Closed Bug 1776079 Opened 2 years ago Closed 2 years ago

crash at null in [@ nsFlexContainerFrame::FlexItemIterator::FlexItemIterator]

Categories

(Core :: Layout: Flexbox, defect)

Tracking

VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox101 --- unaffected
firefox102 --- unaffected
firefox103 --- verified

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220622-0242545b34ca (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==28045==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fde0bdff9be bp 0x7ffc40141370 sp 0x7ffc40141340 T0)
==28045==The signal is caused by a READ memory access.
==28045==Hint: address points to the zero page.
    #0 0x7fde0bdff9be in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37
    #1 0x7fde0bdff9be in end /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1266:34
    #2 0x7fde0bdff9be in nsFlexContainerFrame::FlexItemIterator::FlexItemIterator(nsTArray<nsFlexContainerFrame::FlexLine> const&) src/gecko/layout/generic/nsFlexContainerFrame.cpp:1118:29
    #3 0x7fde0bdff413 in nsFlexContainerFrame::GenerateFlexLayoutResult() src/gecko/layout/generic/nsFlexContainerFrame.cpp:4263:20
    #4 0x7fde0be01a96 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsFlexContainerFrame.cpp:4643:11
    #5 0x7fde0bdc254d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #6 0x7fde0bd8d568 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) src/gecko/layout/generic/nsContainerFrame.cpp:1272:7
    #7 0x7fde0bd896a2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsBlockFrame.cpp:1382:5
    #8 0x7fde0bdc254d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #9 0x7fde0bd8d568 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) src/gecko/layout/generic/nsContainerFrame.cpp:1272:7
    #10 0x7fde0bd896a2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsBlockFrame.cpp:1382:5
    #11 0x7fde0bda3eb2 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) src/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #12 0x7fde0bd9beb6 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/gecko/layout/generic/nsBlockFrame.cpp:3906:11
    #13 0x7fde0bd98df6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/gecko/layout/generic/nsBlockFrame.cpp:3256:5
    #14 0x7fde0bd8fef0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) src/gecko/layout/generic/nsBlockFrame.cpp:2783:7
    #15 0x7fde0bd8992d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsBlockFrame.cpp:1415:3
    #16 0x7fde0bdc254d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #17 0x7fde0bdc63a4 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/gecko/layout/generic/nsColumnSetFrame.cpp:686:7
    #18 0x7fde0bdc5210 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/gecko/layout/generic/nsColumnSetFrame.cpp:396:37
    #19 0x7fde0bdca38c in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/gecko/layout/generic/nsColumnSetFrame.cpp:1118:9
    #20 0x7fde0bdcb104 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsColumnSetFrame.cpp:1235:5
    #21 0x7fde0bda3eb2 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) src/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #22 0x7fde0bd9beb6 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/gecko/layout/generic/nsBlockFrame.cpp:3906:11
    #23 0x7fde0bd98df6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/gecko/layout/generic/nsBlockFrame.cpp:3256:5
    #24 0x7fde0bd8fef0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) src/gecko/layout/generic/nsBlockFrame.cpp:2783:7
    #25 0x7fde0bd8992d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsBlockFrame.cpp:1415:3
    #26 0x7fde0bdc254d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #27 0x7fde0bdc0cd4 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsCanvasFrame.cpp:793:7
    #28 0x7fde0bdc254d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #29 0x7fde0be4da8e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) src/gecko/layout/generic/nsGfxScrollFrame.cpp:838:3
    #30 0x7fde0be4f725 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) src/gecko/layout/generic/nsGfxScrollFrame.cpp:1009:7
    #31 0x7fde0be54be4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/nsGfxScrollFrame.cpp:1399:3
    #32 0x7fde0bd78ee4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/gecko/layout/generic/nsContainerFrame.cpp:1045:14
    #33 0x7fde0bd78519 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/gecko/layout/generic/ViewportFrame.cpp:374:7
    #34 0x7fde0bba8235 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/gecko/layout/base/PresShell.cpp:9619:11
    #35 0x7fde0bbbaae7 in mozilla::PresShell::ProcessReflowCommands(bool) src/gecko/layout/base/PresShell.cpp:9790:24
    #36 0x7fde0bbb8e37 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/gecko/layout/base/PresShell.cpp:4358:11
    #37 0x7fde0bb418bd in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/gecko/layout/base/nsRefreshDriver.cpp:2585:20
    #38 0x7fde0bb4f0c7 in TickDriver src/gecko/layout/base/nsRefreshDriver.cpp:375:13
    #39 0x7fde0bb4f0c7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/gecko/layout/base/nsRefreshDriver.cpp:353:7
    #40 0x7fde0bb4ee2d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/gecko/layout/base/nsRefreshDriver.cpp:369:5
    #41 0x7fde0bb4e695 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/gecko/layout/base/nsRefreshDriver.cpp:896:5
    #42 0x7fde0bb4dd5f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/gecko/layout/base/nsRefreshDriver.cpp:810:5
    #43 0x7fde0bb4d4a9 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/gecko/layout/base/nsRefreshDriver.cpp:731:5
    #44 0x7fde0bb4cdd9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/gecko/layout/base/nsRefreshDriver.cpp:594:14
    #45 0x7fde0bb4c984 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/gecko/layout/base/nsRefreshDriver.cpp:551:9
    #46 0x7fde0a77f50d in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #47 0x7fde0abcb942 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #48 0x7fde046a7693 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6085:32
    #49 0x7fde04606669 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/gecko/ipc/glue/MessageChannel.cpp:1749:25
    #50 0x7fde046036d7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) src/gecko/ipc/glue/MessageChannel.cpp:1674:9
    #51 0x7fde04604324 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/gecko/ipc/glue/MessageChannel.cpp:1474:3
    #52 0x7fde046055b2 in mozilla::ipc::MessageChannel::MessageTask::Run() src/gecko/ipc/glue/MessageChannel.cpp:1572:14
    #53 0x7fde02eaf732 in mozilla::RunnableTask::Run() src/gecko/xpcom/threads/TaskController.cpp:538:16
    #54 0x7fde02e7007d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/gecko/xpcom/threads/TaskController.cpp:851:26
    #55 0x7fde02e6d1e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/gecko/xpcom/threads/TaskController.cpp:683:15
    #56 0x7fde02e6d910 in mozilla::TaskController::ProcessPendingMTTask(bool) src/gecko/xpcom/threads/TaskController.cpp:461:36
    #57 0x7fde02eb8661 in operator() src/gecko/xpcom/threads/TaskController.cpp:187:37
    #58 0x7fde02eb8661 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #59 0x7fde02e912b7 in nsThread::ProcessNextEvent(bool, bool*) src/gecko/xpcom/threads/nsThread.cpp:1205:16
    #60 0x7fde02e9b734 in NS_ProcessNextEvent(nsIThread*, bool) src/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #61 0x7fde0460de2f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/gecko/ipc/glue/MessagePump.cpp:85:21
    #62 0x7fde0448ed91 in RunInternal src/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #63 0x7fde0448ed91 in RunHandler src/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #64 0x7fde0448ed91 in MessageLoop::Run() src/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #65 0x7fde0b5a26c7 in nsBaseAppShell::Run() src/gecko/widget/nsBaseAppShell.cpp:150:27
    #66 0x7fde105898e7 in XRE_RunAppShell() src/gecko/toolkit/xre/nsEmbedFunctions.cpp:875:20
    #67 0x7fde0448ed91 in RunInternal src/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #68 0x7fde0448ed91 in RunHandler src/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #69 0x7fde0448ed91 in MessageLoop::Run() src/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #70 0x7fde10588a4f in XRE_InitChildProcess(int, char**, XREChildData const*) src/gecko/toolkit/xre/nsEmbedFunctions.cpp:734:34
    #71 0x56368cdfd6d5 in content_process_main(mozilla::Bootstrap*, int, char**) src/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #72 0x56368cdfda86 in main src/gecko/browser/app/nsBrowserApp.cpp:338:18
    #73 0x7fde3176cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #74 0x56368cd3db19 in _start (/home/twsmith/workspace/browsers/m-c-20220622094342-fuzzing-asan-opt/firefox+0x77b19) (BuildId: 2c6d2cf27ef1cd84962ff162ff0efc57f5bfe74f)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/t8_fd9OqDykBDQi-wxJw4Q/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220622161022-952fc558850b.
The bug appears to have been introduced in the following build range:

Start: a0c3c1742a62612e926a417daac7c347c2bccd51 (20220614222053)
End: 466d30a90a012ce9d5a620c6d61b9176be8d8641 (20220615005821)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a0c3c1742a62612e926a417daac7c347c2bccd51&tochange=466d30a90a012ce9d5a620c6d61b9176be8d8641

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(aethanyc)
Regressed by: 1739561

Set release status flags based on info from the regressing bug 1739561

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2fc6cac0eb1d Delete SharedFlexData() only if there's no flex container's next-in-flow. r=dholbert
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
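The push above changes when SharedFlexData is deleted: only once the flex container has no next-in-flow. The following is an added C++ model of that lifetime bug, written for this page; it is not Gecko code, and every name in it (SharedData, Fragment, ItemIterator, Reflow, ReflowFragmentedContainer) is a hypothetical stand-in for SharedFlexData, the flex container frame and its continuations, and FlexItemIterator. It shows why the regression produces the null read at nsTArray::Length in the trace (a continuation reflowed via ReflowOverflowContainerChildren after the first-in-flow freed the shared line data) and how the guarded deletion avoids it. The model returns -1 where the real code dereferences null, so it runs to completion.

```cpp
// Added example, not Gecko code: a minimal model of the premature-deletion
// bug behind this crash. All names are hypothetical stand-ins.
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

struct Line {
  std::vector<int> items;
};

// Data shared by every fragment (continuation) of one flex container; plays
// the role of SharedFlexData. The first-in-flow owns it, the rest point at it.
struct SharedData {
  std::vector<Line> lines;
};

// One fragment of a fragmented flex container (first-in-flow or a next-in-flow
// created by a column/page break, as in the nsColumnSetFrame frames above).
struct Fragment {
  SharedData* shared = nullptr;       // non-owning view, held by every fragment
  std::unique_ptr<SharedData> owned;  // set only on the first-in-flow
  Fragment* nextInFlow = nullptr;
};

// Mirrors FlexItemIterator: the constructor reads the line array right away
// (nsTArray::end() -> Length()), which is the faulting frame in the trace.
class ItemIterator {
 public:
  explicit ItemIterator(const std::vector<Line>& lines) : mLines(lines) {
    SkipEmptyLines();
  }
  bool AtEnd() const { return mLine >= mLines.size(); }
  int Current() const { return mLines[mLine].items[mItem]; }
  void Next() {
    if (++mItem >= mLines[mLine].items.size()) {
      mItem = 0;
      ++mLine;
      SkipEmptyLines();
    }
  }

 private:
  void SkipEmptyLines() {
    while (mLine < mLines.size() && mLines[mLine].items.empty()) ++mLine;
  }
  const std::vector<Line>& mLines;
  std::size_t mLine = 0;
  std::size_t mItem = 0;
};

// Stand-in for GenerateFlexLayoutResult(): count the items it would lay out.
// Returns -1 where the real code would read through a null array pointer.
int GenerateLayoutResult(const Fragment& frag) {
  if (!frag.shared) return -1;  // real code: SEGV on address 0x0
  int n = 0;
  for (ItemIterator it(frag.shared->lines); !it.AtEnd(); it.Next()) ++n;
  return n;
}

// One fragment's Reflow(). `regressed == true` models the regression (shared
// data deleted unconditionally after this fragment reflows); `false` models
// the fix from this bug: delete only if this fragment has no next-in-flow.
int Reflow(Fragment& frag, Fragment& firstInFlow, bool regressed) {
  int result = GenerateLayoutResult(frag);
  if (regressed || frag.nextInFlow == nullptr) {
    firstInFlow.owned.reset();  // free the shared data...
    for (Fragment* f = &firstInFlow; f; f = f->nextInFlow) f->shared = nullptr;
  }
  return result;
}

// Reflow a two-fragment container in the order the trace shows: first-in-flow,
// then its next-in-flow (via ReflowOverflowContainerChildren). Returns the
// item count the second fragment sees, or -1 for the modelled null read.
int ReflowFragmentedContainer(bool regressed) {
  Fragment first, second;
  first.owned = std::make_unique<SharedData>();
  first.owned->lines = {Line{{1, 2, 3}}, Line{{4, 5}}};  // constructed: 5 items
  first.shared = first.owned.get();
  second.shared = first.owned.get();
  first.nextInFlow = &second;
  Reflow(first, first, regressed);
  return Reflow(second, first, regressed);
}

int main() {
  std::cout << "regressed: " << ReflowFragmentedContainer(true)
            << " (-1 = null read in iterator ctor)\n";
  std::cout << "fixed: next-in-flow laid out "
            << ReflowFragmentedContainer(false) << " items\n";
  return 0;
}
```

The guard is the whole fix: ownership of the shared data stays with the first-in-flow, but the decision to free it is made by the fragment that knows no later continuation will need it. In the regressed path the first fragment frees the data after its own reflow, so the continuation's iterator constructor is the first thing to touch the null array, which matches frames #2 through #6 of the ASan report.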

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220624160242-824ad1e067c3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Set release status flags based on info from the regressing bug 1739561
