Crash [@ Hdr] with subgrid (null deref on subgrid frame property)
Categories: Core :: Layout: Grid, defect
People: Reporter: jkratzer, Unassigned, NeedInfo
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (466 bytes, text/html)
Testcase found while fuzzing mozilla-central rev eaf3521f3b37 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build eaf3521f3b37 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ Hdr]
=================================================================
==3047609==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa0ab76b1a7 bp 0x7ffd670a7870 sp 0x7ffd670a7870 T0)
==3047609==The signal is caused by a READ memory access.
==3047609==Hint: address points to the zero page.
#0 0x7fa0ab76b1a7 in Hdr /builds/worker/workspace/obj-build/dist/include/nsTArray.h:575:51
#1 0x7fa0ab76b1a7 in Elements /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1188:47
#2 0x7fa0ab76b1a7 in nsTArrayInfallibleAllocator::ResultType nsTArray_Impl<nsGridContainerFrame::GridItemInfo, nsTArrayInfallibleAllocator>::Assign<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_Impl<nsGridContainerFrame::GridItemInfo, nsTArrayInfallibleAllocator> const&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1454:47
#3 0x7fa0ab68d10a in nsTArray<nsGridContainerFrame::GridItemInfo>::Clone() const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2820:12
#4 0x7fa0ab6d3d4e in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /layout/generic/nsGridContainerFrame.cpp:9312:44
#5 0x7fa0ab6d4453 in nsGridContainerFrame::GetPrefISize(gfxContext*) /layout/generic/nsGridContainerFrame.cpp:9372:30
#6 0x7fa0ab64d598 in nsHTMLScrollFrame::GetPrefISize(gfxContext*) /layout/generic/nsGfxScrollFrame.cpp:1181:37
#7 0x7fa0ab701c3d in nsIFrame::ComputeISizeValue(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, nsIFrame::ExtremumLength, mozilla::Maybe<int>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6811:16
#8 0x7fa0ab554c8c in nsIFrame::ISizeComputationResult nsIFrame::ComputeISizeValue<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> >(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.h:4808:12
#9 0x7fa0ab5db38d in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6410:24
#10 0x7fa0ab5449e4 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:1714:26
#11 0x7fa0ab53b4d5 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2301:7
#12 0x7fa0ab53533d in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:356:3
#13 0x7fa0ab536615 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:216:5
#14 0x7fa0ab574805 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:796:15
#15 0x7fa0ab57230d in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:221:7
#16 0x7fa0ab6c5299 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /layout/generic/nsGridContainerFrame.cpp:8520:37
#17 0x7fa0ab6c6c9f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGridContainerFrame.cpp:8694:11
#18 0x7fa0ab5ba73d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
#19 0x7fa0ab6472f6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
#20 0x7fa0ab648bb9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:973:3
#21 0x7fa0ab64f244 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1395:3
#22 0x7fa0ab574af7 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:813:14
#23 0x7fa0ab57230d in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:221:7
#24 0x7fa0ab6c5299 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /layout/generic/nsGridContainerFrame.cpp:8520:37
#25 0x7fa0ab6c6c9f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGridContainerFrame.cpp:8694:11
#26 0x7fa0ab574af7 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:813:14
#27 0x7fa0ab57230d in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:221:7
#28 0x7fa0ab702694 in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6932:24
#29 0x7fa0ab6017d7 in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6899:3
#30 0x7fa0ab5b9f0d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:885:3
#31 0x7fa0ab5ba73d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
#32 0x7fa0ab6472f6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
#33 0x7fa0ab648bb9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:973:3
#34 0x7fa0ab64f244 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1395:3
#35 0x7fa0ab57114b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
#36 0x7fa0ab570779 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
#37 0x7fa0ab3a70a8 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9558:11
#38 0x7fa0ab3b8f87 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9729:24
#39 0x7fa0ab3b72a7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4307:11
#40 0x7fa0ab3404da in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1448:5
#41 0x7fa0ab3404da in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2536:20
#42 0x7fa0ab34e0e7 in TickDriver /layout/base/nsRefreshDriver.cpp:367:13
#43 0x7fa0ab34e0e7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:345:7
#44 0x7fa0ab34de4d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:361:5
#45 0x7fa0ab34db05 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:882:5
#46 0x7fa0ab34cba6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:762:16
#47 0x7fa0ab34be91 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncOnMainThread() /layout/base/nsRefreshDriver.cpp:642:7
#48 0x7fa0ab34b8b8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:534:9
#49 0x7fa0aa07461e in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#50 0x7fa0aa4752d2 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:54
#51 0x7fa0a41d6891 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6479:32
#52 0x7fa0a4138c19 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1707:25
#53 0x7fa0a4136712 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /ipc/glue/MessageChannel.cpp:1632:9
#54 0x7fa0a4137cd1 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1528:14
#55 0x7fa0a2a4e892 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
#56 0x7fa0a2a14c2d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:778:26
#57 0x7fa0a2a12148 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
#58 0x7fa0a2a12859 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
#59 0x7fa0a2a5b221 in operator() /xpcom/threads/TaskController.cpp:124:37
#60 0x7fa0a2a5b221 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#61 0x7fa0a2a35137 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1187:16
#62 0x7fa0a2a3f21c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#63 0x7fa0a41402ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#64 0x7fa0a3fbbe01 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
#65 0x7fa0a3fbbe01 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#66 0x7fa0a3fbbe01 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#67 0x7fa0aadf7047 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#68 0x7fa0afc1dfdf in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
#69 0x7fa0a3fbbe01 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
#70 0x7fa0a3fbbe01 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#71 0x7fa0a3fbbe01 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#72 0x7fa0afc1d203 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
#73 0x560df65e047d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x560df65e08b0 in main /browser/app/nsBrowserApp.cpp:327:18
#75 0x7fa0c758d0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#76 0x560df652f569 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5e569)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsTArray.h:575:51 in Hdr
==3047609==ABORTING
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220328093900-eaf3521f3b37.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: a9aedd83b8322dd2008c677dd8b183d9f0cef55f (20210329095128)
End: eaf3521f3b377e4d87e4bf2c13e788a3e97dd95e (20220328093900)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Updated•2 years ago
Comment 3•2 years ago
We're getting a null pointer for subgrid here, and then we crash when we dereference it on the next line:
  if (MOZ_LIKELY(!IsSubgrid())) {
    grid.PlaceGridItems(state, repeatSizing);  // XXX optimize
  } else {
    auto* subgrid = GetProperty(Subgrid::Prop());
    state.mGridItems = subgrid->mGridItems.Clone();
So we think we have a subgrid, but then the subgrid frame-property is not set.
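Added example, not code from Gecko or from anyone on this bug: a minimal C++ model of the pattern comment 3 quotes, with stand-in Frame, Subgrid and property names; the hardened variant's fallback is an assumption, not the fix that eventually landed.

```cpp
// Added example, not Gecko code: Frame, Subgrid and GridItem stand in for
// nsIFrame, the Subgrid frame property and GridItemInfo. The style-derived
// IsSubgrid() flag and the property table are tracked separately, so they can disagree.
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct GridItem { int row; int col; };
struct Subgrid { std::vector<GridItem> mGridItems; };
struct Frame {
  bool mIsSubgrid = false;                      // what the computed style says
  std::map<std::string, Subgrid*> mProperties;  // what was actually attached
  bool IsSubgrid() const { return mIsSubgrid; }
  Subgrid* GetProperty(const std::string& key) const {
    auto it = mProperties.find(key);
    return it == mProperties.end() ? nullptr : it->second;
  }
};

// The pattern from the bug: trust IsSubgrid() and dereference the property
// unconditionally, as subgrid->mGridItems.Clone() did. Returns the item count.
std::size_t CloneItemsUnchecked(const Frame& f, std::vector<GridItem>& out) {
  out.clear();
  if (!f.IsSubgrid()) return 0;                 // non-subgrid path: nothing to clone
  Subgrid* subgrid = f.GetProperty("Subgrid");
  out = subgrid->mGridItems;                    // null deref when the property is missing
  return out.size();
}

// Hardened variant (an assumed fix, not the one that landed): a subgrid whose
// property was never attached yields no items and reports the mismatch.
bool CloneItemsChecked(const Frame& f, std::vector<GridItem>& out) {
  out.clear();
  if (!f.IsSubgrid()) return true;
  Subgrid* subgrid = f.GetProperty("Subgrid");
  if (!subgrid) return false;                   // flag set, property missing: the bug's state
  out = subgrid->mGridItems;
  return true;
}

int main() {
  Subgrid sg{{{0, 0}, {1, 2}}};                 // constructed sample items
  Frame good;   good.mIsSubgrid = true; good.mProperties["Subgrid"] = &sg;
  Frame broken; broken.mIsSubgrid = true;       // property never attached
  std::vector<GridItem> out;
  std::size_t n = CloneItemsUnchecked(good, out);
  bool ok = CloneItemsChecked(broken, out);     // the unchecked path would crash here
  std::printf("good: %zu items, broken handled: %s\n", n, ok ? "yes" : "no");
}
```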
Comment 4•2 years ago
Tentatively S3 for now, given that this is a fuzzer testcase & we're apparently not seeing this in the wild based on the crash-stats chart here.
Worth investigating before long, though, possibly by me or Emily who might be working on grid stuff at some point in the future.
Updated•2 years ago
Updated•1 year ago
Comment 5•11 months ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•10 months ago (Reporter)
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Comment 7•4 months ago
Testcase crashes using the initial build (mozilla-central 20221224090645-dfbd00b278b0) but not with tip (mozilla-central 20231222213932-8989af6649bf).
The bug appears to have been fixed in the following build range:
Start: a63bafb44df0811c56c57b1fadd1c10261fd8c3e (20231219233048)
End: 9ac6d461916454c17cd8c7dfc7f73401ef3da12a (20231220020601)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a63bafb44df0811c56c57b1fadd1c10261fd8c3e&tochange=9ac6d461916454c17cd8c7dfc7f73401ef3da12a
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 8•4 months ago (Reporter)
:dholbert, can you confirm if this was fixed via bug 1800563 or bug 1870906?