/chromium/src/base/message_loop.cc:324:3
    #88 0x7fcb0125f14c in MessageLoop::Run() /home/truber/src/m/u/ipc/chromium/src/base/message_loop.cc:306:3
    #89 0x7fcb0f1bdf75 in nsBaseAppShell::Run() /home/truber/src/m/u/widget/nsBaseAppShell.cpp:137:27
    #90 0x7fcb29a01c37 in nsAppStartup::Run() /home/truber/src/m/u/toolkit/components/startup/nsAppStartup.cpp:295:30
    #91 0x7fcb29dad041 in XREMain::XRE_mainRun() /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5362:22
    #92 0x7fcb29dae7fe in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5547:8
    #93 0x7fcb29daedef in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5606:21
    #94 0x7fcb29de06d6 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/Bootstrap.cpp:45:12
    #95 0x564f51bb1355 in do_main(int, char**, char**) /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:225:22
    #96 0x564f51bafe7f in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:395:16
    #97 0x7fcb57c6eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #98 0x564f51afe403 in _start (/home/truber/src/m/u/obj/ff-asan-fuzzing/dist/bin/firefox+0xf2403)

Building with the function check is not straightforward, but there are instructions at the end of bug 1747298 comment 0.

Blocks: ubsan

The severity field is not set for this bug.
:dholbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dholbert)

I looked into this a bit and it seems that mCreationFunc called here:

https://searchfox.org/mozilla-central/rev/6b4e19ad33650fdf9cd8529cd68eeb98bff1b935/layout/base/nsCSSFrameConstructor.cpp#3697

is declared as FrameCreationFunc with typedef nsIFrame* (*FrameCreationFunc)(PresShell*, ComputedStyle*);, so this returns nsIFrame*.

However, the function pointer stored there points to NS_NewGridContainerFrame, which returns nsContainerFrame* instead. While nsContainerFrame inherits from nsIFrame, I think this is indeed UB; we are not allowed to simply take one pointer here for the other.

Emilio, do you have any clue how we should solve this? I tried to find where this is assigned and maybe there needs to be a wrapper around NS_NewGridContainerFrame for this purpose, but that's just a guess.

Flags: needinfo?(emilio)

Alternatively we could probably change the return type of NS_NewGridContainerFrame to match and add casts to where this function is called explicitly (which doesn't seem to be very often).

But I guess this problem here could only be the tip of the iceberg if there are more functions being used like this.

Blocks: 1748880
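The mismatch described in the comment above, and the wrapper that it proposes, as an added C++17 example that is not Firefox code: the types Shell, Style, Frame and ContainerFrame and the functions NewPlainFrame, NewGridContainer, AsFrameCreator, ConstructFrame and CreatedFrameName are hypothetical stand-ins modelled on the FrameCreationFunc table in nsCSSFrameConstructor.

```cpp
// Added example (not Firefox code). Models a frame-construction table whose
// slot type returns the base pointer, and shows why a function returning the
// derived pointer cannot be stored in that slot without UB, plus the fix.
#include <cstring>
#include <memory>
#include <type_traits>

struct Shell {};            // stand-in for mozilla::PresShell
struct Style { int kind; }; // stand-in for mozilla::ComputedStyle

struct Frame {              // stand-in for nsIFrame
  virtual ~Frame() = default;
  virtual const char* Name() const { return "Frame"; }
};
struct ContainerFrame : Frame {  // stand-in for nsContainerFrame
  const char* Name() const override { return "ContainerFrame"; }
};

// Stand-ins for the NS_New*Frame functions. The second one returns the
// derived type, exactly like NS_NewGridContainerFrame does.
Frame* NewPlainFrame(Shell*, Style*) { return new Frame(); }
ContainerFrame* NewGridContainer(Shell*, Style*) { return new ContainerFrame(); }

// The table's slot type, as on the page: nsIFrame* (*)(PresShell*, ComputedStyle*).
using FrameCreationFunc = Frame* (*)(Shell*, Style*);

// Root cause: ContainerFrame* converts to Frame*, but a pointer to a function
// returning ContainerFrame* does NOT convert to FrameCreationFunc. Forcing it
// with a cast and calling through the slot is what -fsanitize=function flags.
// This documents the mismatch at compile time rather than at runtime.
static_assert(!std::is_convertible_v<decltype(&NewGridContainer), FrameCreationFunc>,
              "derived-returning creator must not be stored in the slot directly");

// The fix suggested in the discussion: a wrapper with the exact slot
// signature. The upcast happens on the returned object inside the body,
// not on the function pointer, so the indirect call is well-formed.
template <auto Creator>
Frame* AsFrameCreator(Shell* shell, Style* style) {
  return Creator(shell, style);  // implicit ContainerFrame* -> Frame*
}

struct FrameConstructionData {
  int kind;                   // which style kind this entry handles
  FrameCreationFunc create;   // exact slot type; no casts anywhere
};

// Passing &NewGridContainer here directly would be a compile error; the
// wrapper is the only way in, which is the property we want.
constexpr FrameConstructionData kTable[] = {
    {0, &NewPlainFrame},
    {1, &AsFrameCreator<&NewGridContainer>},
};

// Look up the entry for the style's kind and call through the slot.
// Returns nullptr when the table has no entry for that kind.
std::unique_ptr<Frame> ConstructFrame(Shell* shell, Style* style) {
  for (const auto& entry : kTable) {
    if (entry.kind == style->kind) {
      return std::unique_ptr<Frame>(entry.create(shell, style));
    }
  }
  return nullptr;
}

// Name of the frame class produced for a style kind, or "none" if no entry.
// Name() returns a string literal, so the pointer outlives the frame.
const char* CreatedFrameName(int kind) {
  Shell shell;
  Style style{kind};
  auto frame = ConstructFrame(&shell, &style);
  return frame ? frame->Name() : "none";
}
```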

I confirmed that wrapping NS_NewGridContainerFrame into a function that uses dynamic_cast<nsIFrame*> on the return type, and then using that wrapper as the FrameCreationFunc instead fixes this particular error.

However, looking at the source, I think there is a ton of functions that don't match exactly, so I ended up removing the casts here:

https://searchfox.org/mozilla-central/rev/6b4e19ad33650fdf9cd8529cd68eeb98bff1b935/layout/base/nsCSSFrameConstructor.cpp#300,304

to figure out how deep this problem goes. I was expecting a few errors of the form where the function does not match, but I got further results like:

 0:10.89 mozilla-central/layout/base/nsCSSFrameConstructor.cpp:3409:29: error: cannot initialize a member subobject of type 'nsCSSFrameConstructor::FrameCreationFunc' (aka 'nsIFrame *(*)(mozilla::PresShell *, mozilla::ComputedStyle *)') with an lvalue of type 'const nsCSSFrameConstructor::FrameConstructionData *(const nsCSSFrameConstructor::Element &, nsCSSFrameConstructor::ComputedStyle &)' (aka 'const nsCSSFrameConstructor::FrameConstructionData *(const mozilla::dom::Element &, mozilla::ComputedStyle &)'): type mismatch at 1st parameter ('nsCSSFrameConstructor::PresShell *' (aka 'mozilla::PresShell *') vs 'const nsCSSFrameConstructor::Element &' (aka 'const mozilla::dom::Element &'))
 0:10.89       SIMPLE_TAG_CHAIN(img, nsCSSFrameConstructor::FindImgData),

which seems surprising. I was not expecting mismatches in arguments here, esp. not of the kind shown.

Group: core-security

Comment 4 is not an issue, it's just using the wrong field of the union. This is a dupe of bug 1603298, let's keep the discussion there.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(emilio)
Flags: needinfo?(dholbert)
Resolution: --- → DUPLICATE
Group: core-security → layout-core-security
Group: layout-core-security