1835370 - Assertion failure: mStart == kAutoLine || mEnd > mStart (invalid line range), at /layout/generic/nsGridContainerFrame.cpp:478 (in fuzzer testcase with grid and popover)

Status: NEW

(Core :: Layout: Grid, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev d49f009b89ad (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build d49f009b89ad --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mStart == kAutoLine || mEnd > mStart (invalid line range), at /layout/generic/nsGridContainerFrame.cpp:478

    ==96861==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fabeb5ab515 bp 0x7ffcf5979be0 sp 0x7ffcf5979be0 T96861)
    ==96861==The signal is caused by a WRITE memory access.
    ==96861==Hint: address points to the zero page.
        #0 0x7fabeb5ab515 in nsGridContainerFrame::LineRange::AdjustAbsPosForRemovedTracks(nsTArray<unsigned int> const&) /layout/generic/nsGridContainerFrame.cpp:478:7
        #1 0x7fabeb5b4b93 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /layout/generic/nsGridContainerFrame.cpp:4927:14
        #2 0x7fabeb5b2269 in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /layout/generic/nsGridContainerFrame.cpp:4495:3
        #3 0x7fabeb5b4292 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /layout/generic/nsGridContainerFrame.cpp:4785:14
        #4 0x7fabeb5b2269 in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /layout/generic/nsGridContainerFrame.cpp:4495:3
        #5 0x7fabeb5b4292 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /layout/generic/nsGridContainerFrame.cpp:4785:14
        #6 0x7fabeb5b2269 in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /layout/generic/nsGridContainerFrame.cpp:4495:3
        #7 0x7fabeb5b4292 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /layout/generic/nsGridContainerFrame.cpp:4785:14
        #8 0x7fabeb5c9381 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGridContainerFrame.cpp:8614:12
        #9 0x7fabeb53e169 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:893:14
        #10 0x7fabeb53d5b5 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:755:7
        #11 0x7fabeb53e169 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:893:14
        #12 0x7fabeb587c1e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:937:3
        #13 0x7fabeb58893e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:1070:3
        #14 0x7fabeb58d29c in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1507:3
        #15 0x7fabeb50e327 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:933:14
        #16 0x7fabeb50dacf in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:385:7
        #17 0x7fabeb407c52 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9643:11
        #18 0x7fabeb42c08f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9821:22
        #19 0x7fabeb41111b in DoFlushLayout /layout/base/PresShell.cpp:9892:10
        #20 0x7fabeb41111b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4360:11
        #21 0x7fabe788499e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
        #22 0x7fabe788499e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10855:16
        #23 0x7fabe6ce3a8e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #24 0x7fabe6ce4e87 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #25 0x7fabecb2410f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13848:23
        #26 0x7fabe5f761ff in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #27 0x7fabe5f77720 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #28 0x7fabe788994c in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11643:18
        #29 0x7fabe7870569 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8114:3
        #30 0x7fabe79166e9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #31 0x7fabe79166e9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
        #32 0x7fabe79166e9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
        #33 0x7fabe79166e9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
        #34 0x7fabe79166e9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
        #35 0x7fabe79166e9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #36 0x7fabe79166e9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #37 0x7fabe5d59852 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #38 0x7fabe5d64317 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
        #39 0x7fabe5d5f51a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
        #40 0x7fabe5d5dff7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:702:15
        #41 0x7fabe5d5e375 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
        #42 0x7fabe5d678c6 in operator() /xpcom/threads/TaskController.cpp:218:37
        #43 0x7fabe5d678c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #44 0x7fabe5d7dc5a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1240:16
        #45 0x7fabe5d8427d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #46 0x7fabe69cfde5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #47 0x7fabe68f1751 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #48 0x7fabe68f1751 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #49 0x7fabeb057758 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #50 0x7fabed2ac3cb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:724:20
        #51 0x7fabe69d0c96 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #52 0x7fabe68f1751 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #53 0x7fabe68f1751 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #54 0x7fabed2abc92 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:659:34
        #55 0x55b659f9c7a6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #56 0x55b659f9c7a6 in main /browser/app/nsBrowserApp.cpp:375:18
        #57 0x7fabf9629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #58 0x7fabf9629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #59 0x55b659f73a28 in _start (/home/jkratzer/builds/m-c-20230526040655-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 088286da3f865fe4abd3877a445ec08e07fcc006)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsGridContainerFrame.cpp:478:7 in nsGridContainerFrame::LineRange::AdjustAbsPosForRemovedTracks(nsTArray<unsigned int> const&)
    ==96861==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230526215433-fc6056442a0f.
The bug appears to have been introduced in the following build range:

Start: 57b39eab64606b74c842eea85329799f81f6b6ce (20230322181158)
End: 3009f8659153ed85d556927f05a53934b4f69d35 (20230322194956)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=57b39eab64606b74c842eea85329799f81f6b6ce&tochange=3009f8659153ed85d556927f05a53934b4f69d35

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Comment 4

[Donal Meehan [:dmeehan]]

:dholbert could this be triaged for severity?
I'm not sure which patch in the pushlog in Comment 2 introduced it

Comment 5

[Daniel Holbert [:dholbert]]

RE regression / regression-range: the testcase uses the .popover attribute. So in the push range, that points to bug 180884 as the only popover-related thing.

From the perspective of this testcase, that patch was just introducing a new way to get fixed-position descendants, I think. So I'd bet that a variant of this testcase would reproduce this in earlier builds as well?

Also, popover is off by default, though I'll bet we have it enabled for fuzzing, maybe? (jkratzer, can you confirm whether we have that explicitly turned on for this fuzzing run?)

In the meantime, I think this is likely S3, and the pernosco-wanted-triggered recording will hopefully help us learn more.

Comment 6

[Daniel Holbert [:dholbert]]

(restoring ni=me to take a look one we have a pernosco recording)

Comment 7

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 8

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 9

[Jason Kratzer [:jkratzer]]

(In reply to Daniel Holbert [:dholbert] from comment #5)

Also, popover is off by default, though I'll bet we have it enabled for fuzzing, maybe? (jkratzer, can you confirm whether we have that explicitly turned on for this fuzzing run?)

Yes, this was enabled about two months ago in https://github.com/MozillaSecurity/prefpicker/commit/f9ced6805c13ebef4c1b0415d7d14f347b39362c.

Comment 10

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20230526040655-d49f009b89ad) but not with tip (mozilla-central 20231222213932-8989af6649bf.)

The bug appears to have been fixed in the following build range:

Start: a63bafb44df0811c56c57b1fadd1c10261fd8c3e (20231219233048)
End: 9ac6d461916454c17cd8c7dfc7f73401ef3da12a (20231220020601)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a63bafb44df0811c56c57b1fadd1c10261fd8c3e&tochange=9ac6d461916454c17cd8c7dfc7f73401ef3da12a

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[Jason Kratzer [:jkratzer]]

:dholbert, can you confirm if this was fixed via bug 1800563 or bug 1870906?