Assertion failure: nsContentUtils::IsSafeToRunScript() || mOwnerContent->OwnerDoc()->IsStaticDocument() (FrameLoader should never be initialized during document update or reflow!), at /dom/base/nsFrameLoader.cpp:2171
Categories: Core :: Layout, defect, P2

Tracking:

| Version | Tracking | Status |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox108 | --- | disabled |
| firefox109 | --- | disabled |
| firefox110 | --- | fixed |

People: Reporter: jkratzer; Assignee: Unassigned
References: Blocks 2 open bugs; Regression
Details: Keywords: crash, regression, testcase; Whiteboard: [bugmon:bisected,confirmed]

Attachments (2 files):
- 170 bytes, text/plain
- Bug 1806905 - Tweak reflow callback set-up to deal with container query reentrancy. r=dholbert,smaug (48 bytes, text/x-phabricator-request)
Testcase found while fuzzing mozilla-central rev bd78e2e5b1fe (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build bd78e2e5b1fe --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: nsContentUtils::IsSafeToRunScript() || mOwnerContent->OwnerDoc()->IsStaticDocument() (FrameLoader should never be initialized during document update or reflow!), at /dom/base/nsFrameLoader.cpp:2171
=================================================================
==42074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f12f1894fa1 bp 0x7ffc65cbf990 sp 0x7ffc65cbf980 T0)
==42074==The signal is caused by a WRITE memory access.
==42074==Hint: address points to the zero page.
#0 0x7f12f1894fa1 in nsFrameLoader::AssertSafeToInit() /dom/base/nsFrameLoader.cpp:2168:3
#1 0x7f12f1884f51 in nsFrameLoader::MaybeCreateDocShell() /dom/base/nsFrameLoader.cpp:2183:3
#2 0x7f12f1886259 in nsFrameLoader::GetDocShell(mozilla::ErrorResult&) /dom/base/nsFrameLoader.cpp:833:19
#3 0x7f12f1897182 in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsSubDocumentFrame*) /dom/base/nsFrameLoader.cpp:2507:40
#4 0x7f12f1896ded in nsFrameLoader::UpdatePositionAndSize(nsSubDocumentFrame*) /dom/base/nsFrameLoader.cpp:2463:3
#5 0x7f12f76fafcc in nsSubDocumentFrame::ReflowFinished() /layout/generic/nsSubDocumentFrame.cpp:771:18
#6 0x7f12f76fb0df in non-virtual thunk to nsSubDocumentFrame::ReflowFinished() /layout/generic/nsSubDocumentFrame.cpp
#7 0x7f12f72cab35 in mozilla::PresShell::HandlePostedReflowCallbacks(bool) /layout/base/PresShell.cpp:4195:21
#8 0x7f12f72bbde7 in mozilla::PresShell::DidDoReflow(bool) /layout/base/PresShell.cpp:9490:3
#9 0x7f12f72f576c in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9888:7
#10 0x7f12f7412116 in nsPresContext::UpdateContainerQueryStyles() /layout/base/nsPresContext.cpp:1036:16
#11 0x7f12f730670e in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3205:18
#12 0x7f12f72cd9e6 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3248:3
#13 0x7f12f72cc0f0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4423:39
#14 0x7f12f1568deb in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10737:16
#15 0x7f12f71d732c in nsComputedDOMStyle::Flush(mozilla::dom::Document&, mozilla::FlushType) /layout/style/nsComputedDOMStyle.cpp:1007:13
#16 0x7f12f71d3e1d in nsComputedDOMStyle::UpdateCurrentStyleSources(nsCSSPropertyID) /layout/style/nsComputedDOMStyle.cpp:1059:5
#17 0x7f12f71d2d6e in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char> const&, nsTSubstring<char>&) /layout/style/nsComputedDOMStyle.cpp:463:3
#18 0x7f12f26740c4 in GetPropertyValue /layout/style/nsICSSDeclaration.h:102:10
#19 0x7f12f26740c4 in mozilla::dom::CSSStyleDeclaration_Binding::getPropertyValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/CSSStyleDeclarationBinding.cpp:310:24
#20 0x7f12f358f855 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13
#21 0x7f12fbffa48f in CallJSNative /js/src/vm/Interpreter.cpp:459:13
#22 0x7f12fbffa48f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
#23 0x7f12fbfe946a in InternalCall /js/src/vm/Interpreter.cpp:614:10
#24 0x7f12fbfe946a in CallFromStack /js/src/vm/Interpreter.cpp:619:10
#25 0x7f12fbfe946a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3379:16
#26 0x7f12fbfcd58c in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
#27 0x7f12fbffa5ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
#28 0x7f12fbffc2ef in InternalCall /js/src/vm/Interpreter.cpp:614:10
#29 0x7f12fbffc2ef in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
#30 0x7f12fbffd957 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:775:10
#31 0x7f12fc308698 in CallGetter /js/src/vm/NativeObject.cpp:2022:12
#32 0x7f12fc308698 in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2050:12
#33 0x7f12fc308698 in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2198:14
#34 0x7f12fc308698 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2229:10
#35 0x7f12fbf425f1 in GetProperty /js/src/vm/ObjectOperations-inl.h:118:10
#36 0x7f12fbf425f1 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:125:10
#37 0x7f12fc002373 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4737:10
#38 0x7f12fbfd4110 in GetPropertyOperation /js/src/vm/Interpreter.cpp:245:10
#39 0x7f12fbfd4110 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3034:12
#40 0x7f12fbfcd58c in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
#41 0x7f12fbffa5ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
#42 0x7f12fcebf713 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1591:10
#43 0x189148b41da8 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dom/base/nsFrameLoader.cpp:2168:3 in nsFrameLoader::AssertSafeToInit()
==42074==ABORTING
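The first thing a fuzzing engineer does with a report like this is decide whether the sanitizer SEGV is a real memory-safety bug or just the fallout of the MOZ_ASSERT that fired one line earlier. The following is an added example, not code from this bug or from mozilla-central, that pulls the bucketing fields out of such a log: the assertion condition, message and location, the ASan error kind, faulting address and access type, the symbolised frames and the SUMMARY line. FIREFOX_LOG is the report's own output with the stack trimmed; HEAP_OVERFLOW_LOG is a constructed contrast case with made-up paths and addresses. The rule in is_assertion_abort (assertion line present, then a WRITE to a near-null address) is this example's own bucketing heuristic, not something taken from Mozilla's tooling.

```python
"""Triage helper for ASan + MOZ_ASSERT logs like the one in this report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant lines of the log above, with the stack trimmed.
FIREFOX_LOG = """\
Assertion failure: nsContentUtils::IsSafeToRunScript() || mOwnerContent->OwnerDoc()->IsStaticDocument() (FrameLoader should never be initialized during document update or reflow!), at /dom/base/nsFrameLoader.cpp:2171
=================================================================
==42074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f12f1894fa1 bp 0x7ffc65cbf990 sp 0x7ffc65cbf980 T0)
==42074==The signal is caused by a WRITE memory access.
==42074==Hint: address points to the zero page.
    #0 0x7f12f1894fa1 in nsFrameLoader::AssertSafeToInit() /dom/base/nsFrameLoader.cpp:2168:3
    #1 0x7f12f1884f51 in nsFrameLoader::MaybeCreateDocShell() /dom/base/nsFrameLoader.cpp:2183:3
    #2 0x7f12f1886259 in nsFrameLoader::GetDocShell(mozilla::ErrorResult&) /dom/base/nsFrameLoader.cpp:833:19
    #3 0x7f12f1897182 in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsSubDocumentFrame*) /dom/base/nsFrameLoader.cpp:2507:40
    #43 0x189148b41da8 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dom/base/nsFrameLoader.cpp:2168:3 in nsFrameLoader::AssertSafeToInit()
==42074==ABORTING
"""

# Constructed contrast case: a genuine sanitizer error with no assertion (paths/addresses made up).
HEAP_OVERFLOW_LOG = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x55d0c0ffedff bp 0x7ffd2e3b4a10 sp 0x7ffd2e3b4a08
READ of size 4 at 0x602000000018 thread T0
    #0 0x55d0c0ffedff in read_one /tmp/example.c:12:10
    #1 0x55d0c0ffee80 in main /tmp/example.c:20:3
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/example.c:12:10 in read_one
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+?)(?: \((?P<msg>[^()]*)\))?, at (?P<file>[^:\s]+):(?P<line>\d+)$", re.M)
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?", re.M)
ACCESS_RE = re.compile(r"^(?:==\d+==The signal is caused by a )?(?P<access>READ|WRITE)(?: memory access| of size \d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>/\S+)$", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (?P<loc>\S+) in .+$", re.M)

NEAR_NULL_LIMIT = 0x1000  # nothing in the first page is a legitimate heap or stack access


@dataclass
class Assertion:
    condition: str
    message: Optional[str]
    file: str
    line: int


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class CrashReport:
    assertion: Optional[Assertion]
    kind: Optional[str]       # ASan error kind: SEGV, heap-buffer-overflow, ...
    address: Optional[int]    # faulting address, when ASan printed one
    access: Optional[str]     # "READ" or "WRITE"
    frames: List[Frame]
    summary_location: Optional[str]

    def is_assertion_abort(self) -> bool:
        """Heuristic (assumed, not Mozilla's): an assertion line followed by a WRITE to a
        near-null address is the assertion's own deliberate crash, so bucket by assertion."""
        return (self.assertion is not None and self.access == "WRITE"
                and self.address is not None and self.address < NEAR_NULL_LIMIT)

    def signature(self, depth: int = 3) -> str:
        """Bucketing key: the top symbolised function names with argument lists stripped."""
        return "|".join(f.function.split("(", 1)[0] for f in self.frames[:depth])

    def triage_line(self) -> str:
        if self.is_assertion_abort():
            a = self.assertion
            return f"[assertion] {a.file}:{a.line}: {a.message or a.condition}"
        where = self.frames[0].function if self.frames else "?"
        addr = f"0x{self.address:x}" if self.address is not None else "?"
        return f"[asan] {self.kind} {self.access} at {addr} in {where}"


def parse_crash_log(text: str) -> CrashReport:
    a, e = ASSERT_RE.search(text), ERROR_RE.search(text)
    acc, s = ACCESS_RE.search(text), SUMMARY_RE.search(text)
    return CrashReport(
        assertion=Assertion(a["cond"], a["msg"], a["file"], int(a["line"])) if a else None,
        kind=e["kind"] if e else None,
        address=int(e["addr"], 16) if e and e["addr"] else None,
        access=acc["access"] if acc else None,
        frames=[Frame(int(m["n"]), m["func"], m["loc"]) for m in FRAME_RE.finditer(text)],
        summary_location=s["loc"] if s else None,
    )


if __name__ == "__main__":
    for log in (FIREFOX_LOG, HEAP_OVERFLOW_LOG):
        report = parse_crash_log(log)
        print(report.triage_line(), "->", report.signature())
```

Run stand-alone it prints one triage line per log: the report above buckets under the assertion at nsFrameLoader.cpp:2171 (the SEGV on address 0x1 is the assertion's abort path, matching the "address points to the zero page" hint), while the constructed overflow buckets under the sanitizer error and its top frame. That split is what decides whether a fuzz report is routed as a correctness regression, as this one was, or held for a security rating first.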
Comment 1•2 years ago (Reporter)

Comment 2•2 years ago
Verified bug as reproducible on mozilla-central 20221221212123-1de20be14b0d.
The bug appears to have been introduced in the following build range:
Start: f75c79d52f563f19c2baa22d60341564a9d31546 (20220810094530)
End: 7b0258915ecac013d6446e8990bccf78dd205f23 (20220810114632)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f75c79d52f563f19c2baa22d60341564a9d31546&tochange=7b0258915ecac013d6446e8990bccf78dd205f23
Comment 3•2 years ago

I got a crash: https://crash-stats.mozilla.org/report/index/788dc43f-e8bc-4dd0-9b6a-c2da20221222#tab-bugzilla
Comment 4•2 years ago

Layout has a script blocker at an unexpected time: https://searchfox.org/mozilla-central/rev/e6b709df9b93858364f02ab89f40d78762693db8/layout/base/PresShell.cpp#4413
Or rather, that is in a reasonable place, but I guess RestyleManager::DoProcessPendingRestyles triggering reflow is unexpected.
HandlePostedReflowCallbacks should be called without a script blocker.
Comment 5•2 years ago

Comment 6•2 years ago
Set release status flags based on info from the regressing bug 1778989
Comment 7•2 years ago

Comment 8•2 years ago
Backed out for causing wpt failures in container-queries/auto-scrollbars.html
Comment 11•2 years ago
Tweak reflow callback set-up to deal with container query reentrancy. r=smaug
https://hg.mozilla.org/integration/autoland/rev/b896cfc402ff22ce77749a78c42c1d15c868944d
https://hg.mozilla.org/mozilla-central/rev/b896cfc402ff
Bug 1806905, 1797752: apply code formatting via Lando
https://hg.mozilla.org/integration/autoland/rev/b0a9b9fd9d4f509a9eb83356376a8bf96f4bba10
https://hg.mozilla.org/mozilla-central/rev/b0a9b9fd9d4f
Comment 12•2 years ago
Verified bug as fixed on rev mozilla-central 20221230044034-3aeca13c7e9e.