Closed
Bug 1851726
Opened 1 year ago
Closed 1 year ago
crash near null in [@ mozilla::nsDisplayText::RenderToContext]
Categories
(Core :: Web Painting, defect)
Core
Web Painting
Tracking
()
VERIFIED
FIXED
119 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox117 | --- | wontfix |
| firefox118 | --- | wontfix |
| firefox119 | --- | verified |
People
(Reporter: tsmith, Assigned: jfkthame)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: pernosco, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(3 files)
Found while fuzzing m-c 20230730-9a9597eb5056 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==19714==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x7f8ab3ff017e bp 0x7ffcbea4c350 sp 0x7ffcbea4c100 T0)
==19714==The signal is caused by a READ memory access.
==19714==Hint: address points to the zero page.
#0 0x7f8ab3ff017e in operator==<mozilla::gfx::ShapedTextFlags> /builds/worker/workspace/obj-build/dist/include/mozilla/TypedEnumBits.h:81:1
#1 0x7f8ab3ff017e in IsRightToLeft /builds/worker/workspace/obj-build/dist/include/gfxFont.h:1074:70
#2 0x7f8ab3ff017e in mozilla::nsDisplayText::RenderToContext(gfxContext*, mozilla::nsDisplayListBuilder*, nsRect const&, float, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7629:50
#3 0x7f8ab3fefb0f in mozilla::nsDisplayText::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7484:3
#4 0x7f8ab3f21b60 in mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2199:11
#5 0x7f8ab3f999b1 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2267:5
#6 0x7f8ab36cafba in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3424:9
#7 0x7f8ab3fb54c7 in mozilla::GenerateAndPushTextMask(nsIFrame*, gfxContext*, nsRect const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:323:3
#8 0x7f8ab3fb44f4 in mozilla::nsDisplayBackgroundImage::PaintInternal(mozilla::nsDisplayListBuilder*, gfxContext*, nsRect const&, nsRect*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3555:10
#9 0x7f8ab38216bc in mozilla::nsDisplayCanvasBackgroundImage::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:348:3
#10 0x7f8aaa68614b in mozilla::layers::PaintItemByDrawTarget(mozilla::nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::BaseScaleFactors2D<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2327:38
#11 0x7f8aaa683400 in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2592:7
#12 0x7f8aaa67869d in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2880:48
#13 0x7f8aaa674f64 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2121:7
#14 0x7f8ab3fcf2b7 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4625:30
#15 0x7f8ab3fcf2b7 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4941:12
#16 0x7f8ab3fcf2b7 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5264:22
#17 0x7f8aaa6784c7 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1855:41
#18 0x7f8aaa674f64 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2121:7
#19 0x7f8aaa671545 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1776:5
#20 0x7f8aaa69ef82 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:370:30
#21 0x7f8ab3f9a330 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2308:18
#22 0x7f8ab36cafba in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3424:9
#23 0x7f8ab358880a in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6458:5
#24 0x7f8ab2a59780 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#25 0x7f8ab2a58a6e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#26 0x7f8ab2a5c1a7 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#27 0x7f8ab34d9caa in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2854:11
#28 0x7f8ab34ee19c in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:358:13
#29 0x7f8ab34ee19c in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
#30 0x7f8ab34ede7e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:5
#31 0x7f8ab34edaf1 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:965:5
#32 0x7f8ab34eccfe in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
#33 0x7f8ab34eb85b in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:735:5
#34 0x7f8ab34eaee2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:577:14
#35 0x7f8ab34eaa95 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:534:9
#36 0x7f8ab17f1edb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#37 0x7f8ab1e1ceed in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#38 0x7f8ab1bbf799 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8654:32
#39 0x7f8aa929ef65 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#40 0x7f8aa929a8ef in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#41 0x7f8aa929bd29 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#42 0x7f8aa929d2a3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#43 0x7f8aa765f20a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
#44 0x7f8aa7649828 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#45 0x7f8aa7646237 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#46 0x7f8aa7646b19 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#47 0x7f8aa7666ce4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#48 0x7f8aa7666ce4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#49 0x7f8aa7691483 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#50 0x7f8aa769f284 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#51 0x7f8aa92a84b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#52 0x7f8aa90d3a6a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#53 0x7f8aa90d3a6a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#54 0x7f8aa90d3a6a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#55 0x7f8ab2b986b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#56 0x7f8ab88a665e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:722:20
#57 0x7f8aa90d3a6a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#58 0x7f8aa90d3a6a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#59 0x7f8aa90d3a6a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#60 0x7f8ab88a5bf9 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:34
#61 0x558872d411be in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#62 0x558872d411be in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#63 0x7f8acf429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#64 0x7f8acf429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#65 0x558872c6a7f8 in _start (/home/user/workspace/browsers/m-c-20230905215534-fuzzing-asan-opt/firefox+0x1067f8) (BuildId: bc3e0b8be764ceedfdb30e5cad382b2df28a00a4)
Flags: in-testsuite?
