1764863 - crash at null in [@ mozilla::RetainedDisplayListBuilder::PreProcessDisplayList]

Status: NEW

(Core :: Web Painting, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220414-b360d0fa4d48 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

The attached test case is not 100% reliable. I can usually reproduce the issue within 10 attempts.

==211855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2ae539b9d9 bp 0x7ffe6a5fe9d0 sp 0x7ffe6a5fe640 T0)
==211855==The signal is caused by a READ memory access.
==211855==Hint: address points to the zero page.
    #0 0x7f2ae539b9d9 in mozilla::RetainedDisplayListBuilder::PreProcessDisplayList(mozilla::RetainedDisplayList*, nsIFrame*, mozilla::PartialUpdateResult&, nsIFrame*, mozilla::ActiveScrolledRoot const*, nsIFrame*, unsigned int, unsigned int, bool) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:329:60
    #1 0x7f2ae539b95d in mozilla::RetainedDisplayListBuilder::PreProcessDisplayList(mozilla::RetainedDisplayList*, nsIFrame*, mozilla::PartialUpdateResult&, nsIFrame*, mozilla::ActiveScrolledRoot const*, nsIFrame*, unsigned int, unsigned int, bool) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:297:12
    #2 0x7f2ae53a446e in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1676:10
    #3 0x7f2ae4d25ceb in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3337:40
    #4 0x7f2ae4c47711 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6412:5
    #5 0x7f2ae456c89d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:440:18
    #6 0x7f2ae456c01f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:375:22
    #7 0x7f2ae456dfdb in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:948:5
    #8 0x7f2ae4bbdb8e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2694:11
    #9 0x7f2ae4bca0d7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
    #10 0x7f2ae4bca0d7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
    #11 0x7f2ae4bc9e3d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
    #12 0x7f2ae4bc9af5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896:5
    #13 0x7f2ae4bc8bd2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:771:16
    #14 0x7f2ae4bc7db1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:650:7
    #15 0x7f2ae4bc77d8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
    #16 0x7f2ae38e414e in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #17 0x7f2ae3ce6222 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:54
    #18 0x7f2adda09129 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6518:32
    #19 0x7f2add96a8f9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1707:25
    #20 0x7f2add9683f2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1632:9
    #21 0x7f2add9699b1 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1528:14
    #22 0x7f2adc270e92 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
    #23 0x7f2adc23749d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:780:26
    #24 0x7f2adc234998 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #25 0x7f2adc2350c9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
    #26 0x7f2adc27dad4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #27 0x7f2adc27dad4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #28 0x7f2adc257817 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1180:16
    #29 0x7f2adc26157c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #30 0x7f2add971fc4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #31 0x7f2add7ebfb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #32 0x7f2add7ebfb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #33 0x7f2add7ebfb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #34 0x7f2ae466d337 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #35 0x7f2ae950192f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
    #36 0x7f2add7ebfb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #37 0x7f2add7ebfb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #38 0x7f2add7ebfb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #39 0x7f2ae9500b53 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:729:34
    #40 0x55be1750b47d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #41 0x55be1750b8b0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #42 0x7f2b00fb90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #43 0x55be1745a569 in _start (/home/user/workspace/browsers/m-c-20220414160428-fuzzing-asan-opt/firefox+0x5e569)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/thJs7AEdLG85uHW6fo2OOQ/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220415034931-93272b6f162c.
Unable to bisect testcase (Testcase does not reproduce on end build!):

Start: d26e6241a27381f7d94a055d1dc8297a9d7a7fc2 (20210416030733)
End: b360d0fa4d48b5f8fbe160ee92accffabc508624 (20220414160428)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220414160428-b360d0fa4d48) but not with tip (mozilla-central 20220429215525-6921abcd7429.)
The bug appears to have been fixed in the following build range:

Start: eaa4213b9e08455979861b31f1b8dd8f78afead5 (20220425135723)
End: 66db1b50931634a3daad56bf7edd42d3a39cb37b (20220425213655)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=eaa4213b9e08455979861b31f1b8dd8f78afead5&tochange=66db1b50931634a3daad56bf7edd42d3a39cb37b
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 4

[Timothy Nikkel (:tnikkel)]

Tyson, since the bot thinks this is fixed but with an empty pushlog, do you still see this in your fuzzers?

Comment 5

[Tyson Smith [:tsmith]]

It was last reported by fuzzers targeting m-c 20220414-b360d0fa4d48.

Comment 6

[Kelsey Gilbert [:jgilbert]]

->S3 because it's not very actionable, and probably just content process crashes that we recover from.

Comment 8

[Jeff Muizelaar [:jrmuizel]]

I agree that this is an S3.

Tim, can you take a look at this again when you get a chance?

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Copying crash signatures from duplicate bugs.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criteria:

• Top 20 desktop browser crashes on beta
• Top 10 content process crashes on beta

:tnikkel, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Comment 12

[Timothy Nikkel (:tnikkel)]

There's only a few crashes on beta and the graph looks pretty steady, so I think this is a false signal, I don't think it has changed in frequency or spiked.

