1810260 - layout/base/nsLayoutUtils.cpp:9476:49: runtime error: member call on null pointer of type 'mozilla::dom::SVGViewportElement'

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230112-ee5d2c307738 (--enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

/builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9476:49: runtime error: member call on null pointer of type 'mozilla::dom::SVGViewportElement'
    #0 0x7f60c4a74efd in ComputeSVGReferenceRect /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9476:49
    #1 0x7f60c4a74efd in nsLayoutUtils::ComputeGeometryBox(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9579:16
    #2 0x7f60c509c5e9 in nsCSSRendering::GetImageLayerClip(nsStyleImageLayers::Layer const&, nsIFrame*, nsStyleBorder const&, nsRect const&, nsRect const&, bool, int, nsCSSRendering::ImageLayerClipState*) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:2036:23
    #3 0x7f60c4c7ecb0 in ComputeClipForMaskItem /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3031:9
    #4 0x7f60c4c7ecb0 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:21
    #5 0x7f60c4bf6202 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4292:12
    #6 0x7f60c4b4e774 in nsContainerFrame::BuildDisplayListForNonBlockChildren(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:384:5
    #7 0x7f60c4efd867 in mozilla::SVGOuterSVGAnonChildFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:976:3
    #8 0x7f60c4c7b531 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3464:5
    #9 0x7f60c4bf6202 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4292:12
    #10 0x7f60c4b4e774 in nsContainerFrame::BuildDisplayListForNonBlockChildren(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:384:5
    #11 0x7f60c4efc368 in mozilla::SVGOuterSVGFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:737:5
    #12 0x7f60c4c7b531 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3464:5
    #13 0x7f60c4bf6202 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4292:12
    #14 0x7f60c4b4e774 in nsContainerFrame::BuildDisplayListForNonBlockChildren(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:384:5
    #15 0x7f60c4ccdf3a in BuildDisplayListForInline /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.h:565:5
    #16 0x7f60c4ccdf3a in nsInlineFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:213:3
    #17 0x7f60c4bf68b1 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4327:14
    #18 0x7f60c4b39825 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7059:13
    #19 0x7f60c4b37ffe in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7214:9
    #20 0x7f60c4bf68b1 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4327:14
    #21 0x7f60c4b39825 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7059:13
    #22 0x7f60c4b37ffe in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7214:9
    #23 0x7f60c4c7b531 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3464:5
    #24 0x7f60c4bf6202 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4292:12
    #25 0x7f60c4b41984 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:584:5
    #26 0x7f60c4bf68b1 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4327:14
    #27 0x7f60c4bfb561 in mozilla::ScrollFrameHelper::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4311:15
    #28 0x7f60c4bf68b1 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4327:14
    #29 0x7f60c4af9f6e in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:66:3
    #30 0x7f60c4c7b531 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3464:5
    #31 0x7f60c4a475ab in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3386:15
    #32 0x7f60c4954d88 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6462:5
    #33 0x7f60c41d4a6d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
    #34 0x7f60c41d420b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
    #35 0x7f60c41d613a in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
    #36 0x7f60c48c9b14 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2806:11
    #37 0x7f60c48d6296 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #38 0x7f60c48d6296 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
    #39 0x7f60c48d5ffe in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #40 0x7f60c48d5d85 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
    #41 0x7f60c48d501f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
    #42 0x7f60c48d4271 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
    #43 0x7f60c48d3a8b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
    #44 0x7f60c48d3628 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
    #45 0x7f60c34ab1ec in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #46 0x7f60c39181bf in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #47 0x7f60c373c9e6 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8716:32
    #48 0x7f60bd0d49b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #49 0x7f60bd0d1b0d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #50 0x7f60bd0d26de in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #51 0x7f60bd0d390e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #52 0x7f60bb938259 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #53 0x7f60bb92f077 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #54 0x7f60bb92c2f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #55 0x7f60bb92ca20 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #56 0x7f60bb93e361 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #57 0x7f60bb93e361 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #58 0x7f60bb9614c4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #59 0x7f60bb96b8b4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:473:10
    #60 0x7f60bd0dc5be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #61 0x7f60bcf5baf7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #62 0x7f60bcf5baf7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #63 0x7f60bcf5baf7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #64 0x7f60c42cc899 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #65 0x7f60c9252908 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #66 0x7f60bcf5baf7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #67 0x7f60bcf5baf7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #68 0x7f60bcf5baf7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #69 0x7f60c925209f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #70 0x55ed919ba4d4 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #71 0x55ed919ba997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #72 0x7f60dde42d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #73 0x7f60dde42e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #74 0x55ed918f8f58 in _start (/home/user/workspace/browsers/m-c-20230113213947-fuzzing-asan-opt/firefox+0x111f58) (BuildId: 4c3b45179460421de0ad9bd64e2f6c39b4437d9d)

