Closed Bug 1832449 Opened 2 years ago Closed 2 years ago

crash near null in [@ _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..deref..Deref$GT$::deref]

Categories

(Core :: Disability Access APIs, defect, P1)

Tracking

Status: VERIFIED FIXED
Target Milestone: 115 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- unaffected
firefox115 + verified

People

(Reporter: tsmith, Assigned: morgan)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20230509-a5468e749653 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

#0 0x7f7b66142271 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..deref..Deref$GT$::deref::h76ba97fd269cd868 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:1139:20
#1 0x7f7b66142271 in style::gecko_properties::_$LT$impl$u20$style..gecko_bindings..structs..root..ServoComputedData$GT$::get_box::h14c8d111ce6ac781 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/gecko_properties.rs:579:9
#2 0x7f7b66142271 in style::properties::_$LT$impl$u20$style..gecko_properties..ComputedValues$GT$::clone_overflow_x::h80aadd06a38ab638 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/properties.rs:66845:14
#3 0x7f7b66142271 in style::properties::_$LT$impl$u20$style..gecko_properties..ComputedValues$GT$::computed_or_resolved_declaration::h24ddb18a01f48750 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/properties.rs:74417:51
#4 0x7f7b650f8ab5 in geckoservo::glue::computed_or_resolved_value::h6a25ac593a51d228 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:6919:13
#5 0x7f7b5bb146b7 in GetComputedPropertyValue /builds/worker/workspace/obj-build/dist/include/mozilla/ComputedStyle.h:69:5
#6 0x7f7b5bb146b7 in nsAccessibilityService::NotifyOfComputedStyleChange(mozilla::PresShell*, nsIContent*) /builds/worker/checkouts/gecko/accessible/base/nsAccessibilityService.cpp:545:15
#7 0x7f7b579500b0 in nsIFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1159:19
#8 0x7f7b575e5b22 in SetComputedStyle /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:813:7
#9 0x7f7b575e5b22 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3739:11
#10 0x7f7b5767be65 in ReparentFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:352:22
#11 0x7f7b5767be65 in ReparentFrames /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:362:5
#12 0x7f7b5767be65 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9894:3
#13 0x7f7b5763ff5f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9839:5
#14 0x7f7b576490cb in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10649:3
#15 0x7f7b576532a4 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4603:3
#16 0x7f7b57655811 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3769:16
#17 0x7f7b5765e0c7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
#18 0x7f7b5763e166 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
#19 0x7f7b57668761 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6714:3
#20 0x7f7b575d634d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1555:27
#21 0x7f7b575e29f4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3179:9
#22 0x7f7b57592de8 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3264:3
#23 0x7f7b57592de8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4343:39
#24 0x7f7b574fc803 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#25 0x7f7b574fc803 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2624:22
#26 0x7f7b57511aac in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#27 0x7f7b57511aac in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#28 0x7f7b575117ae in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#29 0x7f7b57511421 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#30 0x7f7b575106a6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#31 0x7f7b5750f264 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#32 0x7f7b5750e86d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#33 0x7f7b5750e3e5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#34 0x7f7b558d424b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#35 0x7f7b55e903e4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#36 0x7f7b55c65284 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8771:32
#37 0x7f7b4d477cb5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#38 0x7f7b4d47362c in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#39 0x7f7b4d474a1a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#40 0x7f7b4d475fc3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#41 0x7f7b4b84c15a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#42 0x7f7b4b83ceaa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#43 0x7f7b4b839da7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#44 0x7f7b4b83a68f in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#45 0x7f7b4b851881 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#46 0x7f7b4b851881 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#47 0x7f7b4b87d4fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#48 0x7f7b4b88af94 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#49 0x7f7b4d4824ce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#50 0x7f7b4d2ac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#51 0x7f7b4d2ac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#52 0x7f7b4d2ac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#53 0x7f7b56bd8309 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x7f7b5cb997b8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#55 0x7f7b4d2ac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#56 0x7f7b4d2ac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#57 0x7f7b4d2ac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#58 0x7f7b5cb98e7e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#59 0x56359fac973e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x56359fac973e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#61 0x7f7b72229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#62 0x7f7b72229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#63 0x56359f9f2d58 in _start (/home/user/workspace/browsers/m-c-20230510213701-fuzzing-asan-opt/firefox+0x107d58) (BuildId: 1a6107a3fe794b68d29433eba1f4d947c1c8bb25)

Flags: in-testsuite?
Attached file prefs.js

prefs.js file for bugmon

frame->Style() can return null. We null check for other properties, but not for overflow.

Flags: needinfo?(mreschenberg)
Keywords: regression
Regressions: 1825611
Regressed by: 1825611
No longer regressions: 1825611
Severity: -- → S2
Priority: -- → P1

Set release status flags based on info from the regressing bug 1825611

frame->Style() can't return null, but frame might be null

Please don't use GetComputedPropertyValue if you have a ComputedStyle handy? You have nsStyleDisplay::OverflowIsVisibleInBothAxis which seems exactly what you want and is more efficient.
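As an added illustration, not code from Gecko or from this bug's patch, the following C++ models the two points raised in the comments above: the frame returned by a content lookup can be null and must be checked before its computed style is queried, and the overflow test can use an OverflowIsVisibleInBothAxis-style helper on the style data instead of a string property lookup. All struct names, the notifier and the sample content are constructed stand-ins; only the OverflowIsVisibleInBothAxis name comes from the page.

```cpp
// Added example (not Gecko code): minimal model of the null-frame crash in
// this bug and of the hardened shape after "verify frame exists before
// querying computed style". Names are constructed stand-ins.
#include <cstdio>
#include <optional>

enum class Overflow { Visible, Hidden, Scroll, Auto };

// Stand-in for nsStyleDisplay; the helper name is the one suggested in the
// review comment, its body is constructed here.
struct StyleDisplay {
  Overflow overflowX = Overflow::Visible;
  Overflow overflowY = Overflow::Visible;
  bool OverflowIsVisibleInBothAxis() const {
    return overflowX == Overflow::Visible && overflowY == Overflow::Visible;
  }
};

// Stand-in for ComputedStyle: style data is already resolved, so no string
// property lookup (GetComputedPropertyValue-style) is needed.
struct ComputedStyle {
  StyleDisplay display;
  const StyleDisplay* StyleDisplayData() const { return &display; }
};

// Stand-in for nsIFrame: a frame always owns a style (Style() is non-null).
struct Frame {
  ComputedStyle style;
  const ComputedStyle* Style() const { return &style; }
};

// Stand-in for nsIContent: the primary frame may legitimately be absent.
struct Content {
  Frame* primaryFrame = nullptr;
  Frame* GetPrimaryFrame() const { return primaryFrame; }
};

// Pre-fix shape: dereferences the frame lookup without a check. Calling it
// with frameless content is the null deref seen in the reported stack.
bool OverflowVisibleUnchecked(const Content& content) {
  const Frame* frame = content.GetPrimaryFrame();
  return frame->Style()->StyleDisplayData()->OverflowIsVisibleInBothAxis();
}

// Post-fix shape: nullopt means "no frame, nothing to query".
std::optional<bool> OverflowVisibleChecked(const Content& content) {
  const Frame* frame = content.GetPrimaryFrame();
  if (!frame) {
    return std::nullopt;
  }
  return frame->Style()->StyleDisplayData()->OverflowIsVisibleInBothAxis();
}

// Constructed stand-in for the accessibility service hook: counts how many
// overflow-change events it would fire and how many notifications it skipped
// because the content had no frame yet.
struct A11yNotifier {
  int overflowChangeEvents = 0;
  int skippedNoFrame = 0;

  void NotifyOfComputedStyleChange(const Content& content) {
    std::optional<bool> visible = OverflowVisibleChecked(content);
    if (!visible.has_value()) {
      ++skippedNoFrame;  // frame not constructed: safe early return
      return;
    }
    if (!*visible) {
      ++overflowChangeEvents;  // overflow is clipped/scrollable in some axis
    }
  }
};

int main() {
  Frame hiddenFrame;
  hiddenFrame.style.display.overflowX = Overflow::Hidden;
  Content withFrame{&hiddenFrame};  // constructed: has a frame
  Content noFrame{};                // constructed: no frame yet

  A11yNotifier notifier;
  notifier.NotifyOfComputedStyleChange(withFrame);
  notifier.NotifyOfComputedStyleChange(noFrame);
  std::printf("events=%d skipped=%d\n", notifier.overflowChangeEvents,
              notifier.skippedNoFrame);
  return 0;
}
```

The unchecked function is kept only to show the pre-fix shape; the notifier routes every call through the checked variant so frameless content is skipped rather than dereferenced.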

Verified bug as reproducible on mozilla-central 20230511040639-da13ef752e22.
The bug appears to have been introduced in the following build range:

Start: a7a328c86d5bab5e73de7abf526304c96addccc3 (20230508201033)
End: cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991 (20230508213519)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7a328c86d5bab5e73de7abf526304c96addccc3&tochange=cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991

Whiteboard: [bugmon:bisected,confirmed]

The bug is marked as tracked for firefox115 (nightly). However, the bug still isn't assigned.

:fgriffith, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(fgriffith)
Assignee: nobody → mreschenberg
Flags: needinfo?(fgriffith)

It looks like this is showing up on Nightly Fenix as [@ style::gecko_properties::<T>::box_ptr ]

I looked at a couple of crashes, and they were all null derefs with nsAccessibilityService::NotifyOfComputedStyleChange in the stack.

bp-2a75ea6e-5a8c-4d47-afcf-0c3ea0230514

Crash Signature: [@ style::gecko_properties::<T>::box_ptr ]

It looks like it is also showing up in higher volume as [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref ] on Fenix and Firefox.

Fenix: bp-9a20e1de-23b6-4487-bd4d-37f2d0230515
Firefox: bp-71d53dc7-d32e-49ab-b706-d847b0230512

Crash Signature: [@ style::gecko_properties::<T>::box_ptr ] → [@ style::gecko_properties::<T>::box_ptr ] [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref ]

The bug is linked to topcrash signatures, which match the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash
Pushed by mreschenberg@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8b6e154c789c Verify frame exists before querying computed style r=nlapre
Flags: needinfo?(mreschenberg)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

Verified bug as fixed on rev mozilla-central 20230517094542-85d90852b1c5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Here's one more signature of this.

Crash Signature: [@ style::gecko_properties::<T>::box_ptr ] [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref ] → [@ style::gecko_properties::<T>::box_ptr] [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref] [@ style::gecko_bindings::structs::root::ServoComputedData::box_ptr]
See Also: → 1833924
Duplicate of this bug: 1833924

Copying crash signatures from duplicate bugs.

Crash Signature: [@ style::gecko_properties::<T>::box_ptr] [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref] [@ style::gecko_bindings::structs::root::ServoComputedData::box_ptr] → [@ style::gecko_properties::<T>::box_ptr] [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref] [@ style::gecko_bindings::structs::root::ServoComputedData::box_ptr] [@ style::properties::generated::gecko::<T>::box_ptr]