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

Based on the topcrash criteria, the crash signatures linked to this bug are not in the topcrash signatures anymore.

For more information, please visit BugBot documentation.

Comment 14

[Gabriele Svelto [:gsvelto]]

This is spiking a lot but I suspect it's because of changes in external websites rather than in Firefox, given the following:

• The bulk of the new crashes is in the release channel
• More than half of the crashes are coming from the Polish locale
• The domain that comes up more often in the crash URLs is a Polish dating site: https://sympatia.onet.pl
• Other affected domains appear to be https://hub.monta.app, https://kundenportal.teambank.at and https://new.express.adobe.com

The bug appears to be reproducible on all platforms and given the volume I feel like we should prioritize fixing it. I'm not familiar with this code but from a glance it seems to be caused by an interaction with scrolling. I suppose it should be possible to reproduce it within rr to understand what's going on, or maybe we could point site-scout at those pages and see if the debugging builds catch something useful.

Comment 15

[Gabriele Svelto [:gsvelto]]

Let me know if I can help, cracking up Windows minidumps in Visual Studio to find out about what's on the stack or anything else that might help debugging this.

Comment 16

[Timothy Nikkel (:tnikkel)]

I tried to reproduce from the urls in crash stats but no luck (they mostly are sites that require logins).

I tried to reproduce with the attached testcase extensively and I was unable to.

Unfortunately the crash reports aren't super helpful because they point to something going wrong well before the crashing site and there aren't many clues at the later crashing site.

Good news though, I was able to debug the pernosco, and even though the testcase it records no longer reproduces any problem, the problem in the pernosco I think still exists and could be responsible for these crashes. Since this bug has sort of been morphed into tracking the crash signatures and not the testcase I will likely file a new bug to land a patch for that issue.

Comment 17

[Timothy Nikkel (:tnikkel)]

Tyson, have you seen anything like this crash recently? It would be good to have a recently reproducible testcase if possible.

Comment 18

[Tyson Smith [:tsmith]]

(In reply to Timothy Nikkel (:tnikkel) from comment #17)

Tyson, have you seen anything like this crash recently? It would be good to have a recently reproducible testcase if possible.

No sorry, the last report from the fuzzers was from April 24. None of the reports I have are reproducible.

Comment 19

[Timothy Nikkel (:tnikkel)]

(In reply to Timothy Nikkel (:tnikkel) from comment #16)

Good news though, I was able to debug the pernosco, and even though the testcase it records no longer reproduces any problem, the problem in the pernosco I think still exists and could be responsible for these crashes. Since this bug has sort of been morphed into tracking the crash signatures and not the testcase I will likely file a new bug to land a patch for that issue.

Patch posted to bug 1984898.

Comment 20

[Timothy Nikkel (:tnikkel)]

Hopefuly work around upliftable patch in bug 1986191.

Comment 21

[Roman Masarovic]

Hello, everyone. I prepared a demo that crashes. You can see it at this link: https://squirrels-jamy.github.io/flutter_pulltorefresh/ The crash occurs in Firefox when you click the button to refresh. Here is code https://github.com/squirrels-jamy/flutter_pulltorefresh/tree/bugzilla

Comment 22

[Timothy Nikkel (:tnikkel)]

(In reply to Roman Masarovic from comment #21)

Hello, everyone. I prepared a demo that crashes. You can see it at this link: https://squirrels-jamy.github.io/flutter_pulltorefresh/ The crash occurs in Firefox when you click the button to refresh. Here is code https://github.com/squirrels-jamy/flutter_pulltorefresh/tree/bugzilla

Amazing! Thanks for that!

I can reproduce a crash that is fixed by bug 1984898.

Are you associated with one of the sites that is experiencing Firefox crashing on it? It would be helpful to know if this crash represents the issue that we are seeing with a spike in crashes with this signature.

Comment 23

[Roman Masarovic]

I am a developer from sympatia.onet.pl and we use a list in a web application in a similar way as the demo

Comment 24

[Timothy Nikkel (:tnikkel)]

Thanks. Your demo will be very useful in order to verify fixes. Apologies for crashing on your website.

A workaround for the problem is currently in Firefox beta, you can download that and test to make sure it works for your site. The fix will be released to Firefox users in version 143 on Sept 16.

Comment 25

[Timothy Nikkel (:tnikkel)]

Debugged the testcase. It does indeed look like the same issue captured in the pernosco here. There is a transform item, it contains an abs pos scroll frame. It looks like something is tweaked inside that scroll frame, we succeed in doing a partial display list update, but incorrectly change the asr of the transform item to the asr of the scroll frame, then the scroll frame is tweaked so its just a block (no more scroll frame), and then we attempt another partial update and find that our asr's scroll container frame has disappeared. I'll attempt to create a small testcase from that description (the description above seems a bit too easy, so it might be more complicated, otherwise our fuzzers would have found a testcase by now).

Comment 26

[Timothy Nikkel (:tnikkel)]

I was able to come up with a reduced automated testcase from the example provided, which I landed in bug 1987340. Much thanks!