Closed Bug 1850191 Opened 1 year ago Closed 1 year ago

crash at [@ServoComputedData::StyleDisplay]

Categories: Core :: Disability Access APIs, defect

Status: VERIFIED FIXED
Target Milestone: 119 Branch

Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 119+ fixed
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [fixed by 1851787][adv-main119+r][adv-ESR115.4+r])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230824-6089e7f0fa57 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox --repeat 20 --no-harness testcase.html

This test case is a bit tricky but I am usually able to reproduce within 10 attempts. Enabling a11y might be required and I've only successfully triggered this on Windows.

==11996==ERROR: AddressSanitizer: access-violation on unknown address 0x040467d454ab (pc 0x7fff7bae1e0d bp 0x00542a7f88b0 sp 0x00542a7f8560 T0)
==11996==The signal is caused by a READ memory access.
    #0 0x7fff7bae1e0c in ServoComputedData::StyleDisplay /builds/worker/checkouts/gecko/layout/style/nsStyleStructList.h:46
    #1 0x7fff7bae1e0c in mozilla::ComputedStyle::StyleDisplay /builds/worker/checkouts/gecko/layout/style/nsStyleStructList.h:46
    #2 0x7fff7bae1e0c in nsIFrame::StyleDisplay /builds/worker/checkouts/gecko/layout/style/nsStyleStructList.h:46
    #3 0x7fff7bae1e0c in nsIFrame::StyleDisplayWithOptionalParam /builds/worker/checkouts/gecko/layout/style/nsStyleStructList.h:46
    #4 0x7fff7bae1e0c in nsIFrame::IsAbsolutelyPositioned /builds/worker/checkouts/gecko/layout/generic/nsIFrameInlines.h:77
    #5 0x7fff7bae1e0c in mozilla::PresShell::FrameNeedsReflow(class nsIFrame *, enum mozilla::IntrinsicDirty, enum nsFrameState, enum mozilla::ReflowRootHandling) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:2725
    #6 0x7fff7c0c2579 in nsTextFrame::CharacterDataChanged(struct CharacterDataChangeInfo const &) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4424
    #7 0x7fff7bbf666e in nsCSSFrameConstructor::CharacterDataChanged(class nsIContent *, struct CharacterDataChangeInfo const &) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7723
    #8 0x7fff7bb00b00 in mozilla::PresShell::CharacterDataChanged(class nsIContent *, struct CharacterDataChangeInfo const &) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4425
    #9 0x7fff747fbc6c in mozilla::dom::MutationObservers::NotifyCharacterDataChanged::<lambda_2>::operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:128
    #10 0x7fff747fbc6c in Notify /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:99
    #11 0x7fff747fbc6c in mozilla::dom::MutationObservers::NotifyCharacterDataChanged(class nsIContent *, struct CharacterDataChangeInfo const &) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:128
    #12 0x7fff7448ef7b in mozilla::dom::CharacterData::SetTextInternal(unsigned int, unsigned int, char16_t const *, unsigned int, bool, struct CharacterDataChangeInfo::Details *) /builds/worker/checkouts/gecko/dom/base/CharacterData.cpp:334
    #13 0x7fff744921fa in mozilla::dom::CharacterData::SetText(char16_t const *, unsigned int, bool) /builds/worker/checkouts/gecko/dom/base/CharacterData.cpp:525
    #14 0x7fff7bc0f776 in mozilla::dom::CharacterData::SetText /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CharacterData.h:127
    #15 0x7fff7bc0f776 in nsCounterUseNode::Calc(class nsCounterList *, bool) /builds/worker/checkouts/gecko/layout/base/nsCounterManager.cpp:62
    #16 0x7fff7bc117a0 in nsCounterNode::Calc /builds/worker/checkouts/gecko/layout/base/nsCounterManager.h:193
    #17 0x7fff7bc117a0 in nsCounterList::RecalcAll(void) /builds/worker/checkouts/gecko/layout/base/nsCounterManager.cpp:375
    #18 0x7fff7bc13c02 in nsCounterManager::RecalcAll(void) /builds/worker/checkouts/gecko/layout/base/nsCounterManager.cpp:485
    #19 0x7fff7baa7bbf in mozilla::ContainStyleScope::RecalcAllCounters(void) /builds/worker/checkouts/gecko/layout/base/ContainStyleScopeManager.cpp:31
    #20 0x7fff7baa97ec in mozilla::ContainStyleScopeManager::RecalcAllCounters(void) /builds/worker/checkouts/gecko/layout/base/ContainStyleScopeManager.cpp:161
    #21 0x7fff7bbf6d0f in nsCSSFrameConstructor::RecalcQuotesAndCounters(void) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7741
    #22 0x7fff7bafdef0 in mozilla::PresShell::DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9881
    #23 0x7fff7bafdef0 in mozilla::PresShell::DoFlushPendingNotifications(struct mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4345
    #24 0x7fff7ba62b67 in mozilla::PresShell::FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472
    #25 0x7fff7ba62b67 in nsRefreshDriver::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, enum nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2747
    #26 0x7fff7ba7c09b in mozilla::RefreshDriverTimer::TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:358
    #27 0x7fff7ba7c09b in mozilla::RefreshDriverTimer::TickRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, class nsTArray<class RefPtr<class nsRefreshDriver>> &) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336
    #28 0x7fff7ba7bcb4 in mozilla::RefreshDriverTimer::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352
    #29 0x7fff7ba7b7b5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:965
    #30 0x7fff7ba79a27 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827
    #31 0x7fff7ba7840b in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(struct mozilla::VsyncEvent const &) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:735
    #32 0x7fff7ba77a59 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread(void) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:577
    #33 0x7fff7ba7758f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(struct mozilla::VsyncEvent const &) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:534
    #34 0x7fff79f3d2ec in mozilla::dom::VsyncMainChild::RecvNotify(struct mozilla::VsyncEvent const &, float const &) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66
    #35 0x7fff7a4451ba in mozilla::dom::PVsyncChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220
    #36 0x7fff72a90340 in mozilla::ipc::PBackgroundChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6269
    #37 0x7fff729db10f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811
    #38 0x7fff729d8961 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736
    #39 0x7fff729d97fd in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536
    #40 0x7fff729d9f61 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634
    #41 0x7fff712b219e in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559
    #42 0x7fff71293e51 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886
    #43 0x7fff7128f595 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709
    #44 0x7fff71290503 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495
    #45 0x7fff712b5b01 in mozilla::TaskController::TaskController::<lambda_6>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221
    #46 0x7fff712b5b01 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
    #47 0x7fff712e5a8e in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199
    #48 0x7fff712f62f1 in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
    #49 0x7fff729e298b in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107
    #50 0x7fff728fef83 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #51 0x7fff728fef83 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #52 0x7fff728fed4a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #53 0x7fff7b0ce8cc in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #54 0x7fff7b2ed8a7 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:466
    #55 0x7fff7fc27cde in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:722
    #56 0x7fff728fef83 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #57 0x7fff728fef83 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #58 0x7fff728fed4a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #59 0x7fff7fc27298 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657
    #60 0x7ff7859b2953 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
    #61 0x7ff7859b2953 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375
    #62 0x7ff7859b169b in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #63 0x7ff785a934e7 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #64 0x7ff785a934e7 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #65 0x7fffd7d17613  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
    #66 0x7fffd8aa26b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

Flags: in-testsuite?
Component: Layout → CSS Parsing and Computation

If this was reproducible under pernosco it'd be awesome.

Keywords: pernosco-wanted

I've only been able to repro on Windows.

Tentatively triaging as S2. Emilio thinks this might be responsible for some of our weird style-struct UAF crash volume.

(If this turns out to just be frame poisoning or something not-exploitable, we can downgrade.)

Severity: -- → S2
Flags: needinfo?(emilio)

This indeed needs a11y to reproduce. On a debug build on Windows I crash with:

[0x0]   xul!AnnotateMozCrashReason+0x11   0xcb171f6ed0   0x0   
[0x1]   xul!nsLineList_iterator::operator->+0x598   0xcb171f6ed0   0x0   
[0x2]   xul!BuildTextRuns+0xe41   0xcb171f6ed0   0x0   
[0x3]   xul!nsTextFrame::EnsureTextRun+0xf92   0xcb171f6ed0   0x7ffd72f6b83e   
[0x4]   xul!nsTextFrame::GetRenderedText+0x1de   0xcb171f9480   0x7ffd744a2843   
[0x5]   xul!nsTextEquivUtils::AppendTextEquivFromTextContent+0xf3   0xcb171f97e0   0x7ffd744a2268   
[0x6]   xul!nsTextEquivUtils::AppendFromAccessible+0x248   0xcb171f98e0   0x7ffd744a1c3e   
[0x7]   xul!nsTextEquivUtils::AppendFromAccessibleChildren+0x5e   0xcb171f9a10   0x7ffd744a1ade   
[0x8]   xul!nsTextEquivUtils::GetNameFromSubtree+0x12e   0xcb171f9a90   0x7ffd744e371d   
[0x9]   xul!mozilla::a11y::HTMLLabelAccessible::NativeName+0xd   0xcb171f9b80   0x7ffd744b50e0   
[0xa]   xul!mozilla::a11y::LocalAccessible::Name+0x60   0xcb171f9bb0   0x7ffd7446fba7   
[0xb]   xul!mozilla::a11y::EventQueue::PushNameOrDescriptionChange+0x187   0xcb171f9c00   0x7ffd74471651   
[0xc]   xul!mozilla::a11y::NotificationController::QueueMutationEvent+0x281   0xcb171f9d40   0x7ffd74471d59   
[0xd]   xul!mozilla::a11y::TreeMutation::BeforeRemoval+0x69   0xcb171f9df0   0x7ffd744bdf79   
[0xe]   xul!mozilla::a11y::DocAccessible::ContentRemoved+0xb9   0xcb171f9e40   0x7ffd744b8e9f   
[0xf]   xul!mozilla::a11y::DocAccessible::ContentRemoved+0x4f   0xcb171f9ef0   0x7ffd744b8f1b   
[0x10]   xul!mozilla::a11y::DocAccessible::ContentRemoved+0xcb   0xcb171f9f90   0x7ffd744999cc   
[0x11]   xul!nsAccessibilityService::ContentRemoved+0x7c   0xcb171fa030   0x7ffd72cf0352   
[0x12]   xul!mozilla::PresShell::NativeAnonymousContentRemoved+0x82   0xcb171fa070   0x7ffd72ed08b4   
[0x13]   xul!nsIFrame::DestroyAnonymousContent+0xd4   0xcb171fa0c0   0x7ffd72d8556d   
[0x14]   xul!nsIFrame::AutoPostDestroyData::~AutoPostDestroyData+0x6d   0xcb171fa110   0x7ffd72e2a43e   
[0x15]   xul!nsIFrame::Destroy+0x56   0xcb171fa170   0x7ffd72e2a0cb   
[0x16]   xul!nsBlockFrame::DoRemoveOutOfFlowFrame+0x1ee   0xcb171fa170   0x7ffd72e2a0cb   
[0x17]   xul!nsBlockFrame::RemoveFrame+0x28b   0xcb171fa500   0x7ffd72f51c09   
[0x18]   xul!nsPlaceholderFrame::DestroyFrom+0x109   0xcb171fa8a0   0x7ffd72e69621   
[0x19]   xul!nsFrameList::DestroyFramesFrom+0x41   0xcb171fa900   0x7ffd72e0961f   
[0x1a]   xul!nsContainerFrame::DestroyFrom+0x8f   0xcb171fa950   0x7ffd72e69621   
[0x1b]   xul!nsFrameList::DestroyFramesFrom+0x41   0xcb171fa9e0   0x7ffd72e0961f   
[0x1c]   xul!nsContainerFrame::DestroyFrom+0x8f   0xcb171faa30   0x7ffd72e2bad5   
[0x1d]   xul!nsBlockFrame::DoRemoveFrameInternal+0x635   0xcb171faac0   0x7ffd72e29ed5   
[0x1e]   xul!nsBlockFrame::DoRemoveFrame+0x4a   0xcb171fabf0   0x7ffd72d63aea   
[0x1f]   xul!nsBlockFrame::RemoveFrame+0x95   0xcb171fabf0   0x7ffd72d63aea   
[0x20]   xul!nsCSSFrameConstructor::ContentRemoved+0x93a   0xcb171faf90   0x7ffd72d5edf0   
[0x21]   xul!nsCSSFrameConstructor::RecreateFramesForContent+0x2b0   0xcb171fb0c0   0x7ffd72d1ca23   
[0x22]   xul!mozilla::RestyleManager::ProcessRestyledFrames+0x253   0xcb171fb120   0x7ffd72d23909   
[0x23]   xul!mozilla::RestyleManager::DoProcessPendingRestyles+0x699   0xcb171fb760   0x7ffd72cf943b   
[0x24]   xul!mozilla::RestyleManager::ProcessPendingRestyles+0xfb   0xcb171fba80   0x7ffd72cf8561   
[0x25]   xul!mozilla::PresShell::DoFlushPendingNotifications+0x821   0xcb171fbad0   0x7ffd6f386fbf   
[0x26]   xul!mozilla::PresShell::FlushPendingNotifications+0x3a   0xcb171fbcc0   0x7ffd6f3b307a   
[0x27]   xul!mozilla::dom::Document::FlushPendingNotifications+0x2bf   0xcb171fbcc0   0x7ffd6f3b307a   
[0x28]   xul!mozilla::dom::Document::FlushPendingNotifications+0x15   0xcb171fbd30   0x7ffd6f3b6972   
[0x29]   xul!nsIContent::GetPrimaryFrame+0x4a   0xcb171fbd30   0x7ffd6f3b6972   
[0x2a]   xul!mozilla::dom::Element::GetBoundingClientRect+0xe2   0xcb171fbd80   0x7ffd706a34c5   
[0x2b]   xul!mozilla::dom::Element_Binding::getBoundingClientRect+0x95   0xcb171fbe00   0x7ffd709b6658   
[0x2c]   xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x1e8   0xcb171fbe70   0x7ffd75835493   
[0x2d]   xul!CallJSNative+0xf3   0xcb171fbf30   0x7ffd75834d60   
[0x2e]   xul!js::InternalCallOrConstruct+0x2d0   0xcb171fbfb0   0x7ffd758440dc   
[0x2f]   xul!js::CallFromStack+0x5   0xcb171fc0b0   0x7ffd75834406   
[0x30]   xul!js::Interpret+0xa09c   0xcb171fc0b0   0x7ffd75834406   
[0x31]   xul!js::RunScript+0x236   0xcb171fc5b0   0x7ffd75834d7d   
[0x32]   xul!js::InternalCallOrConstruct+0x2ed   0xcb171fc670   0x7ffd758361c3   
[0x33]   xul!js::Call+0x123   0xcb171fc770   0x7ffd74e64b3b   
[0x34]   xul!JS::Call+0x20b   0xcb171fc7d0   0x7ffd70671596   
[0x35]   xul!mozilla::dom::EventListener::HandleEvent+0x426   0xcb171fc950   0x7ffd70f4c0c7   
[0x36]   xul!mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget *>+0x127   0xcb171fcb20   0x7ffd70f4bc7c   
[0x37]   xul!mozilla::EventListenerManager::HandleEventSingleListener+0x25c   0xcb171fcdb0   0x7ffd70f4cf24   
[0x38]   xul!mozilla::EventListenerManager::HandleEventWithListenerArray+0x3f4   0xcb171fcea0   0x7ffd70f4c6ab   
[0x39]   xul!mozilla::EventListenerManager::HandleEventInternal+0x22b   0xcb171fd000   0x7ffd70f3f7f7   
[0x3a]   xul!mozilla::EventListenerManager::HandleEvent+0x9b   0xcb171fd0d0   0x7ffd70f3ee15   
[0x3b]   xul!mozilla::EventTargetChainItem::HandleEvent+0x1e7   0xcb171fd0d0   0x7ffd70f3ee15   
[0x3c]   xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x675   0xcb171fd130   0x7ffd70f4149a   
[0x3d]   xul!mozilla::EventDispatcher::Dispatch+0x135a   0xcb171fd290   0x7ffd72d75f63   
[0x3e]   xul!nsDocumentViewer::LoadComplete+0xd43   0xcb171fd710   0x7ffd743855ec   
[0x3f]   xul!nsDocShell::EndPageLoad+0x54c   0xcb171fd980   0x7ffd74384fb9   
[0x40]   xul!nsDocShell::OnStateChange+0x6d9   0xcb171fdaf0   0x7ffd6e9add71   
[0x41]   xul!nsDocLoader::DoFireOnStateChange+0x1d1   0xcb171fdbf0   0x7ffd6e9ad320   
[0x42]   xul!nsDocLoader::doStopDocumentLoad+0x1f0   0xcb171fdd10   0x7ffd6e9ab4da   
[0x43]   xul!nsDocLoader::DocLoaderIsEmpty+0x51a   0xcb171fde60   0x7ffd6e9ac768   
[0x44]   xul!nsDocLoader::OnStopRequest+0x528   0xcb171fdfb0   0x7ffd743aaae6   
[0x45]   xul!nsDocShell::OnStopRequest+0x66   0xcb171fe0d0   0x7ffd6ddfa673   
[0x46]   xul!mozilla::net::nsLoadGroup::NotifyRemovalObservers+0x153   0xcb171fe200   0x7ffd6ddfbbba   
[0x47]   xul!mozilla::net::nsLoadGroup::RemoveRequest+0x5a   0xcb171fe290   0x7ffd6f38a60d   
[0x48]   xul!mozilla::dom::Document::DoUnblockOnload+0xfd   0xcb171fe2f0   0x7ffd6f37921c   
[0x49]   xul!mozilla::dom::Document::DispatchContentLoadedEvents+0x6cc   0xcb171fe340   0x7ffd6f3ee621   
[0x4a]   xul!mozilla::detail::RunnableMethodArguments<>::apply<mozilla::dom::Document,void (mozilla::dom::Document::*)()>::<lambda_1>::operator()+0x9   0xcb171fe450   0x7ffd6dbbd84e   
[0x4b]   xul!std::invoke+0x9   0xcb171fe450   0x7ffd6dbbd84e   
[0x4c]   xul!std::_Apply_impl+0x9   0xcb171fe450   0x7ffd6dbbd84e   
[0x4d]   xul!std::apply+0x9   0xcb171fe450   0x7ffd6dbbd84e   
[0x4e]   xul!mozilla::detail::RunnableMethodArguments<>::apply+0x9   0xcb171fe450   0x7ffd6dbbd84e   
[0x4f]   xul!mozilla::detail::RunnableMethodImpl<mozilla::dom::Document *,void (mozilla::dom::Document::*)(),1,0>::Run+0x21   0xcb171fe450   0x7ffd6dbbd84e   
[0x50]   xul!mozilla::RunnableTask::Run+0x1e   0xcb171fe480   0x7ffd6dbb0f35   
[0x51]   xul!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal+0x9f5   0xcb171fe4b0   0x7ffd6dbaf1c8   
[0x52]   xul!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal+0x58   0xcb171febf0   0x7ffd6dbaf63a   
[0x53]   xul!mozilla::TaskController::ProcessPendingMTTask+0x6a   0xcb171fec80   0x7ffd6dbc0217   
[0x54]   xul!mozilla::TaskController::TaskController::<lambda_5>::operator()+0x13   0xcb171fed00   0x7ffd6dbd8577   
[0x55]   xul!mozilla::detail::RunnableFunction<`lambda at C:/moz/gecko-2/xpcom/threads/TaskController.cpp:218:7'>::Run+0x17   0xcb171fed00   0x7ffd6dbd8577   
[0x56]   xul!nsThread::ProcessNextEvent+0x7f7   0xcb171fed30   0x7ffd6dbdfac5   
[0x57]   xul!NS_ProcessNextEvent+0x45   0xcb171fef20   0x7ffd6e6ccc7a   
[0x58]   xul!mozilla::ipc::MessagePump::Run+0xca   0xcb171fef70   0x7ffd6e64f300   
[0x59]   xul!MessageLoop::RunHandler+0x50   0xcb171fefe0   0x7ffd6e64f1bf   
[0x5a]   xul!MessageLoop::Run+0x6f   0xcb171ff030   0x7ffd728a8648   
[0x5b]   xul!nsBaseAppShell::Run+0x28   0xcb171ff080   0x7ffd7298616a   
[0x5c]   xul!nsAppShell::Run+0x18a   0xcb171ff0c0   0x7ffd74ba88f9   
[0x5d]   xul!XRE_RunAppShell+0x79   0xcb171ff130   0x7ffd6e6cd4bd   
[0x5e]   xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x3d   0xcb171ff190   0x7ffd6e64f300   
[0x5f]   xul!MessageLoop::RunHandler+0x50   0xcb171ff1e0   0x7ffd6e64f1bf   
[0x60]   xul!MessageLoop::Run+0x6f   0xcb171ff230   0x7ffd74ba806b   
[0x61]   xul!XRE_InitChildProcess+0x8bb   0xcb171ff280   0x7ff6e0a4154e   
[0x62]   firefox!content_process_main+0xa9   0xcb171ff530   0x7ff6e0a4120f   
[0x63]   firefox!NS_internal_main+0x2ce   0xcb171ff530   0x7ff6e0a4120f   
[0x64]   firefox!wmain+0x20f   0xcb171ff700   0x7ff6e0ad0e38   
[0x65]   firefox!invoke_main+0x22   0xcb171ff7c0   0x7ffe16fb26ad   
[0x66]   firefox!__scrt_common_main_seh+0x10c   0xcb171ff7c0   0x7ffe16fb26ad   
[0x67]   KERNEL32!BaseThreadInitThunk+0x1d   0xcb171ff800   0x7ffe18e2aa78   
[0x68]   ntdll!RtlUserThreadStart+0x28   0xcb171ff830   0x0   

Which is hitting this assert.

Relevant call site is this.

So, I think there might be a layout bug with a stale line iterator mid frame destruction. But what a11y is doing is fairly weird. We can't compute reasonable rendered text while tearing down the frame tree...

Component: CSS Parsing and Computation → Disability Access APIs
Flags: needinfo?(emilio)
Depends on: 1851787

The other thing I noticed is that nsBlockFrame::DoRemoveOutOfFlowFrame just forgets about the DestroyFrom arguments and calls directly nsIFrame::Destroy, which is what triggers this notification because of the AutoPostDestroyData destructor. A11Y tries to walk out the out of flow frame subtree, which is still in an inconsistent state, causing this.

So there is something to fix up in layout too. Filed bug 1851787 for it.

But what a11y is doing is fairly weird. We can't compute reasonable rendered text while tearing down the frame tree...

What a11y is trying to do here is figure out whether it needs to fire a name change event on a dependent Accessible (e.g. an ancestor) due to this mutation. To do that, it has to work out whether the name is calculated from the subtree or not, which currently requires doing the calculation.

We might be able to avoid that. However, it'd be useful to know whether there's some way of us knowing whether layout is currently tearing down a frame tree. That would allow us to protect against this kind of thing a bit more defensively.

See also bug 1842943 and bug 1610088, which will both need similar solutions.

In general, poking at the frame tree in a dirty state is asking for trouble.

So let me amend my question, then. Is there a way we can ask whether the frame tree (anywhere within a given document) is dirty? Is calling nsIFrame::IsSubtreeDirty on the root frame sufficient?

I'm not sure that's enough with reflow roots.
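Constructed example in C, not Gecko code and not part of this bug: a toy frame tree whose teardown notifies an observer before the parent's child list has been repaired, mirroring the sequence the comments above describe (post-destroy notification fired from the destroy path, a11y walking a subtree that is still inconsistent). The naive observer recomputes the accessible name by walking the subtree and reaches a destroyed frame; the guarded observer checks a document-level tearing-down flag, the kind of signal asked for above, and defers the name computation until the tree is quiescent. All names, the poison constant and the exact teardown order are assumptions of the model; destroyed frames are marked rather than freed so the hazard is counted instead of crashing the process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not Gecko code. A frame tree is torn down and an
 * observer (standing in for the a11y ContentRemoved -> GetRenderedText path)
 * is notified while the tree is still inconsistent. Names, constants and
 * the teardown order are assumptions chosen to mirror the comment thread. */

#define MAX_KIDS   4
#define LIVE_MAGIC 0x46524d45u   /* 'FRME' */
#define POISON     0xDEADBEEFu   /* stand-in for a frame-poison pattern (assumption) */

typedef struct Frame {
    uint32_t magic;              /* LIVE_MAGIC while alive, POISON once destroyed */
    const char *text;            /* rendered text for leaf text frames */
    struct Frame *kids[MAX_KIDS];
    int nkids;
} Frame;

typedef struct {
    bool tearing_down;           /* the "is layout destroying frames?" flag the thread asks for */
    int unsafe_reads;            /* counted instead of dereferencing dead memory */
} Doc;

/* Walk a subtree and concatenate its rendered text (the name computation). */
static int append_subtree_text(Doc *doc, const Frame *f, char *out, size_t cap) {
    if (f->magic != LIVE_MAGIC) {            /* touched a destroyed frame */
        doc->unsafe_reads++;
        return -1;
    }
    if (f->text) strncat(out, f->text, cap - strlen(out) - 1);
    for (int i = 0; i < f->nkids; i++)
        if (append_subtree_text(doc, f->kids[i], out, cap) < 0) return -1;
    return 0;
}

typedef int (*removed_observer)(Doc *, const Frame *, char *, size_t);

/* Naive observer: recompute the ancestor's name immediately. */
static int naive_observer(Doc *doc, const Frame *ancestor, char *out, size_t cap) {
    out[0] = '\0';
    return append_subtree_text(doc, ancestor, out, cap);
}

/* Guarded observer: refuse to walk a tree that layout is mid-way through dismantling. */
static int guarded_observer(Doc *doc, const Frame *ancestor, char *out, size_t cap) {
    out[0] = '\0';
    if (doc->tearing_down) return 1;         /* caller should queue the event and retry later */
    return append_subtree_text(doc, ancestor, out, cap);
}

static void poison_subtree(Frame *f) {
    for (int i = 0; i < f->nkids; i++) poison_subtree(f->kids[i]);
    f->magic = POISON;
    f->text = NULL;
}

/* Destroy `victim` under `parent`. As in the DoRemoveOutOfFlowFrame path the
 * thread describes, the post-destroy notification fires before the parent's
 * child list has been fixed up, so the observer can still reach the victim. */
static int destroy_frame(Doc *doc, Frame *parent, Frame *victim,
                         removed_observer obs, char *out, size_t cap) {
    doc->tearing_down = true;
    poison_subtree(victim);
    int rc = obs(doc, parent, out, cap);     /* AutoPostDestroyData-style callback */
    for (int i = 0; i < parent->nkids; i++) {
        if (parent->kids[i] == victim) {
            memmove(&parent->kids[i], &parent->kids[i + 1],
                    sizeof(Frame *) * (size_t)(parent->nkids - i - 1));
            parent->nkids--;
            break;
        }
    }
    doc->tearing_down = false;
    return rc;
}

/* Build <label>Name:<span>value</span></label>, remove the span, report what happened.
 * Returns the final rc; *unsafe_reads and `name` describe the outcome.
 * Naive: -1 with one unsafe read. Guarded: 0, no unsafe reads, name "Name:". */
static int run_scenario(bool guarded, int *unsafe_reads, char *name, size_t cap) {
    Frame text  = { LIVE_MAGIC, "Name:", {0}, 0 };
    Frame inner = { LIVE_MAGIC, "value", {0}, 0 };
    Frame span  = { LIVE_MAGIC, NULL, {&inner}, 1 };
    Frame label = { LIVE_MAGIC, NULL, {&text, &span}, 2 };
    Doc doc = { false, 0 };
    int rc = destroy_frame(&doc, &label, &span,
                           guarded ? guarded_observer : naive_observer, name, cap);
    if (rc == 1) {                           /* deferred: recompute once the tree is quiescent */
        name[0] = '\0';
        rc = append_subtree_text(&doc, &label, name, cap);
    }
    *unsafe_reads = doc.unsafe_reads;
    return rc;
}
```

The design point is the one raised in the thread: the observer cannot tell a half-destroyed subtree from a healthy one by looking at the frames themselves, so the only robust fix is either to stop firing the notification from inside the destroy path or to expose a document-wide "tearing down" state the observer can consult and defer on. Whether `IsSubtreeDirty` on the root is an adequate substitute for that flag is exactly what the reply above questions for reflow roots.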

Bug 1851787 should've fixed this. I could repro a crash with a11y enabled trivially before that patch using either of the test-cases in comment 0, and they don't crash now.

Mind confirming?

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1851787
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
Group: layout-core-security → core-security-release
No longer depends on: 1851787

I can't reproduce any crash with this test case, but I'm also not sure whether it would have reproduced for me on earlier builds either.

I am no longer able to reproduce this issue. Verified with m-c 20230911-f867b611aabb. Thank you.

Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)

Thank you for asking Tyson to verify the fix, but please don't mark security bugs as a duplicate of a non-security bug. We lose track of them for advisory and bug bounty purposes, and they will be left out of the QA release verification process for security bugs. Instead we generally should make the security bug "Depend on" the non-security bug, and then mark it "FIXED" when the public bug fix lands.

Depends on: 1851787
No longer duplicate of bug: 1851787
Resolution: DUPLICATE → FIXED
Whiteboard: [fixed by 1851787]
Assignee: nobody → emilio
Target Milestone: --- → 119 Branch
Whiteboard: [fixed by 1851787] → [fixed by 1851787][adv-main119+r]
Whiteboard: [fixed by 1851787][adv-main119+r] → [fixed by 1851787][adv-main119+r][adv-ESR115.4+r]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
