Closed Bug 1857945 Opened 1 year ago Closed 1 year ago

Assertion failure: !mForbiddenToFlush (This is bad!), at /layout/base/PresShell.cpp:4199

Categories

(Core :: Layout, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
120 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 --- unaffected
firefox120 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 461a9c98a535 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 461a9c98a535 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mForbiddenToFlush (This is bad!), at /layout/base/PresShell.cpp:4199

    ==403871==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7c00bc490 bp 0x7ffda6281980 sp 0x7ffda6281840 T403871)
    ==403871==The signal is caused by a WRITE memory access.
    ==403871==Hint: address points to the zero page.
        #0 0x7fc7c00bc490 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4199:3
        #1 0x7fc7bdaa09f6 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
        #2 0x7fc7bdaa09f6 in mozilla::dom::CanvasRenderingContext2D::UpdateFilter() /dom/canvas/CanvasRenderingContext2D.cpp:2899:18
        #3 0x7fc7c04034ff in mozilla::SVGFilterObserverListForCanvasContext::OnRenderingChange() /layout/svg/SVGObserverUtils.cpp:963:20
        #4 0x7fc7c0402645 in mozilla::SVGFilterObserver::OnRenderingChange() /layout/svg/SVGObserverUtils.cpp:834:26
        #5 0x7fc7c0403fe4 in OnNonDOMMutationRenderingChange /layout/svg/SVGObserverUtils.cpp:254:3
        #6 0x7fc7c0403fe4 in mozilla::SVGRenderingObserverSet::InvalidateAll() /layout/svg/SVGObserverUtils.cpp:1141:15
        #7 0x7fc7c029bfdb in nsIFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsIFrame.cpp:777:3
        #8 0x7fc7c01cfc7d in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:299:22
        #9 0x7fc7c0230f56 in nsFrameList::DestroyFrames(mozilla::FrameDestroyContext&) /layout/generic/nsFrameList.cpp:40:12
        #10 0x7fc7c01cfa00 in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:230:11
        #11 0x7fc7c0230f56 in nsFrameList::DestroyFrames(mozilla::FrameDestroyContext&) /layout/generic/nsFrameList.cpp:40:12
        #12 0x7fc7c01cfa00 in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:230:11
        #13 0x7fc7c040a602 in mozilla::SVGOuterSVGFrame::Destroy(mozilla::FrameDestroyContext&) /layout/svg/SVGOuterSVGFrame.cpp:784:29
        #14 0x7fc7c01eead3 in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /layout/generic/nsBlockFrame.cpp:6752:20
        #15 0x7fc7c01ee3f0 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /layout/generic/nsBlockFrame.cpp:6050:5
        #16 0x7fc7c0129cfe in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /layout/base/nsCSSFrameConstructor.cpp:7529:5
        #17 0x7fc7c0125705 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8520:7
        #18 0x7fc7c00e2760 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /layout/base/RestyleManager.cpp:1660:25
        #19 0x7fc7c00e9804 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3241:9
        #20 0x7fc7c00bcf75 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3326:3
        #21 0x7fc7c00bc10e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4346:39
        #22 0x7fc7bc3e7212 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
        #23 0x7fc7bc3e7212 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10916:16
        #24 0x7fc7bb7cb70e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:740:14
        #25 0x7fc7bb7ccbe4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:678:5
        #26 0x7fc7c177741f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13900:23
        #27 0x7fc7ba9f931f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #28 0x7fc7ba9fa860 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #29 0x7fc7bc3ec0bc in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11701:18
        #30 0x7fc7bc3d21f4 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8151:3
        #31 0x7fc7bc482439 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #32 0x7fc7bc482439 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #33 0x7fc7bc482439 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #34 0x7fc7bc482439 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #35 0x7fc7bc482439 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #36 0x7fc7bc482439 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #37 0x7fc7bc482439 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #38 0x7fc7ba7bb277 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:559:16
        #39 0x7fc7ba7b2e33 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:886:26
        #40 0x7fc7ba7b1677 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:709:15
        #41 0x7fc7ba7b1ad5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:495:36
        #42 0x7fc7ba7bef86 in operator() /xpcom/threads/TaskController.cpp:218:37
        #43 0x7fc7ba7bef86 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #44 0x7fc7ba7d57fa in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
        #45 0x7fc7ba7dc82d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #46 0x7fc7bb48fd75 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #47 0x7fc7bb3aa431 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #48 0x7fc7bb3aa431 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #49 0x7fc7bfcc98b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #50 0x7fc7c1f00bbb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #51 0x7fc7bb490c56 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #52 0x7fc7bb3aa431 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #53 0x7fc7bb3aa431 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #54 0x7fc7c1f00422 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #55 0x55bda3e34236 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #56 0x55bda3e34236 in main /browser/app/nsBrowserApp.cpp:375:18
        #57 0x7fc7cfdaad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #58 0x7fc7cfdaae3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #59 0x55bda3e09f68 in _start (/home/jkratzer/builds/m-c-20231006092133-fuzzing-debug/firefox-bin+0x58f68) (BuildId: d97922557cda625d0f41e45d0271dc60e71db811)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/base/PresShell.cpp:4199:3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)
    ==403871==ABORTING
Attached file Testcase
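The stack above shows a rendering-change observer, fired while a frame is being destroyed (frames #3 to #7), calling back into the layout flush that is already in progress (frames #0 to #2 and #21); the `!mForbiddenToFlush` assertion exists to catch exactly that re-entry, and the landed fix stops the canvas-context observer from flushing in its callback. The C++ below is an added illustration written for this page, not Gecko code: a toy shell with a flush-forbidden flag, an observer that flushes from its callback (the pattern that tripped the assertion) and one that only marks its state dirty and updates on the next flush that happens outside the guard (the pattern of the fix). Every class and function name here is constructed for the example.

```cpp
#include <cassert>
#include <vector>

// Constructed model for illustration; the names are made up, not Gecko's.
class Shell;

struct RenderingObserver {
  virtual ~RenderingObserver() = default;
  // Invoked while the shell is tearing down frames, i.e. mid-flush.
  virtual void OnRenderingChange(Shell& shell) = 0;
};

class Shell {
 public:
  void AddObserver(RenderingObserver* observer) { mObservers.push_back(observer); }
  bool ForbiddenToFlush() const { return mForbiddenToFlush; }

  // Returns false when a flush is requested while one is already in progress;
  // a debug build of Gecko asserts at that point, which is the crash in this bug.
  bool FlushPendingNotifications() {
    if (mForbiddenToFlush) {
      ++mRejectedReentrantFlushes;
      return false;
    }
    mForbiddenToFlush = true;  // frame destruction runs under this guard
    for (RenderingObserver* observer : mObservers) {
      observer->OnRenderingChange(*this);  // analogue of InvalidateAll() from Destroy()
    }
    mForbiddenToFlush = false;
    ++mCompletedFlushes;
    return true;
  }

  int RejectedReentrantFlushes() const { return mRejectedReentrantFlushes; }
  int CompletedFlushes() const { return mCompletedFlushes; }

 private:
  bool mForbiddenToFlush = false;
  int mRejectedReentrantFlushes = 0;
  int mCompletedFlushes = 0;
  std::vector<RenderingObserver*> mObservers;
};

// Buggy pattern: flush synchronously from inside the change callback.
struct FlushingObserver : RenderingObserver {
  bool mLastFlushSucceeded = true;
  void OnRenderingChange(Shell& shell) override {
    mLastFlushSucceeded = shell.FlushPendingNotifications();
  }
};

// Fixed pattern: record that the filter is stale, update it on the next safe flush.
struct DeferringObserver : RenderingObserver {
  bool mFilterDirty = false;
  void OnRenderingChange(Shell&) override { mFilterDirty = true; }
  bool UpdateFilterIfNeeded(Shell& shell) {
    if (!mFilterDirty || shell.ForbiddenToFlush()) return false;
    mFilterDirty = false;
    return shell.FlushPendingNotifications();
  }
};

// Scenario 1: the observer re-enters the flush and the guard refuses it.
int CountReentrantFlushRejections() {
  Shell shell;
  FlushingObserver observer;
  shell.AddObserver(&observer);
  shell.FlushPendingNotifications();
  return shell.RejectedReentrantFlushes();  // 1: the nested flush was refused
}

// Scenario 2: the observer defers; the later update flushes outside the guard.
bool DeferredUpdateFlushesSafely() {
  Shell shell;
  DeferringObserver observer;
  shell.AddObserver(&observer);
  shell.FlushPendingNotifications();  // only marks the filter dirty
  bool updated = observer.UpdateFilterIfNeeded(shell);
  return updated && shell.RejectedReentrantFlushes() == 0 &&
         shell.CompletedFlushes() == 2;
}

int main() {
  assert(CountReentrantFlushRejections() == 1);
  assert(DeferredUpdateFlushesSafely());
  return 0;
}
```

The model returns false where Gecko asserts, so the re-entry is observable in a test instead of ending the process; the defensive point is the same, that teardown callbacks must not synchronously re-enter the layout machinery that is tearing them down.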

Marking as S-S just in case.

Group: layout-core-security

Verified bug as reproducible on mozilla-central 20231009093538-d5fd5e481ff2.
Unable to bisect testcase (Unable to launch the start build!):

Start: d420f9190e2f35e314aa67ee346650f86451792c (20221010033207)
End: 461a9c98a535b9896e9d394bdfee72ce90cf7afd (20231006092133)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Keywords: sec-high

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Flags: needinfo?(longsonr)
Keywords: regression
Regressed by: 1494263
Duplicate of this bug: 1857856

Set release status flags based on info from the regressing bug 1494263

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Ah, I thought that would be enough but it's not. With that patch I get:

Assertion failure: inObserverSet == mInObserverSet (failed to track whether we're in our referenced element's observer set!), at /home/emilio/src/moz/gecko-8/layout/svg/SVGObserverUtils.cpp:1192

Robert, can you take a look if you have the time? Otherwise I can look but I'm a bit busy with other stuff.

Assignee: emilio → nobody
Status: ASSIGNED → NEW
Assignee: nobody → emilio
Status: NEW → ASSIGNED

(In reply to Emilio Cobos Álvarez (:emilio) from comment #9)

Ah, I thought that would be enough but it's not. With that patch I get: Assertion failure: inObserverSet [...]

Robert just landed bug 1859858 which should address comment 9. emilio: Could you re-test your patch on top of that? (Maybe this is good to go?)

(I suspect sec-approval isn't needed here, given that this seems to be a recently-introduced regression (from bug 1494263) that only affects Nightly, per (B) on https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html#on-requesting-sec-approval . Though, probably good to get this in before tomorrow's soft-freeze if possible.)

Flags: needinfo?(longsonr) → needinfo?(emilio)

Yeah, let's try to land as-is. The assert is specific to the crashtest above, so it shouldn't block landing the patch anyway, but we should land a test once both patches are in central.

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a16c1296d5fc Don't flush from SVGFilterObserverListForCanvasContext::OnRenderingChange. r=longsonr
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
Flags: needinfo?(emilio)
Flags: needinfo?(emilio)

Verified bug as fixed on rev mozilla-central 20231019042043-6bb5ad68d8ba.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Depends on: 1859858
Group: core-security-release
