Closed Bug 1829256 Opened 1 year ago Closed 1 year ago

use-after-poison in [@ Contains]

Categories

(Core :: Layout: Block and Inline, defect)

Tracking

VERIFIED FIXED
118 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fixed

People

(Reporter: tsmith, Assigned: boris)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:confirmed,bisected][adv-main118-])

Attachments

(1 file, 2 obsolete files)

Attached file testcase.html (obsolete) —

Found while fuzzing m-c 20230418-b57f595130ac (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==53023==ERROR: AddressSanitizer: use-after-poison on address 0x6250002aafe4 at pc 0x7fcdc443bebc bp 0x7ffd41ef0b00 sp 0x7ffd41ef0af8
READ of size 2 at 0x6250002aafe4 thread T0 (Isolated Web Co)
    #0 0x7fcdc443bebb in Contains /builds/worker/checkouts/gecko/layout/generic/nsLineBox.h:437:12
    #1 0x7fcdc443bebb in nsLineIterator::FindLineContaining(nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:555:15
    #2 0x7fcdc424317e in nsIFrame::GetFrameFromDirection(nsDirection, mozilla::EnumSet<mozilla::PeekOffsetOption, unsigned char> const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:9488:28
    #3 0x7fcdc424240e in nsFrameSelection::GetPrevNextBidiLevels(nsIContent*, unsigned int, mozilla::CaretAssociationHint, bool) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:985:21
    #4 0x7fcdc42420fc in nsFrameSelection::GetPrevNextBidiLevels(nsIContent*, unsigned int, bool) const /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:941:10
    #5 0x7fcdc3ff6555 in nsCaret::GetCaretFrameForNodeOffset(nsFrameSelection*, nsIContent*, int, mozilla::CaretAssociationHint, mozilla::intl::BidiEmbeddingLevel, nsIFrame**, int*) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:719:28
    #6 0x7fcdc3ff5f01 in nsCaret::GetFrameAndOffset(mozilla::dom::Selection const*, nsINode*, int, int*, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:387:10
    #7 0x7fcdc3ff7860 in nsCaret::GetGeometry(mozilla::dom::Selection const*, nsRect*) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:395:21
    #8 0x7fcdbf9de77b in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:442:21
    #9 0x7fcdbf9e8a60 in OnQueryEditorRect /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:2623:17
    #10 0x7fcdbf9e8a60 in mozilla::ContentEventHandler::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:1285:12
    #11 0x7fcdbfa9c658 in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:660:25
    #12 0x7fcdbf98a3d3 in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1091:22
    #13 0x7fcdbf98831d in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:644:5
    #14 0x7fcdc3f30ae7 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8228:39
    #15 0x7fcdc3f2803f in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8197:17
    #16 0x7fcdc3f28e13 in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7944:7
    #17 0x7fcdc3f24b49 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6969:12
    #18 0x7fcdc3f23041 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6887:23
    #19 0x7fcdc340ff8b in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:678:18
    #20 0x7fcdc340fb3e in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1149:9
    #21 0x7fcdc34a5ce9 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:351:37
    #22 0x7fcdc344b232 in mozilla::ContentCacheInChild::CacheEditorRect(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:202:12
    #23 0x7fcdc34affa3 in NotifyIMEOfPositionChange /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:869:7
    #24 0x7fcdc34affa3 in mozilla::widget::PuppetWidget::NotifyIME(mozilla::widget::TextEventDispatcher*, mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:1136:14
    #25 0x7fcdc34dc73c in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/TextEventDispatcher.cpp:486:40
    #26 0x7fcdc343ce77 in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:1894:43
    #27 0x7fcdbfa99446 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/checkouts/gecko/dom/events/IMEStateManager.cpp:2144:22
    #28 0x7fcdbfaae3f9 in mozilla::IMEContentObserver::IMENotificationSender::SendPositionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:2017:3
    #29 0x7fcdbfaaaeca in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1745:7
    #30 0x7fcdc3e6c191 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2521:13
    #31 0x7fcdc3e82ddc in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #32 0x7fcdc3e82ddc in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
    #33 0x7fcdc3e82ade in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #34 0x7fcdc3e82751 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
    #35 0x7fcdc3e819d6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
    #36 0x7fcdc3e80594 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
    #37 0x7fcdc3e7fb9d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #38 0x7fcdc3e7f715 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
    #39 0x7fcdc225c40b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #40 0x7fcdc2816b54 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #41 0x7fcdc25ebdad in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8767:32
    #42 0x7fcdb9e31435 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #43 0x7fcdb9e2cdac in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #44 0x7fcdb9e2e19a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #45 0x7fcdb9e2f743 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #46 0x7fcdb821d32a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
    #47 0x7fcdb820e07a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
    #48 0x7fcdb820af77 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
    #49 0x7fcdb820b85f in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
    #50 0x7fcdb8222a51 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
    #51 0x7fcdb8222a51 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #52 0x7fcdb824e6cb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
    #53 0x7fcdb825c164 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #54 0x7fcdb9e3bc4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #55 0x7fcdb9c668ea in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #56 0x7fcdb9c668ea in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #57 0x7fcdb9c668ea in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #58 0x7fcdc354ce09 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #59 0x7fcdc94f63f8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
    #60 0x7fcdb9c668ea in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #61 0x7fcdb9c668ea in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #62 0x7fcdb9c668ea in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #63 0x7fcdc94f5abe in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
    #64 0x5598821bdb4e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #65 0x5598821bdb4e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #66 0x7fcddee29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #67 0x7fcddee29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #68 0x5598820e76f8 in _start (/home/user/workspace/browsers/m-c-20230420160012-fuzzing-asan-opt/firefox+0x1066f8) (BuildId: 2dc3c5bd5a09c1350a0fd981e0afd40ad4deb5cf)

0x6250002aafe4 is located 1764 bytes inside of 8192-byte region [0x6250002aa900,0x6250002ac900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x55988217fabe in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fcdb81f05bf in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7fcdc409b114 in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7fcdc409b114 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7fcdc409b114 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7fcdc42648b1 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:284:32
    #6 0x7fcdc42648b1 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:276:12
    #7 0x7fcdc42648b1 in operator new /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:227:1
    #8 0x7fcdc42648b1 in NS_NewHTMLScrollFrame(mozilla::PresShell*, mozilla::ComputedStyle*, bool) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:223:10
    #9 0x7fcdc3fbb3ee in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4239:22
    #10 0x7fcdc3fc4c5c in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4552:48
    #11 0x7fcdc3fc6d21 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3769:16
    #12 0x7fcdc3fcf5d7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
    #13 0x7fcdc3faf676 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
    #14 0x7fcdc3fb1262 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9797:3
    #15 0x7fcdc3fc7b83 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3897:9
    #16 0x7fcdc3fcf5d7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
    #17 0x7fcdc3faf676 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
    #18 0x7fcdc3fb1262 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9797:3
    #19 0x7fcdc3fba5db in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10649:3
    #20 0x7fcdc3fc47b4 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4603:3
    #21 0x7fcdc3fc6d21 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3769:16
    #22 0x7fcdc3fcf5d7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
    #23 0x7fcdc3faf676 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
    #24 0x7fcdc3fb1262 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9797:3
    #25 0x7fcdc3fba5db in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10649:3
    #26 0x7fcdc3fc47b4 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4603:3
    #27 0x7fcdc3fc6d21 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3769:16
    #28 0x7fcdc3fcf5d7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
    #29 0x7fcdc3faf676 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
    #30 0x7fcdc3fb1262 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9797:3
    #31 0x7fcdc3fba5db in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10649:3
    #32 0x7fcdc3fb64f8 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:2558:5
    #33 0x7fcdc3fd51a7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6882:9
    #34 0x7fcdc3ee8281 in mozilla::PresShell::Initialize() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1839:26
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230420212414-b109fa8d1c86.
The bug appears to have been introduced in the following build range:

Start: b800c8fae7e34c74fec3bbcbde0e2cb892e8ad3d (20230306230634)
End: 6540301e0260407e35b383e1539f2a4558a8e9f8 (20230307012540)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b800c8fae7e34c74fec3bbcbde0e2cb892e8ad3d&tochange=6540301e0260407e35b383e1539f2a4558a8e9f8

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Emilio, looks like you either wrote or reviewed all the non-wpt, non-test-only, non-frontend patches in the pushlog in comment #1 - can you take a look? :-)

Flags: needinfo?(emilio)

Bug 1820071 made offset-path: ray(-911832865.61grad); valid, but it should be reproducible before that with offset-path: ray(-911832865.61grad closest-side);. Any chance of a bisection with that tweak?

Flags: needinfo?(emilio) → needinfo?(jkratzer)
Attached file testcase.html (obsolete) —
Attachment #9329607 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisect,confirmed]

The bug appears to have been introduced in the following build range:

Start: e43939ccc33a9fa15af1ab22e83083a955fa68ac (20230222210555)
End: 0ffdce32d6278f756e3855de73c002f91745c2dc (20230222223528)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e43939ccc33a9fa15af1ab22e83083a955fa68ac&tochange=0ffdce32d6278f756e3855de73c002f91745c2dc

Whiteboard: [bugmon:bisect,confirmed] → [bugmon:confirmed,bisected]

Based on the regression range in comment 5, and the * { columns: ...} in the testcase (triggering nested multicolumn layout), that means this was probably a regression from bug 1816574.

Regressed by: 1816574

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Flags: needinfo?(aethanyc)

Set release status flags based on info from the regressing bug 1816574

Tyson found framepoisoning addresses in the pernosco session (mFrames is a poisoned address). But then why doesn't it crash in a release nightly?

Tyson and mcc8 hit an assertion in debug builds that appears related, that talked about running past the end of the line.

Flags: needinfo?(dholbert)

The testcase in comment 4 does crash on Nightly (2023-05-04) on my Linux machine, but it only crashes < 10% of the time.

When loading in my local debug build, the testcase causes an infinite loop. I'm seeing log output like the following non-stop.

[Child 12994, Main Thread] ###!!! ASSERTION: Computed overflow area must contain frame bounds: 'aNewSize.width == 0 || aNewSize.height == 0 || r->width == nscoord_MAX || r->height == nscoord_MAX || HasAnyStateBits(NS_FRAME_SVG_LAYOUT) || r->Contains(nsRect(nsPoint(0, 0), aNewSize))', file /home/aethanyc/Projects/gecko/layout/generic/nsIFrame.cpp:9984
nsBlockReflowContext: ColumnSetWrapper(nav)(7)@7f43ed2c79b0 metrics=51742522,1089305582!
nsLineLayout: HTMLVideo(video)(1)@7f43ed2c7c18 metrics=1089323582,51751522!
nsBlockReflowContext: ColumnSet(nav)(0)@7f43ed2c7040 metrics=1923,1089305582!
[Child 12994, Main Thread] ###!!! ASSERTION: non-root frame's desired size changed during an incremental reflow: '(isRoot && size.BSize(wm) == NS_UNCONSTRAINEDSIZE) || (desiredSize.ISize(wm) == size.ISize(wm) && desiredSize.BSize(wm) == size.BSize(wm))', file /home/aethanyc/Projects/gecko/layout/base/PresShell.cpp:9646
nsBlockReflowContext: ColumnSetWrapper(nav)(1)@7f43ed2c7200 metrics=51742522,1089305582!
nsBlockReflowContext: ColumnSetWrapper(nav)(3)@7f43ed2c7490 metrics=51742522,1089305582!
Severity: -- → S3
Flags: needinfo?(dholbert)

(In reply to Daniel Veditz [:dveditz] from comment #10)
> Tyson found framepoisoning addresses in the pernosco session (mFrames is a poisoned address). But then why doesn't it crash in a release nightly?

Comment 11 answers that -- it does crash release Nightly some of the time, and there's just some variable timing involved at some level that impacts whether it reproduces or not.

(Triaging as S3 given that this is mitigated by frame poisoning)
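The report at the top of this bug is an ASAN "use-after-poison ... inside of 8192-byte region" rather than a "heap-use-after-free" because Gecko frames live in an arena (the allocation stack ends in ArenaAllocator<8192>::AllocateChunk) and a freed frame is poisoned in place instead of being returned to malloc; the S3 triage above rests on that same frame poisoning as the mitigation. The following is an added C example, not Gecko code: a miniature arena that, on free, fills the slot with a poison pattern and, when built with AddressSanitizer, also marks it no-access through __asan_poison_memory_region. The 8192-byte chunk mirrors the report; the 64-byte frame size, the Frame struct and the 0xE5 poison byte are assumptions for illustration (Gecko's real poison value is a pointer into a deliberately reserved, inaccessible region, so dereferencing it faults).

```c
/* Added example, not Gecko code: a miniature frame arena showing why a freed
 * frame is reported as use-after-poison (ASAN) and why a stale frame pointer
 * may or may not crash a release build. Sizes and poison byte are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define MAKE_NOACCESS(p, n)   __asan_poison_memory_region((p), (n))
#  define MAKE_ACCESSIBLE(p, n) __asan_unpoison_memory_region((p), (n))
#else
#  define MAKE_NOACCESS(p, n)   ((void)0)
#  define MAKE_ACCESSIBLE(p, n) ((void)0)
#endif

enum { CHUNK_SIZE = 8192, FRAME_SIZE = 64, MAX_FRAMES = CHUNK_SIZE / FRAME_SIZE };
#define POISON_BYTE 0xE5  /* assumption; Gecko uses an address inside a reserved page */

typedef struct Arena {
  uint8_t chunk[CHUNK_SIZE];   /* one chunk, like ArenaAllocator<8192> */
  size_t  used;
  void   *free_list[MAX_FRAMES];
  size_t  free_count;
} Arena;

typedef struct Frame {
  struct Frame *next;          /* sibling pointer a line walker follows */
  uint16_t      type;          /* a 2-byte field, like the "READ of size 2" above */
  uint8_t       pad[FRAME_SIZE - sizeof(struct Frame *) - sizeof(uint16_t)];
} Frame;

void arena_init(Arena *a) { a->used = 0; a->free_count = 0; }

void *arena_alloc(Arena *a) {
  void *p;
  if (a->free_count > 0) {     /* recycle a freed slot first */
    p = a->free_list[--a->free_count];
    MAKE_ACCESSIBLE(p, FRAME_SIZE);
  } else {
    if (a->used + FRAME_SIZE > CHUNK_SIZE) return NULL;
    p = a->chunk + a->used;
    a->used += FRAME_SIZE;
  }
  memset(p, 0, FRAME_SIZE);
  return p;
}

void arena_free(Arena *a, void *p) {
  /* The slot never goes back to malloc, so ASAN alone would not notice a later
   * read. Fill it with poison so any stale pointer field points nowhere useful,
   * then mark it no-access so ASAN reports use-after-poison on any touch. */
  memset(p, POISON_BYTE, FRAME_SIZE);
  MAKE_NOACCESS(p, FRAME_SIZE);
  a->free_list[a->free_count++] = p;
}

/* Inspect freed bytes without tripping ASAN; the bug itself is the raw read in main(). */
static int bytes_all_poison(const void *p, size_t n) {
  const uint8_t *b = (const uint8_t *)p;
  int ok = 1;
  MAKE_ACCESSIBLE(p, n);
  for (size_t i = 0; i < n; i++) if (b[i] != POISON_BYTE) ok = 0;
  MAKE_NOACCESS(p, n);
  return ok;
}

/* 1 if a freed frame is entirely poison and its sibling pointer is the poison pattern. */
int freed_frame_is_poisoned(void) {
  Arena a; arena_init(&a);
  Frame *f = arena_alloc(&a);
  f->type = 7;
  arena_free(&a, f);
  uintptr_t poison_ptr; memset(&poison_ptr, POISON_BYTE, sizeof poison_ptr);
  int all = bytes_all_poison(f, FRAME_SIZE);
  MAKE_ACCESSIBLE(f, FRAME_SIZE);   /* peek at one field for the check only */
  int ptr_ok = (uintptr_t)f->next == poison_ptr;
  MAKE_NOACCESS(f, FRAME_SIZE);
  return all && ptr_ok;
}

/* 1 if a freed slot is handed out again zeroed: once that happens a stale pointer
 * reads plausible data, one reason such bugs crash only some of the time. */
int reuse_returns_zeroed_slot(void) {
  Arena a; arena_init(&a);
  Frame *f = arena_alloc(&a);
  f->type = 7;
  arena_free(&a, f);
  Frame *g = arena_alloc(&a);
  return g == f && g->type == 0 && g->next == NULL;
}

int main(void) {
  Arena a; arena_init(&a);
  Frame *f = arena_alloc(&a);
  f->type = 7;
  arena_free(&a, f);
  /* Dangling read, like Contains() walking a freed line's frames: an ASAN build
   * aborts here with use-after-poison; a plain build prints the poison pattern. */
  printf("type after free: 0x%04x\n", f->type);
  return 0;
}
```

Compiled plainly, the dangling read in main() prints 0xe5e5; compiled with -fsanitize=address the same read aborts with a use-after-poison report like the one above, because the slot was poisoned with __asan_poison_memory_region rather than freed through malloc. reuse_returns_zeroed_slot shows the other side of the coin: once the slot is handed out again, a stale pointer reads valid-looking data and nothing crashes, which is one reason a bug like this reproduces only intermittently in release builds.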

Set release status flags based on info from the regressing bug 1816574

Group: layout-core-security

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20230418213511-b57f595130ac) but not with tip (mozilla-central 20230804211014-8b506ab41451).

The bug appears to have been fixed in the following build range:

Start: 61d2e733a10cda7402d3a793706f79bf2b197497 (20230803175553)
End: 8527a2500a35867e4319772e3be1f2756dfcfced (20230803191036)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61d2e733a10cda7402d3a793706f79bf2b197497&tochange=8527a2500a35867e4319772e3be1f2756dfcfced

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(aethanyc) → needinfo?(twsmith)
Keywords: bugmon

I am no longer able to reproduce the issue.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → boris.chiou
Depends on: 1846817
Target Milestone: --- → 118 Branch

Based on the range & the updates, it looks like we're suspecting bug 1846817 would've fixed this.

However, that bug simply changed the initial value for offset-position. If we update the testcase to manually specify offset-position:auto (restoring the value that we were getting automatically, before that patch landed), then presumably the bug would still reproduce...

Tyson, could you see if this still reproduces with this updated version of the testcase? I suspect it should.

Flags: needinfo?(twsmith)
Attachment #9348925 - Attachment description: testcase 2: same as original but with explicit `offset-position:auto` → testcase 2: same as the previous one, with explicit `offset-position:auto` added

Using the new test case I could reproduce the issue with 20230801-8e6d6287c0af (after a few refreshes) but I could not reproduce the issue with 20230814-a5bcd3edffd7.

Thoughts?

Flags: needinfo?(twsmith) → needinfo?(dholbert)

Interesting. Is it easy to get bugmon to bisect when that one became fixed? (or to confirm whether the fix range matches comment 16)?

I didn't think that bug 1846817 (the supposed fix) was supposed to impact behavior when offset-position:auto was manually specified, but it's possible I misunderstood/forgot.

Flags: needinfo?(dholbert) → needinfo?(twsmith)

(Boris, does it make sense to you that bug 1846817 would have produced a behavioral difference in a testcase like comment 18's testcase 2 that explicitly sets *{offset-position:auto}?

Flags: needinfo?(boris.chiou)

(In reply to Daniel Holbert [:dholbert] from comment #21)
> (Boris, does it make sense to you that bug 1846817 would have produced a behavioral difference in a testcase like comment 18's testcase 2 that explicitly sets *{offset-position:auto}?

I just changed the default value in bug 1846817 (so yes, the behavior is different).

Your updated test makes sense to me. We have to explicitly set offset-position:auto in the test. This may be a good hint for this bug as well.

Flags: needinfo?(boris.chiou)

So we have to check this bug again with testcase 2.

Thanks! We did, I think (comment 19) and it apparently is still fixed. So: tyson, putting bugmon on finding a fix-range for testcase 2 would indeed be helpful. If it turns up the same fix-range as in comment 16, then that would be surprising to me and I think to Boris.

Hmm I'm not sure bugmon supports multiple test cases in that manner. That would be a question for Jason.

Flags: needinfo?(twsmith) → needinfo?(jkratzer)

If it's easiest bugmon-wise, we could just obsolete your testcase and rename my testcase to "testcase.html" or whatever is necessary to make bugmon happy to bisect a fix range (again). :)

Comment on attachment 9330380 [details]
testcase.html

Oh yep that works. Let me get that going...

Attachment #9330380 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
Comment on attachment 9348925 [details]
testcase 2: same as the previous one, with explicit `offset-position:auto` added

> <style>
> * {
>   columns: 463002844.45ch ! important;
>   border-block-start-style: groove;
>   padding-inline: 3439889097% 1734363043% !important;
>   writing-mode: vertical-rl;
>   padding-block: 257955692.19rem 1556357883%;
>   offset-position: auto;
>   offset-path: ray(-911832865.61grad closest-side);
>   transform: skewY(0) perspective(61296149.29cm) rotateX(-840881230.15turn) matrix3d(1, 231, 32, 55, -56, 1.5617783523981084, 100, -2350.2257804862784, 27.592627817369223, -119, 106, 205, 32, 177, -29, 192);
>   content-visibility: auto;
> }
> </style>
> <nav contenteditable>
> <nav></nav>
> <nav></nav>
> <nav></nav>
> <nav></nav>
> <slot>
> <video autofocus controls src="">
> </nav>
> <nav dir="rtl">
Attachment #9348925 - Attachment filename: testcase2.html → testcase.html
Keywords: bugmon
Whiteboard: [bugmon:confirmed,bisected] → [bugmon:confirmed,bisect]

Verified bug as fixed on rev mozilla-central 20230814214038-27c67d619752.

Status: RESOLVED → VERIFIED

The bug appears to have been fixed in the following build range:

Start: b19ed5a6579d312e71c03201698107835378c612 (20230808212319)
End: 4abb9ce2fb8e4174171b3478d6f28b78bf3f214a (20230808212709)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b19ed5a6579d312e71c03201698107835378c612&tochange=4abb9ce2fb8e4174171b3478d6f28b78bf3f214a

Whiteboard: [bugmon:confirmed,bisect] → [bugmon:confirmed,bisected]

(In reply to Daniel Holbert [:dholbert] from comment #24)
> Thanks! We did, I think (comment 19) and it apparently is still fixed. So: tyson, putting bugmon on finding a fix-range for testcase 2 would indeed be helpful. If it turns up the same fix-range as in comment 16, then that would be surprising to me and I think to Boris.

Sorry for the late response here. In order to have bugmon pick up the other testcase, you will need to obsolete the original testcase. The filename itself doesn't matter. You will also likely have to reset the whiteboard so that it runs again.

Whiteboard: [bugmon:confirmed,bisected] → [bugmon:confirmed,bisected][adv-main118-]
Keywords: bugmon