|
||
Updated•1 year ago
|
Keywords: pernosco-wanted
|
||
Comment 1•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230906035121-ff7e2e9adbc1.
The bug appears to have been introduced in the following build range:
Start: 01e6140780d64b8fa96afd2ca183c5787751fb83 (20230717213556)
End: bbea40f618ed9435d7c989dcb18dc1ba34d55d4c (20230717234015)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=01e6140780d64b8fa96afd2ca183c5787751fb83&tochange=bbea40f618ed9435d7c989dcb18dc1ba34d55d4c
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Whiteboard: [bugmon:bisected,confirmed]
|
|
||
Comment 3•1 year ago
|
||
mTextRun is null. jfkthame maybe you can shed some light on when/why mTextRun would be null?
Flags: needinfo?(jfkthame)
|
||
Comment 4•1 year ago
|
||
Setting Bug 1843863 as the regressor based on the pushlog in Comment 1
Regressed by: 1843863
|
||
Comment 5•1 year ago
|
||
Set release status flags based on info from the regressing bug 1843863
status-firefox117:
--- → affected
status-firefox118:
--- → affected
status-firefox-esr102:
--- → unaffected
status-firefox-esr115:
--- → unaffected
|
||
Updated•1 year ago
|
Crash Signature: [@ mozilla::nsDisplayText::RenderToContext]
|
|
||
Updated•1 year ago
|
|
Assignee | |
Comment 6•1 year ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #3)
mTextRun is null. jfkthame maybe you can shed some light on when/why mTextRun would be null?
This code looks suspiciously like it could leave us with an nsTextFrame that has no mTextRun even after the document has been reflowed. So we'd better have a null-check-and-bail-out at the beginning of nsDisplayText::RenderToContext, I guess.
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 7•1 year ago
|
||
|
||
Updated•1 year ago
|
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•1 year ago
|
||
Depends on D187698
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e975cf693948
Add missing null-check in nsDisplayText::RenderToContext. r=dholbert
https://hg.mozilla.org/integration/autoland/rev/f4c21bd187ef
Add crashtest. r=dholbert
|
||
Comment 10•1 year ago
|
||
Backed out for causing mochitest failures on browser_tabclose.js
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 11•1 year ago
|
||
Huh, it's surprising to me that this patch would affect a test like that, but maybe bailing out of the display-list item so early (without doing clip updates, etc) is perturbing behavior in some way. I guess the safest fix here is to just put the null-check immediately around the call to gfxTextRun::IsRightToLeft, rather than short-circuiting the whole method.
Flags: needinfo?(jfkthame)
|
||
Comment 12•1 year ago
|
||
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a58fd16b5ea
Add missing null-check in nsDisplayText::RenderToContext. r=dholbert
https://hg.mozilla.org/integration/autoland/rev/16a377bb7b5f
Add crashtest. r=dholbert
|
||
Comment 13•1 year ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8a58fd16b5ea
https://hg.mozilla.org/mozilla-central/rev/16a377bb7b5f
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
|
|
||
Comment 14•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230911154121-d2fd68fd89bb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•