Closed
Bug 1806898
Opened 1 year ago
Closed 1 year ago
Crash [@ Length]
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
VERIFIED
FIXED
110 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox108 | --- | disabled |
| firefox109 | --- | disabled |
| firefox110 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev bd78e2e5b1fe (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build bd78e2e5b1fe --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ Length]
==33596==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fad1c8345b0 bp 0x7fffd05ac290 sp 0x7fffd05ac250 T33596)
==33596==The signal is caused by a READ memory access.
==33596==Hint: address points to the zero page.
#0 0x7fad1c8345b0 in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37
#1 0x7fad1c8345b0 in ElementAt /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1204:9
#2 0x7fad1c8345b0 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1236:12
#3 0x7fad1c8345b0 in nsCellMapColumnIterator::GetNextFrame(int*, int*) /layout/tables/nsCellMap.cpp:2459:43
#4 0x7fad1c833c3e in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:287:36
#5 0x7fad1c8333e8 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:400:3
#6 0x7fad1c83339e in BasicTableLayoutStrategy::GetMinISize(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:42:5
#7 0x7fad1c852487 in TableShrinkISizeToFit /layout/tables/nsTableFrame.cpp:1432:22
#8 0x7fad1c852487 in nsTableFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/tables/nsTableFrame.cpp:1462:27
#9 0x7fad1c756cdf in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6230:7
#10 0x7fad1c8521d1 in nsTableFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/tables/nsTableFrame.cpp:1400:35
#11 0x7fad1c87470d in nsTableWrapperFrame::InnerTableShrinkWrapSize(gfxContext*, nsTableFrame*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) const /layout/tables/nsTableWrapperFrame.cpp:348:13
#12 0x7fad1c8758df in nsTableWrapperFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/tables/nsTableWrapperFrame.cpp:497:14
#13 0x7fad1c756cdf in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6230:7
#14 0x7fad1c87547c in nsTableWrapperFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/tables/nsTableWrapperFrame.cpp:440:35
#15 0x7fad1c65ca29 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2410:19
#16 0x7fad1c659634 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:360:3
#17 0x7fad1c659ffa in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:219:5
#18 0x7fad1c69769b in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /layout/generic/nsBlockReflowContext.cpp:157:25
#19 0x7fad1c693b01 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3810:11
#20 0x7fad1c691e11 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3378:5
#21 0x7fad1c68c244 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2895:9
#22 0x7fad1c6879db in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1470:3
#23 0x7fad1c6ab599 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1029:14
#24 0x7fad1c6aaaf9 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:754:7
#25 0x7fad1c6ab599 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1029:14
#26 0x7fad1c6f3c10 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:841:3
#27 0x7fad1c6f499f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:977:3
#28 0x7fad1c6f94ad in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1404:3
#29 0x7fad1c67c306 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1069:14
#30 0x7fad1c67ba54 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:384:7
#31 0x7fad1c5765ea in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9696:11
#32 0x7fad1c59a89f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9868:24
#33 0x7fad1c63aa90 in nsPresContext::UpdateContainerQueryStyles() /layout/base/nsPresContext.cpp:1036:16
#34 0x7fad1c5a7ccb in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3093:18
#35 0x7fad1c580a30 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3248:3
#36 0x7fad1c57ff8f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4423:39
#37 0x7fad1c543be3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2605:22
#38 0x7fad1c54d32d in TickDriver /layout/base/nsRefreshDriver.cpp:374:13
#39 0x7fad1c54d32d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:352:7
#40 0x7fad1c54d233 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:368:5
#41 0x7fad1c54d110 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:912:5
#42 0x7fad1c54c47a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:826:5
#43 0x7fad1c54bc36 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:747:5
#44 0x7fad1c54b749 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:593:14
#45 0x7fad1c54b35d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:550:9
#46 0x7fad1ba09ceb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#47 0x7fad1bc90a08 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#48 0x7fad17e36a3a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
#49 0x7fad17dcf21a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
#50 0x7fad17dcbe77 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1681:9
#51 0x7fad17dcc9c5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
#52 0x7fad17dcdcff in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
#53 0x7fad171c34f5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#54 0x7fad171beadc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#55 0x7fad171bd6aa in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#56 0x7fad171bda05 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#57 0x7fad171c6e69 in operator() /xpcom/threads/TaskController.cpp:190:37
#58 0x7fad171c6e69 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#59 0x7fad171dc7a8 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
#60 0x7fad171e2fed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:474:10
#61 0x7fad17dd4aa3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#62 0x7fad17cf9a88 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7fad17cf9991 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7fad17cf9991 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7fad1c1f2298 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#66 0x7fad1e41f4bb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:884:20
#67 0x7fad17dd59b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#68 0x7fad17cf9a88 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#69 0x7fad17cf9991 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#70 0x7fad17cf9991 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#71 0x7fad1e41ea4c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:743:34
#72 0x557ba226aca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x557ba226aca0 in main /browser/app/nsBrowserApp.cpp:359:18
#74 0x7fad2c497d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#75 0x7fad2c497e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#76 0x557ba2241308 in _start (/home/jkratzer/builds/m-c-20221213041109-fuzzing-debug/firefox-bin+0x5b308) (BuildId: be85c748d6fca08f1793e5d193145523e881d675)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37 in Length
==33596==ABORTING
|
Reporter | |
Comment 1•1 year ago
|
||
|
|
Reporter | |
Updated•1 year ago
|
Blocks: container-queries
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(emilio)
|
||
Comment 2•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20221221212123-1de20be14b0d.
The bug appears to have been introduced in the following build range:
Start: 1995acac9f11fb8c9bfad8b71d6c32f26ed57e18 (20220810070434)
End: 7b0258915ecac013d6446e8990bccf78dd205f23 (20220810114632)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1995acac9f11fb8c9bfad8b71d6c32f26ed57e18&tochange=7b0258915ecac013d6446e8990bccf78dd205f23
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Assignee | |
Comment 3•1 year ago
|
||
If style is dirty, we'll do the CQ update after restyling inside the
while loop.
This prevents reflowing frames with pending restyle changes, which is
important for e.g., tables, which rely on
nsChangeHint_UpdateTableCellSpans to update their cell map.
|
||
Updated•1 year ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/10b293db5106 Don't reflow elements with dirty styles to update container queries. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/37677 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox110:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
|
|
||
Comment 7•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20221224090645-dfbd00b278b0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 8•1 year ago
|
||
Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:emilio, if possible, could you fill the Regressed by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
|
||
Comment 9•1 year ago
|
||
Set release status flags based on info from the regressing bug 1778989
status-firefox108:
--- → affected
status-firefox109:
--- → affected
status-firefox-esr102:
--- → unaffected
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 11•1 year ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox109towontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(emilio)
You need to log in
before you can comment on or make changes to this bug.
Description
•