stack-exhaustion crash for testcase with mixed writing-mode inside embedded subgrid
Categories: Core :: Layout: Grid, defect
People: Reporter: mboudrea, Unassigned
Details: Keywords: crash, testcase
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Steps to reproduce:
View this page:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Document</title>
  <style>
    h1 {
      border: 3px solid black;
      border-style: solid none;
    }
    main {
      display: grid;
      gap: 1ch;
      grid-template-columns: auto auto;
      grid-template-rows: auto;
    }
    section {
      display: grid;
      grid-template-columns: subgrid;
      grid-template-rows: subgrid;
      grid-column: 1 / -1;
    }
    article {
      display: grid;
      grid-template-columns: subgrid;
      grid-template-rows: subgrid;
      grid-column: 1 / -1;
    }
    h2 {
      writing-mode: horizontal-tb;
    }
    div {
      writing-mode: vertical-lr;
    }
  </style>
</head>
<body>
  <h1>Not working</h1>
  <main>
    <section>
      <article>
        <h2>Horizontal</h2>
        <div>Vertical</div>
      </article>
    </section>
  </main>
  <h1>Working</h1>
  <main>
    <section>
      <article>
        <h2>Horizontal</h2>
        <h2>Horizontal</h2>
      </article>
    </section>
  </main>
  <h1>Working</h1>
  <main>
    <section>
      <article>
        <div>Vertical</div>
        <div>Vertical</div>
      </article>
    </section>
  </main>
  <h1>Working</h1>
  <main>
    <section>
      <article>
      </article>
      <h2>Horizontal</h2>
      <div>Vertical</div>
    </section>
  </main>
</body>
</html>
Actual results:
Crash
Expected results:
No crash with h2 horizontal and div vertical
Comment 1•1 month ago
The Bugbug bot thinks this bug should belong to the 'Core::Layout: Grid' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•1 month ago
Comment 2•1 month ago
Marking as security bug since some early debugging indicates this could cause a stack overflow.
Comment 3•1 month ago
A stacktrace from debugging shows a lot of repeated frames, following this pattern:
#15566 0x00007f934a9de0af in ContentContribution (aGridItem=..., aState=..., aRC=aRC@entry=0x7f93433dbd40, aCBWM=...,
aAxis=aAxis@entry=mozilla::LogicalAxis::Inline, aPercentageBasis=..., aConstraint=mozilla::IntrinsicISizeType::MinISize,
aMinSizeClamp=1073741823, aFlags=0) at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:5624
#15567 0x00007f934a9de96e in MinContentContribution (aGridItem=..., aState=..., aRC=aRC@entry=0x7f93433dbd40, aCBWM=..., aCBWM@entry=...,
aAxis=<optimized out>, aCache=aCache@entry=0x7ffff9e1ddb0) at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:5725
#15568 0x00007f934a9df051 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeForNonSpanningItems (this=this@entry=0x7ffff9e1e4b8, aState=...,
aFunctions=..., aPercentageBasis=aPercentageBasis@entry=0, aConstraint=aConstraint@entry=nsGridContainerFrame::SizingConstraint::NoConstraint,
aRange=..., aGridItem=...) at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:5896
#15569 0x00007f934a9df5d7 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize (this=this@entry=0x7ffff9e1e4b8, aState=..., aGridItems=...,
aFunctions=..., aRange=aRange@entry=&nsGridContainerFrame::GridArea::mCols, aPercentageBasis=aPercentageBasis@entry=0,
aConstraint=nsGridContainerFrame::SizingConstraint::NoConstraint) at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:6633
#15570 0x00007f934a9e57b0 in nsGridContainerFrame::Tracks::CalculateSizes (this=0x7ffff9e1e4b8, aState=..., aGridItems=..., aFunctions=...,
aContentBoxSize=1073741823, aRange=&nsGridContainerFrame::GridArea::mCols, aConstraint=nsGridContainerFrame::SizingConstraint::NoConstraint)
at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:5837
#15571 0x00007f934a9e5930 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis (this=this@entry=0x7ffff9e1e440,
aAxis=aAxis@entry=mozilla::LogicalAxis::Inline, aGrid=..., aContentBoxSize=aContentBoxSize@entry=1073741823,
aConstraint=aConstraint@entry=nsGridContainerFrame::SizingConstraint::NoConstraint)
at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:3942
#15572 0x00007f934a9dd5cf in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis (this=0x7f9341444220, aFrame=<optimized out>,
aAxis=mozilla::LogicalAxis::Inline, aSubgrid=<optimized out>, aRC=..., aContentBoxSize=1073741823)
at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:3881
#15573 0x00007f934a9ddb3f in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis (this=0x7f93414443c0, aFrame=0x7f9342b7ce70,
aAxis=mozilla::LogicalAxis::Inline, aRC=...) at /home/emily/dev/gecko-dev/layout/generic/nsGridContainerFrame.cpp:3849
(Repeats many, many times)
It looks like this is probably infinite recursion in subgrid.
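To recognise this signature mechanically when triaging a batch of crash reports, here is an added example (not from this bug or from the Gecko tree): it parses gdb-style frame lines, finds the shortest period over which frame names repeat, and labels a very deep, periodic stack as stack exhaustion from unbounded recursion. The eight frame names come from the backtrace above; the sample backtrace, its placeholder outer frames, the dummy addresses and the depth threshold are constructed assumptions.

```python
import re
# gdb frame header "#N 0xADDR in Function (args..."; indented continuation lines do not match.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([^\s(]+)\s*\(")
# The eight frames that repeat in the backtrace quoted in comment 3.
GECKO_CYCLE = [
    "ContentContribution",
    "MinContentContribution",
    "nsGridContainerFrame::Tracks::ResolveIntrinsicSizeForNonSpanningItems",
    "nsGridContainerFrame::Tracks::ResolveIntrinsicSize",
    "nsGridContainerFrame::Tracks::CalculateSizes",
    "nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis",
    "nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis",
    "nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis",
]

def make_sample_backtrace(repeats=3, first_frame=15566):
    """Constructed sample: the cycle repeated, between two placeholder frames (not real
    Gecko functions), with dummy addresses and abbreviated, wrapped argument lists."""
    names = ["PlaceholderInnerFrame"] + GECKO_CYCLE * repeats + ["PlaceholderOuterFrame"]
    return "\n".join(f"#{first_frame + i} 0x0000 in {name} (aState=...,\n"
                     f"    aAxis=...) at layout/generic/nsGridContainerFrame.cpp:0"
                     for i, name in enumerate(names))

def parse_frames(text):
    """(frame number, function name) pairs, innermost first, from the '#N' header lines."""
    return [(int(m.group(1)), m.group(2)) for m in map(FRAME_RE.match, text.splitlines()) if m]

def find_cycle(names, min_repeats=3):
    """Smallest period p with a periodic stretch of >= min_repeats full copies, else None."""
    n = len(names)
    for p in range(1, n // min_repeats + 1):
        run = best_run = best_end = 0
        for i in range(n - p):
            run = run + 1 if names[i] == names[i + p] else 0
            if run > best_run:
                best_run, best_end = run, i + p
        repeats = (best_run + p) // p  # a run of best_run matches spans best_run + p frames
        if best_run and repeats >= min_repeats:
            start = best_end - best_run - p + 1
            return {"period": p, "repeats": repeats, "cycle": names[start:start + p]}
    return None

def triage(text, depth_threshold=10000):
    """Unbounded recursion: a very deep stack whose frames repeat with a fixed period."""
    frames = parse_frames(text)
    depth = max((num for num, _ in frames), default=-1) + 1
    if depth < depth_threshold:
        return "ordinary stack"
    cycle = find_cycle([name for _, name in frames])
    return f"stack-exhaustion: {cycle['period']}-frame recursion cycle" if cycle else "deep stack, no fixed cycle"
```

A deep stack that shows no fixed period is reported separately, since it is not explained by this kind of recursion and deserves a closer look.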
Updated•1 month ago
Comment 4•1 month ago
A stack overflow from infinite recursion (as opposed to a buffer overflow on the stack) isn't a big deal security wise.
Comment 5•1 month ago
Comment 6•1 month ago
Yeah, this seems to be stack exhaustion; annoying, but not exploitable. We can remove the sec flag here.
Updated•1 month ago