Comment 1

[Mayank Bansal]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/a3a5a915-e4ff-411e-9d1b-c33da0230114

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230113234514-9af5d0877b6b.
The bug appears to have been introduced in the following build range:

Start: 81a8708bee340477c90f184bd655c91976ce3e61 (20221213184342)
End: bb2aa25a23c94067ac66cfdc0b360f13c61d8425 (20221213184635)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=81a8708bee340477c90f184bd655c91976ce3e61&tochange=bb2aa25a23c94067ac66cfdc0b360f13c61d8425

Comment 3

[Ting-Yu Lin [:TYLin] (UTC-8)]

Bug 1805095 is the only bug related to SVG in the pushlog range. Robert, any ideas?

Comment 4

[Robert Longson [:longsonr]]

Presumably the patch allows some pre-existing issue to be triggered in a new way.

All it does is treat white-space="pre-line" the same as style="white-space:pre-line;"

Can the testcase be modified to look like that and the regression range rerun?

Comment 5

[Robert Longson [:longsonr]]

Attachment: Bug 1810260 - Stop nsLayoutUtils::ComputeGeometryBox crashing if no viewport is found r=emilio

Comment 6

[Pulsebot]

Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/a933b10d29f4
Stop nsLayoutUtils::ComputeGeometryBox crashing if no viewport is found r=emilio

Comment 7

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/a933b10d29f4

Comment 8

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230122211034-4ffae7ad22de.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:longsonr, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox110 to wontfix.

For more information, please visit auto_nag documentation.

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:longsonr, if possible, could you fill the Regressed by field?

For more information, please visit auto_nag documentation.

Comment 11

[Robert Longson [:longsonr]]

I don't know, rather depends on the answer to comment 4. This patch is wallpaper, really this code path should not be called with display: contents SVG but I don't know what caused that to happen.

Comment 12

[Robert Longson [:longsonr]]

Can you look at comment 4 please Tyson?

Comment 13

[Tyson Smith [:tsmith]]

jkratzer: Will bugmon get a regression range after the issue is closed, if we update the test case?

Comment 14

[Jason Kratzer [:jkratzer]]

(In reply to Tyson Smith [:tsmith] from comment #13)

jkratzer: Will bugmon get a regression range after the issue is closed, if we update the test case?

It won't since the bug is marked as closed. The only thing bugmon will do is verify that the fix does in fact correct the issue. I'll run the bisection locally.

Comment 15

[Jason Kratzer [:jkratzer]]

I'm unable to reproduce the issue using the in-line style style="white-space:pre-line".

Comment 16

[Robert Longson [:longsonr]]

Comment on attachment 9313442 [details]
Bug 1810260 - Stop nsLayoutUtils::ComputeGeometryBox crashing if no viewport is found r=emilio

Beta/Release Uplift Approval Request

• User impact if declined: The testcase crashes. I imagine this will be rare in practice.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce: run the testcase in the bug, the tab will crash.
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Small patch to avoid dereferencing a null pointer.
• String changes made/needed: none
• Is Android affected?: Unknown

Comment 17

[Pascal Chevrel:pascalc]

Comment on attachment 9313442 [details]
Bug 1810260 - Stop nsLayoutUtils::ComputeGeometryBox crashing if no viewport is found r=emilio

Approved for 110 beta 6, thanks.

Comment 18

[Pascal Chevrel:pascalc]

https://hg.mozilla.org/releases/mozilla-beta/rev/cc51ef1f7f94