Closed Bug 1753132 Opened 1 year ago Closed 7 months ago

stack-overflow in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]

Categories

(Core :: Layout, defect)

RESOLVED DUPLICATE of bug 1668046
Tracking Status
firefox98 --- wontfix
firefox100 --- wontfix
firefox101 --- affected
firefox102 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20220115-60998033086a (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==1024499==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7b713db8 (pc 0x55a5baf18f4b bp 0x7fff7b714600 sp 0x7fff7b713dc0 T0)
    #0 0x55a5baf18f4b in __asan_memset /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x7f0c5f955976 in mozilla::dom::ExplicitChildIterator::ExplicitChildIterator(nsIContent const*, bool) src/dom/base/ChildIterator.cpp:23:7
    #2 0x7f0c64bedb16 in FlattenedChildIterator src/dom/base/ChildIterator.h:116:9
    #3 0x7f0c64bedb16 in AllChildrenIterator src/dom/base/ChildIterator.h:149:9
    #4 0x7f0c64bedb16 in StyleChildrenIterator src/dom/base/ChildIterator.h:240:9
    #5 0x7f0c64bedb16 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7443:27
    #6 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #7 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #8 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #9 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
    #10 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
    #11 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
    #12 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #13 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #14 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
    #15 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
    #16 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
    #17 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #18 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #19 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
    #20 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
    #21 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
    #22 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #23 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #24 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
    #25 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
    #26 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
    #27 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #28 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
    #29 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
    #30 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
...
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220202040916-f66aeabcf86c.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: dbbc60ed8e711cc49819ea49053be5eb3c35d08b (20210203035816)
End: 60998033086a179f73edd702599f93ab75ff443e (20220115094536)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

I can take a look here.

Flags: needinfo?(dholbert)

Looking in pernosco, it's clear we've taken a recursive death-spiral; the backtrace is 7910 stack-levels deep.

Looks like we call ContentRemoved for each child of the content node we are recreating frames for

https://searchfox.org/mozilla-central/rev/04dbb1a865894aec20eb02585aa75acccc0b72d5/layout/base/nsCSSFrameConstructor.cpp#7448

because CouldHaveBeenDisplayContents(aChild) and then we call MaybeRecreateContainerForFrameRemoval which hits the IB split parent

https://searchfox.org/mozilla-central/rev/04dbb1a865894aec20eb02585aa75acccc0b72d5/layout/base/nsCSSFrameConstructor.cpp#8465

and so we call ReframeContainingBlock and this looks like it's either the original content node or causes the reconstruction of the original content node, and so we "loop". (I don't plan to work more on this, I was just curious so I looked at the pernosco.)
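The death-spiral described in the comment above is visible in the ASan trace itself as a repeating run of frames. The following triage helper is an added example, not code from this bug or from Firefox: it parses ASan frame lines and finds the shortest function sequence that repeats through the end of the captured trace. The sample is frames #5-#20 copied from the report above; the only assumption is the standard ASan `#N 0xaddr in func file:line:col` frame format.

```python
import re

# Frames #5-#20 copied from the ASan report above; #0-#4 (the child-iterator
# frames) are omitted to keep the sample short.
SAMPLE_TRACE = """\
#5 0x7f0c64bedb16 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7443:27
#6 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#7 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#8 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#9 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
#10 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
#11 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
#12 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#13 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#14 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
#15 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
#16 0x7f0c64beda1c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7468:9
#17 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#18 0x7f0c64bedc10 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7447:31
#19 0x7f0c64be26a7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8562:7
#20 0x7f0c64bef113 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")

def parse_frames(text):
    # -> [(frame_no, qualified_function_name, file:line:col)]. The parameter
    # list is dropped so different call sites in one function compare equal.
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2).split("(")[0], m.group(3)))
    return frames

def find_cycle(frames, min_repeats=3):
    # Earliest frame s from which the function sequence is p-periodic through
    # the end of the capture, with the smallest such p and at least
    # min_repeats full repeats. Returns (frame_no, p, repeats, cycle) or None.
    names = [f[1] for f in frames]
    n = len(names)
    for s in range(n):
        for p in range(1, (n - s) // min_repeats + 1):
            if all(names[i] == names[i + p] for i in range(s, n - p)):
                return frames[s][0], p, (n - s) // p, names[s:s + p]
    return None

if __name__ == "__main__":
    print(find_cycle(parse_frames(SAMPLE_TRACE)))
```

On the sample it reports a 5-frame cycle starting at #6 (three ContentRemoved call sites, then RecreateFramesForContent and MaybeRecreateContainerForFrameRemoval), which is exactly the ContentRemoved -> MaybeRecreateContainerForFrameRemoval -> reframe loop the comment describes.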

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220115094536-60998033086a) but not with tip (mozilla-central 20220909212835-b84775bfccf2).

The bug appears to have been fixed in the following build range:

Start: 90cedc744caaa336fc944da270c6c4a4e7b44ed1 (20220902090626)
End: f29b50d37b8b44da60afb52885a3dfecd96ecfba (20220902095153)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=90cedc744caaa336fc944da270c6c4a4e7b44ed1&tochange=f29b50d37b8b44da60afb52885a3dfecd96ecfba

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(dholbert) → needinfo?(twsmith)
Keywords: bugmon

Bug 1787072 in that range could have avoided a reframe that causes this, but then I would think there is another testcase that causes a reframe in a different way that can still trigger the same problem that the fuzzers will find.

This bug looks similar to bug 1668046 (it has a working test case).

:tnikkel do you think this is a duplicate?

Flags: needinfo?(twsmith) → needinfo?(tnikkel)

Not quite a dupe but follows the same basic pattern. The only difference from comment 5 is this part

(In reply to Timothy Nikkel (:tnikkel) from comment #5)
> because CouldHaveBeenDisplayContents(aChild) and then we call MaybeRecreateContainerForFrameRemoval which hits the IB split parent
>
> https://searchfox.org/mozilla-central/rev/04dbb1a865894aec20eb02585aa75acccc0b72d5/layout/base/nsCSSFrameConstructor.cpp#8465

Instead we hit the IsTableOrRubyPseudo bit
https://searchfox.org/mozilla-central/rev/7b36c8b83337c4b4cdfd4ccc2168f3491a86811b/layout/base/nsCSSFrameConstructor.cpp#8508

Flags: needinfo?(tnikkel)

(In reply to Tyson Smith [:tsmith] from comment #9)
> This bug looks similar to bug 1668046 (it has a working test case).

Duping, per discussion with emilio.

Severity: S2 → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE