1864396 - Crash in [@ mozilla::SVGContentUtils::GetStrokeOptions::$::operator()] with infinite recursion leading to stack overflow, when using 'transform-box: border-box'

Status: RESOLVED FIXED

(Core :: SVG, defect, P2)

Description

[djinn]

Attachment: testcase 1 (warning: triggers a content-process crash when loaded)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0

Steps to reproduce:

Open the minimized testcase attached below with Firefox Nightly 121.0a1 (the newest version, download link: https://www.mozilla.org/en-US/firefox/121.0a1/releasenotes/) or the release-asan self-built firefox 121.0a1.

Actual results:

the browser crashed.
And here is detailed information:
==144037==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcb437cf18 (pc 0x55636770f4f7 bp 0x7ffcb437d750 sp 0x7ffcb437cf20 T0)
backtrace:
__asan_memset
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
__asan_memset

Expected results:

the browser won't crash.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

:boris, since you are the author of the regressor, bug 1819464, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 2

[Boris Chiou [:boris]]

Yap. This can be reproduced on Nightly (debug build). No useful debug message on my local build, but the call stack in comment 0 is a good hint. Thanks for filing this bug.

Comment 3

[Boris Chiou [:boris]]

Note: disabling layout.css.transform-box-content-stroke.enabled can avoid this bug, and this happened when computing the stroke-box for transform-box.

Comment 5

[Daniel Holbert [:dholbert]]

I've added some crash signatures for crashes that I got when loading the testcase. (The exact signature is somewhat-arbitrary; just one of the functions involved in the infinite recursion.)

[@ mozilla::SVGContentUtils::GetStrokeOptions::$::operator()]: bp-64f4c4b8-af0f-4543-a6d0-194130231120
[@ mozilla::SVGUtils::GetBBox]: bp-821c76ab-8fcc-4da2-b6dc-c7a290231120

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1819464

Comment 8

[Jonathan Watt [:jwatt]]

Restricting this too, now that a sec bug has been duped to it. Also copying over the keywords/groups that dveditz added to bug 1866663.

Comment 9

[Jonathan Watt [:jwatt]]

Attachment: Minimal POC (crashes content process)

Comment 10

[Jonathan Watt [:jwatt]]

In addition to being a bug in our code, this seems like a spec bug. Basically vector-effect="non-scaling-stroke" and transform-box: stroke-box (or border-box) can create a cyclical dependency. To compute the stroke bounds of an element with non-scaling-stroke (in this case to set the element's overflow bounds) you need the transform to the outer-svg, but if transform-box: stroke-box is present then resolving that transform may require the stroke bounds. (In principal, if the transform doesn't depend on the element's reference box, then there is no cycle.)

Comment 11

[Jonathan Watt [:jwatt]]

Attachment: Bug 1864396. Prevent transform-box:stroke-box crash. r=emilio

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jwatt, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Comment 13

[Jonathan Watt [:jwatt]]

Note that this issue currently only exists in Nightly builds because the pref is only enabled for Nightly:

https://searchfox.org/mozilla-central/rev/f030995a79461379153293c0e07f4982afe9ac28/modules/libpref/init/StaticPrefList.yaml#8153

Comment 14

[Jonathan Watt [:jwatt]]

Comment on attachment 9365521 [details]
Bug 1864396. Prevent transform-box:stroke-box crash. r=emilio

Security Approval Request

• How easily could an exploit be constructed based on the patch?: I don't know. It's a recursive stack overflow, if that helps.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
• Which older supported branches are affected by this flaw?: Only Nightly is affected
• If not all supported branches, which bug introduced the flaw?: Bug 1819464
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: N/A
• How likely is this patch to cause regressions; how much testing does it need?: Very low. Taking another codepath that is already exposed to the web by forcing a different CSS used value.
• Is Android affected?: Yes

Comment 15

[Jonathan Watt [:jwatt]]

(In reply to Jonathan Watt [:jwatt] from comment #14)

• Which older supported branches are affected by this flaw?: Only Nightly is affected

To me more technically correct, the code is in Firefox 120 (released), but is pref'ed off by default.

Comment 16

[Jonathan Watt [:jwatt]]

Attachment: Bug 1864396 tests. Behaviour of transform-box: stroke-box with vector-effect: non-scaling-stroke. r=emilio

Comment 17

[Jonathan Watt [:jwatt]]

As much for my own notes as anything, a more readable version of the looping stack:

SVGGeometryFrame::GetBBoxContribution
SVGUtils::GetBBox
nsLayoutUtils::ComputeSVGReferenceRect
nsStyleTransformMatrix::GetSVGBox
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached
nsStyleTransformMatrix::TransformReferenceBox::X
nsDisplayTransform::GetDeltaToTransformOrigin
nsDisplayTransform::FrameTransformProperties::FrameTransformProperties
SVGUtils::GetTransformMatrixInUserSpace
GetCTMInternal
SVGContentUtils::GetCTM
SVGUtils::GetNonScalingStrokeTransform
SVGGeometryFrame::GetBBoxContribution - needs transform to outer-svg
SVGGeometryFrame::ReflowSVG - want to cache overflow bounds

Comment 18

[Emilio Cobos Álvarez (:emilio)]

I think given it only affects nightly you can land without approval, and with tests, fwiw, per https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html#on-requesting-sec-approval, but maybe worth checking with Dan.

Comment 19

[Jonathan Watt [:jwatt]]

I requested approval because I don't meet condition 'A' there, since Dan marked dup bug 1866663 as sec-high. He may have given it a lower rating if it hand been clear at the time that the behavior is pref'ed off in Beta/Release, but I'm not sure I can assume that.

Comment 20

[Tom Ritter [:tjr] (OOTO until mid-August)]

Comment on attachment 9365521 [details]
Bug 1864396. Prevent transform-box:stroke-box crash. r=emilio

Approved to land; you can also land the test as this only affects Nightly.

Comment 21

[Pulsebot]

Pushed by jwatt@jwatt.org:
https://hg.mozilla.org/integration/autoland/rev/dd0c250a915f
Prevent transform-box:stroke-box crash. r=emilio,layout-reviewers,longsonr
https://hg.mozilla.org/integration/autoland/rev/a162f6ee0eef
tests. Behaviour of transform-box: stroke-box with vector-effect: non-scaling-stroke. r=longsonr

Comment 22

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/dd0c250a915f
https://hg.mozilla.org/mozilla-central/rev/a162f6ee0eef

Comment 23

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot