Closed Bug 1795051 Opened 2 years ago Closed 2 years ago

Crash [@ GetStylePosition]

Categories

(Core :: Layout, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- unaffected
firefox106 --- unaffected
firefox107 --- verified

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev cbbf6a7e34a3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cbbf6a7e34a3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ GetStylePosition]

    ==291277==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address (pc 0x7f202533b24f bp 0x7ffdb52a0f30 sp 0x7ffdb52a0e30 T291277)
    ==291277==The signal is caused by a READ memory access.
    ==291277==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x7f202533b24f in GetStylePosition /layout/style/nsStyleStructList.h:44:1
        #1 0x7f202533b24f in StylePosition /layout/style/nsStyleStructList.h:44:1
        #2 0x7f202533b24f in StylePosition /layout/style/nsStyleStructList.h:44:1
        #3 0x7f202533b24f in GetISizeInfo(gfxContext*, nsIFrame*, mozilla::WritingMode, bool) /layout/tables/BasicTableLayoutStrategy.cpp:80:45
        #4 0x7f20252f51eb in GetColISizeInfo /layout/tables/BasicTableLayoutStrategy.cpp:231:10
        #5 0x7f20252f51eb in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:262:29
        #6 0x7f20252f4c68 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:400:3
        #7 0x7f20252f5005 in BasicTableLayoutStrategy::GetPrefISize(gfxContext*, bool) /layout/tables/BasicTableLayoutStrategy.cpp:55:5
        #8 0x7f20250e04f1 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
        #9 0x7f20250e1ecc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
        #10 0x7f2025335b64 in nsTableWrapperFrame::GetPrefISize(gfxContext*) /layout/tables/nsTableWrapperFrame.cpp:267:14
        #11 0x7f20250e04f1 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
        #12 0x7f20250e1ecc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
        #13 0x7f2025148393 in nsBlockFrame::GetPrefISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:926:29
        #14 0x7f20250e04f1 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
        #15 0x7f20250e1ecc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
        #16 0x7f2025148393 in nsBlockFrame::GetPrefISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:926:29
        #17 0x7f202521a4fe in nsIFrame::ComputeISizeValue(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, nsIFrame::ExtremumLength, mozilla::Maybe<int>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6686:16
        #18 0x7f202512ff90 in nsIFrame::ISizeComputationResult nsIFrame::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.h:4853:12
        #19 0x7f202512fcf4 in int mozilla::SizeComputationInput::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&) const /layout/generic/ReflowInput.cpp:229:9
        #20 0x7f202512902e in int mozilla::SizeComputationInput::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(mozilla::LogicalSize const&, mozilla::StyleBoxSizing, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&) const /layout/generic/ReflowInput.cpp:248:10
        #21 0x7f2025127288 in mozilla::ReflowInput::ComputeMinMaxValues(mozilla::LogicalSize const&) /layout/generic/ReflowInput.cpp:2975:9
        #22 0x7f202511efd9 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2286:5
        #23 0x7f202511c368 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:364:3
        #24 0x7f202511ccab in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:219:5
        #25 0x7f202516ce42 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:782:19
        #26 0x7f202516e0a5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1023:14
        #27 0x7f20251b76d9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
        #28 0x7f20251b843f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:974:3
        #29 0x7f20251bc716 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1398:3
        #30 0x7f202513edc6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1063:14
        #31 0x7f202513e52c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:375:7
        #32 0x7f202503943c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9627:11
        #33 0x7f202505cb6f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9799:24
        #34 0x7f2025042ba3 in DoFlushLayout /layout/base/PresShell.cpp:9869:10
        #35 0x7f2025042ba3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4396:11
        #36 0x7f2025007973 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1479:5
        #37 0x7f2025007973 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2597:20
        #38 0x7f20250105f0 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
        #39 0x7f20250105f0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
        #40 0x7f20250104f3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
        #41 0x7f20250101c0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
        #42 0x7f202500f82a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
        #43 0x7f202500f215 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
        #44 0x7f202500ee4a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
        #45 0x7f202500ea5c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
        #46 0x7f20244db5eb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
        #47 0x7f202476b706 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
        #48 0x7f20208e02c4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
        #49 0x7f20208715c1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #50 0x7f202086e115 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #51 0x7f202086ecb6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #52 0x7f2020870041 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #53 0x7f201fc97e6e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #54 0x7f201fc70389 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #55 0x7f201fc6ef13 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #56 0x7f201fc6f183 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #57 0x7f201fc9b716 in operator() /xpcom/threads/TaskController.cpp:187:37
        #58 0x7f201fc9b716 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #59 0x7f201fc84fdf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #60 0x7f201fc8b5ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #61 0x7f2020877046 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #62 0x7f202079b187 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #63 0x7f202079b092 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #64 0x7f202079b092 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #65 0x7f2024cbebc8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #66 0x7f2026ecc6db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #67 0x7f2020877f3a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #68 0x7f202079b187 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #69 0x7f202079b092 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #70 0x7f202079b092 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #71 0x7f2026ecbcbe in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #72 0x5654762b3c19 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #73 0x5654762b3c19 in main /browser/app/nsBrowserApp.cpp:357:18
        #74 0x7f2037185d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #75 0x7f2037185e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #76 0x5654762898dc in _start (/home/jkratzer/builds/m-c-20221012213343-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 79de1d6fe4f74fe64c1836d51ad7afe42e2e9e06)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/style/nsStyleStructList.h:44:1 in GetStylePosition
    ==291277==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221013154647-4563dd583110.
The bug appears to have been introduced in the following build range:

Start: cd243979744cb162120fc13c0fe9ed4eb62bb6fe (20221011201302)
End: 2796a36d754343ffbe7ecce367ae76a26bf45b96 (20221011222538)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd243979744cb162120fc13c0fe9ed4eb62bb6fe&tochange=2796a36d754343ffbe7ecce367ae76a26bf45b96

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Probably due to bug 1794456.

Severity: -- → S3
Flags: needinfo?(aethanyc)
Regressed by: 1794456

Set release status flags based on info from the regressing bug 1794456

Crash Signature: [@ GetStylePosition] → [@ GetStylePosition] [@ ServoComputedData::GetStylePosition ]
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Pushed by tlin@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/de9e12276d8e
Fix the condition before calling ResetColIndices in nsTableFrame::InsertColGroups. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Blocks: 1795030

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221014215500-0bf2cd2f9e73.
Removing bugmon keyword as no further action is possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon