Closed Bug 1849898 Opened 1 year ago Closed 1 year ago

crash near null in [@ nsRefreshDriver::EvaluateMediaQueriesAndReportChanges]

Categories

(Core :: Layout, defect)

defect

Tracking


VERIFIED FIXED
118 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox116 --- unaffected
firefox117 --- unaffected
firefox118 --- verified

People

(Reporter: tsmith, Assigned: dholbert)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230819-00ae001484c9 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

NOTE: This test case uses window.printPreview() which is only available in fuzzing builds.

==8508==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7ff105f1cb3f bp 0x7ffd5f3919d0 sp 0x7ffd5f391920 T0)
==8508==The signal is caused by a READ memory access.
==8508==Hint: address points to the zero page.
    #0 0x7ff105f1cb3f in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27
    #1 0x7ff105f1cb3f in operator mozilla::dom::Document * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:338:12
    #2 0x7ff105f1cb3f in Document /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:266:12
    #3 0x7ff105f1cb3f in nsRefreshDriver::EvaluateMediaQueriesAndReportChanges() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1602:40
    #4 0x7ff105f255ec in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2689:7
    #5 0x7ff105f3b98c in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:358:13
    #6 0x7ff105f3b98c in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
    #7 0x7ff105f3b66e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:5
    #8 0x7ff105f3b2e1 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:965:5
    #9 0x7ff105f3a4ee in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
    #10 0x7ff105f3904b in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:735:5
    #11 0x7ff105f386d2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:577:14
    #12 0x7ff105f38285 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:534:9
    #13 0x7ff1042427eb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #14 0x7ff10486d44c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #15 0x7ff10461069d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8670:32
    #16 0x7ff0fbce13d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
    #17 0x7ff0fbcdcd5f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
    #18 0x7ff0fbcde199 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
    #19 0x7ff0fbcdf713 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
    #20 0x7ff0fa0acb8a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
    #21 0x7ff0fa0971a8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
    #22 0x7ff0fa093bb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
    #23 0x7ff0fa094499 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
    #24 0x7ff0fa0b4631 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
    #25 0x7ff0fa0b4631 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #26 0x7ff0fa0dee03 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #27 0x7ff0fa0ecc04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #28 0x7ff0fbcea92e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #29 0x7ff0fbb14c3a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #30 0x7ff0fbb14c3a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #31 0x7ff0fbb14c3a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #32 0x7ff1055e5959 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #33 0x7ff10b2f776e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:722:20
    #34 0x7ff0fbb14c3a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #35 0x7ff0fbb14c3a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #36 0x7ff0fbb14c3a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #37 0x7ff10b2f6d09 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:34
    #38 0x560777ea729e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #39 0x560777ea729e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #40 0x7ff121c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #41 0x7ff121c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #42 0x560777dd08d8 in _start (/home/user/workspace/browsers/m-c-20230821094309-fuzzing-asan-opt/firefox+0x1068d8) (BuildId: 292687f20d2b22b4e9815a3cffd9aca834f893ce)

Verified bug as reproducible on mozilla-central 20230823155856-c3bfc7b73e9f.
The bug appears to have been introduced in the following build range:

Start: 3ba3d3cb9bb7860efcbb623d34fc5d721fc7cfcb (20230816094547)
End: dc9f0909aa3974dbbbab60cea669fb1b2f2b937d (20230816094038)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3ba3d3cb9bb7860efcbb623d34fc5d721fc7cfcb&tochange=dc9f0909aa3974dbbbab60cea669fb1b2f2b937d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Likely a regression from bug 1451717, given comment 1.

Blocks: 1451717

Looks like the proximal issue is that mPresContext is nullptr here:
https://searchfox.org/mozilla-central/rev/08d53deb2cf587e68d1825082c955e8a1926be73/layout/base/nsRefreshDriver.cpp#1594-1602

// https://drafts.csswg.org/cssom-view/#evaluate-media-queries-and-report-changes
void nsRefreshDriver::EvaluateMediaQueriesAndReportChanges() {
  if (!mMightNeedMediaQueryListenerUpdate) {
    return;
  }
  mMightNeedMediaQueryListenerUpdate = false;
  AUTO_PROFILER_LABEL_RELEVANT_FOR_JS(
      "Evaluate media queries and report changes", LAYOUT);
  RefPtr<Document> doc = mPresContext->Document();  // frame #3 of the ASan trace: mPresContext is null here

That probably means nsRefreshDriver::Disconnect() has been called. Presumably we should just null-check mPresContext here.

We use mPresContext in Tick()'s call to EvaluateMediaQueriesAndReportChanges(),
but it's apparently possible for this pointer to have been nulled out as part
of handling events, earlier in Tick(). So, the code in
EvaluateMediaQueriesAndReportChanges() needs to check this pointer before using
it.

Note that Tick() itself has a null-check for this same mPresContext pointer,
shortly after its call to EvaluateMediaQueriesAndReportChanges(). So, it's
reasonable to be suspicious that it could be null a little earlier, within
EvaluateMediaQueriesAndReportChanges(), as well.

Assignee: nobody → dholbert
Status: NEW → ASSIGNED
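As an added illustration of the ordering problem described in the two comments above (not Gecko code): a small C++ model in which a tick runs event handlers that can call Disconnect() before EvaluateMediaQueriesAndReportChanges() touches mPresContext, and the null check from the fix turns the crash into a skipped evaluation. The class and member names mirror the report, but Document, PresContext, RefreshDriver and TickOnce are constructed stand-ins.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Stand-ins for Gecko's Document / nsPresContext (constructed for this example).
struct Document { int mediaQueryEvaluations = 0; };
struct PresContext { std::shared_ptr<Document> mDoc; };

class RefreshDriver {
 public:
  explicit RefreshDriver(PresContext* aCtx) : mPresContext(aCtx) {}
  // Like nsRefreshDriver::Disconnect(): severs the driver from its pres context.
  void Disconnect() { mPresContext = nullptr; }
  void ScheduleMediaQueryUpdate() { mMightNeedMediaQueryListenerUpdate = true; }
  void AddEventHandler(std::function<void()> aHandler) { mHandlers.push_back(aHandler); }

  // One tick: run queued event handlers first (they may Disconnect() us), then
  // evaluate media queries. Returns true if the evaluation actually ran.
  bool Tick() {
    for (auto& handler : mHandlers) handler();
    mHandlers.clear();
    return EvaluateMediaQueriesAndReportChanges();
  }

 private:
  bool EvaluateMediaQueriesAndReportChanges() {
    if (!mMightNeedMediaQueryListenerUpdate) return false;
    mMightNeedMediaQueryListenerUpdate = false;
    // The fix: before it, mPresContext->mDoc was read unconditionally and
    // crashed on a null mPresContext once a handler had disconnected us.
    if (!mPresContext) return false;
    std::shared_ptr<Document> doc = mPresContext->mDoc;
    if (doc) doc->mediaQueryEvaluations++;
    return true;
  }
  PresContext* mPresContext;
  bool mMightNeedMediaQueryListenerUpdate = false;
  std::vector<std::function<void()>> mHandlers;
};

// Runs one tick with a pending media-query update. If aDisconnectDuringEvents is
// set, an event handler run earlier in that same tick disconnects the driver,
// which is the sequence the report describes (mPresContext nulled mid-Tick()).
bool TickOnce(bool aDisconnectDuringEvents) {
  PresContext ctx{std::make_shared<Document>()};
  RefreshDriver driver(&ctx);
  driver.ScheduleMediaQueryUpdate();
  if (aDisconnectDuringEvents) driver.AddEventHandler([&driver] { driver.Disconnect(); });
  return driver.Tick();  // false when disconnected (evaluation skipped), true otherwise
}
```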

:dholbert, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.

Flags: needinfo?(dholbert)

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:dholbert, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(dholbert)
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/df03b35a9a9e Null-check the refresh driver's mPresContext before using it to reevaluate media queries. r=emilio
No longer blocks: 1451717
Flags: needinfo?(dholbert)
Regressed by: 1451717
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch

Verified bug as fixed on rev mozilla-central 20230824214839-6089e7f0fa57.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon