1825623 - Hit MOZ_CRASH(unexpected frame type) at /layout/base/nsCSSFrameConstructor.cpp:8030

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 5aa2b55eb19b (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5aa2b55eb19b --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(unexpected frame type) at /layout/base/nsCSSFrameConstructor.cpp:8030

    =================================================================
    ==128476==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f1ed5b82720 bp 0x7ffd1b03d060 sp 0x7ffd1b03ce40 T0)
    ==128476==The signal is caused by a WRITE memory access.
    ==128476==Hint: address points to the zero page.
        #0 0x7f1ed5b82720 in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /layout/base/nsCSSFrameConstructor.cpp:8030:5
        #1 0x7f1ed5ccc8b8 in nsBlockFrame::SplitFloat(mozilla::BlockReflowState&, nsIFrame*, nsReflowStatus const&) /layout/generic/nsBlockFrame.cpp:4900:42
        #2 0x7f1ed5c4e601 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /layout/generic/BlockReflowState.cpp:959:13
        #3 0x7f1ed5cb220d in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowState&, mozilla::OverflowAreas&) /layout/generic/nsBlockFrame.cpp:6897:16
        #4 0x7f1ed5cac7e9 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1464:3
        #5 0x7f1ed5ce364d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:890:14
        #6 0x7f1ed5ce7654 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /layout/generic/nsColumnSetFrame.cpp:694:7
        #7 0x7f1ed5cec22d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1239:37
        #8 0x7f1ed5cc75e4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /layout/generic/nsBlockReflowContext.cpp:290:11
        #9 0x7f1ed5cbfd20 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4062:11
        #10 0x7f1ed5cbcd4b in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3406:5
        #11 0x7f1ed5cb4096 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2923:9
        #12 0x7f1ed5cac954 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1484:3
        #13 0x7f1ed5ce364d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:890:14
        #14 0x7f1ed5ce23f2 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:755:7
        #15 0x7f1ed5ce364d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:890:14
        #16 0x7f1ed5d6c492 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:940:3
        #17 0x7f1ed5d6dd68 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:1073:3
        #18 0x7f1ed5d746d8 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1520:3
        #19 0x7f1ed5c9bf26 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:930:14
        #20 0x7f1ed5c9b54c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:385:7
        #21 0x7f1ed5ac7bc1 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9625:11
        #22 0x7f1ed5b02ff7 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9803:22
        #23 0x7f1ed5ad8c3b in DoFlushLayout /layout/base/PresShell.cpp:9874:10
        #24 0x7f1ed5ad8c3b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4351:11
        #25 0x7f1ecf9d0927 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10769:16
        #26 0x7f1ece4276de in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #27 0x7f1ece42a379 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #28 0x7f1ed94e408a in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13849:23
        #29 0x7f1ecca6ad22 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #30 0x7f1ecca6d6b4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #31 0x7f1ecf9d84b1 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11550:18
        #32 0x7f1ecf9887de in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11488:9
        #33 0x7f1ecf9b11f4 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8026:3
        #34 0x7f1ecfa91d1a in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #35 0x7f1ecfa91d1a in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14
        #36 0x7f1ecfa91d1a in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14
        #37 0x7f1ecfa91d1a in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14
        #38 0x7f1ecfa91d1a in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14
        #39 0x7f1ecfa91d1a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #40 0x7f1ecfa91d1a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #41 0x7f1ecc69900f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #42 0x7f1ecc6ad239 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:553:16
        #43 0x7f1ecc6a35cc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:867:26
        #44 0x7f1ecc6a0898 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:698:15
        #45 0x7f1ecc6a0fb1 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
        #46 0x7f1ecc6b3111 in operator() /xpcom/threads/TaskController.cpp:188:37
        #47 0x7f1ecc6b3111 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #48 0x7f1ecc6d7a1e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #49 0x7f1ecc6e1f94 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #50 0x7f1ecdec47de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #51 0x7f1ecdd42687 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #52 0x7f1ecdd42687 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #53 0x7f1ecdd42687 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #54 0x7f1ed542d5c9 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #55 0x7f1eda409868 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #56 0x7f1ecdd42687 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #57 0x7f1ecdd42687 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #58 0x7f1ecdd42687 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #59 0x7f1eda408fff in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #60 0x55f9323de504 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #61 0x55f9323de9c7 in main /browser/app/nsBrowserApp.cpp:353:18
        #62 0x7f1eef429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #63 0x7f1eef429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #64 0x55f93231cf88 in _start (/home/jkratzer/builds/m-c-20230328041913-fuzzing-asan-opt/firefox+0x112f88) (BuildId: 9da4b70695591c74a0f8d458a9ae68c0ef406e22)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /layout/base/nsCSSFrameConstructor.cpp:8030:5 in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool)
    ==128476==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230330214245-9754c55103ef.
The bug appears to have been introduced in the following build range:

Start: 4a92205e0d4075884895f244e8b7e2dec304925b (20230327211143)
End: 68cd13be1b19bbde298613f9623727a13d204689 (20230327191609)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4a92205e0d4075884895f244e8b7e2dec304925b&tochange=68cd13be1b19bbde298613f9623727a13d204689

Comment 3

[Mayank Bansal]

https://crash-stats.mozilla.org/report/index/2a078ef7-9fc0-45bf-9d7f-fb6bb0230331

Comment 4

[Timothy Nikkel (:tnikkel)]

The unknown frametype is file control frame, so seems like bug 1824667.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

:emilio, since you are the author of the regressor, bug 1824667, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1824667

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1825623 - Restore nsFileControlFrame fragmentation behavior. r=jfkthame,TYLin,#layout

Use QueryFrame instead of a new frame type to check for
nsFileControlFrame for frame construction.

Comment 8

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4a13bf07d9cd
Restore nsFileControlFrame fragmentation behavior. r=TYLin

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/39463 for changes under testing/web-platform/tests

Comment 10

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/4a13bf07d9cd

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230411092751-25045b498bff.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox113 to wontfix.

For more information, please visit auto_nag documentation.

Comment 14

[Emilio Cobos Álvarez (:emilio)]

Comment on attachment 9327818 [details]
Bug 1825623 - Restore nsFileControlFrame fragmentation behavior. r=jfkthame,TYLin,#layout

Beta/Release Uplift Approval Request

• User impact if declined: crash
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: none
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Restores pre-regression behavior.
• String changes made/needed: none
• Is Android affected?: No

Comment 15

[Pascal Chevrel:pascalc]

Comment on attachment 9327818 [details]
Bug 1825623 - Restore nsFileControlFrame fragmentation behavior. r=jfkthame,TYLin,#layout

Approved for 113 beta 3, thanks.

Comment 16

[Pascal Chevrel:pascalc]

https://hg.mozilla.org/releases/mozilla-beta/rev/0fc2dbb6cb0a