Closed
Bug 1899840
Opened 4 months ago
Closed 4 months ago
Assertion failure: IsInBounds(mStart, mLength, aRange) (Range out of bounds), at /layout/generic/nsTextFrame.cpp:3901
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
128 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox126 | --- | unaffected |
| firefox127 | --- | unaffected |
| firefox128 | --- | fixed |
People
(Reporter: jkratzer, Unassigned, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: pernosco, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
142 bytes,
text/plain
|
Details |
Testcase found while fuzzing mozilla-central rev b05a24f15850 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build b05a24f15850 --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: IsInBounds(mStart, mLength, aRange) (Range out of bounds), at /layout/generic/nsTextFrame.cpp:3901
==127445==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c0a4f747e69 bp 0x7ffe3bd1c430 sp 0x7ffe3bd1c380 T127445)
==127445==The signal is caused by a WRITE memory access.
==127445==Hint: address points to the zero page.
#0 0x7c0a4f747e69 in nsTextFrame::PropertyProvider::GetHyphenationBreaks(gfxTextRun::Range, gfxTextRun::HyphenType*) const /layout/generic/nsTextFrame.cpp:3901:3
#1 0x7c0a4f75f185 in nsTextFrame::AddInlineMinISizeForFlow(gfxContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /layout/generic/nsTextFrame.cpp:8667:16
#2 0x7c0a4f760e03 in nsTextFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /layout/generic/nsTextFrame.cpp:8877:10
#3 0x7c0a4f645f62 in operator()<nsContainerFrame *, nsIFrame::InlineMinISizeData *> /layout/generic/nsContainerFrame.cpp:795:12
#4 0x7c0a4f645f62 in DoInlineIntrinsicISize<nsIFrame::InlineMinISizeData, (lambda at /layout/generic/nsContainerFrame.cpp:793:25)> /layout/generic/nsContainerFrameInlines.h:75:5
#5 0x7c0a4f645f62 in nsContainerFrame::DoInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /layout/generic/nsContainerFrame.cpp:798:3
#6 0x7c0a4f60850d in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:875:16
#7 0x7c0a4f575b79 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#8 0x7c0a4f57764f in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5039:10
#9 0x7c0a4f7288f9 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /layout/generic/nsPlaceholderFrame.cpp:59:26
#10 0x7c0a4f60850d in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:875:16
#11 0x7c0a4f575b79 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#12 0x7c0a4f57764f in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5039:10
#13 0x7c0a4f7288f9 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /layout/generic/nsPlaceholderFrame.cpp:59:26
#14 0x7c0a4f60850d in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:875:16
#15 0x7c0a4f6465f1 in ShrinkISizeToFit /layout/generic/nsIFrame.cpp:6759:22
#16 0x7c0a4f6465f1 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsContainerFrame.cpp:828:11
#17 0x7c0a4f6525e0 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6358:7
#18 0x7c0a4f5bd5e5 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2424:19
#19 0x7c0a4f5b9eb1 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:392:3
#20 0x7c0a4f5bab60 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:253:5
#21 0x7c0a4f5cc948 in mozilla::detail::MaybeStorageBase<mozilla::ReflowInput, false>::Union::Union<nsPresContext* const&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize>(std::in_place_t, nsPresContext* const&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&&) /builds/worker/workspace/obj-build/dist/include/mozilla/MaybeStorageBase.h:41:11
#22 0x7c0a4f5af8d2 in MaybeStorageBase<nsPresContext *const &, const mozilla::ReflowInput &, nsIFrame *&, mozilla::LogicalSize> /builds/worker/workspace/obj-build/dist/include/mozilla/MaybeStorageBase.h:54:9
#23 0x7c0a4f5af8d2 in MaybeStorage<nsPresContext *const &, const mozilla::ReflowInput &, nsIFrame *&, mozilla::LogicalSize> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:260:9
#24 0x7c0a4f5af8d2 in Maybe<nsPresContext *const &, const mozilla::ReflowInput &, nsIFrame *&, mozilla::LogicalSize> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:392:9
#25 0x7c0a4f5af8d2 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /layout/generic/BlockReflowState.cpp:740:22
#26 0x7c0a4f5af122 in mozilla::BlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /layout/generic/BlockReflowState.cpp:584:9
#27 0x7c0a4f70e5e8 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:937:23
#28 0x7c0a4f61e35f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /layout/generic/nsBlockFrame.cpp:5074:15
#29 0x7c0a4f61d54d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /layout/generic/nsBlockFrame.cpp:4876:5
#30 0x7c0a4f619478 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4734:9
#31 0x7c0a4f615878 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3702:24
#32 0x7c0a4f60fc92 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:3208:29
#33 0x7c0a4f60c825 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /layout/generic/nsBlockFrame.cpp:1888:35
#34 0x7c0a4f60ab3c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1531:9
#35 0x7c0a4f63d7d4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:889:14
#36 0x7c0a4f62e701 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:720:7
#37 0x7c0a4f63d7d4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:889:14
#38 0x7c0a4f5d16c2 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/ScrollContainerFrame.cpp:915:3
#39 0x7c0a4f5d260e in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/ScrollContainerFrame.cpp:1050:3
#40 0x7c0a4f5d4a94 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ScrollContainerFrame.cpp:1518:3
#41 0x7c0a4f646b31 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:930:14
#42 0x7c0a4f600b90 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:356:7
#43 0x7c0a4f4c4450 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9825:11
#44 0x7c0a4f4edf0f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9998:22
#45 0x7c0a4f4ce657 in DoFlushLayout /layout/base/PresShell.cpp:10045:10
#46 0x7c0a4f4ce657 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4380:9
#47 0x7c0a4f490dee in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1460:5
#48 0x7c0a4f490dee in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /layout/base/nsRefreshDriver.cpp:2229:31
#49 0x7c0a4f48fb99 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2716:3
#50 0x7c0a4f499491 in TickDriver /layout/base/nsRefreshDriver.cpp:368:13
#51 0x7c0a4f499491 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:346:7
#52 0x7c0a4f499390 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:362:5
#53 0x7c0a4f49922d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:952:5
#54 0x7c0a4f4984ec in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:862:5
#55 0x7c0a4f497769 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:593:14
#56 0x7c0a4e7cb94b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
#57 0x7c0a4ea92247 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
#58 0x7c0a49eaee91 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5061:32
#59 0x7c0a49e49b7f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1820:25
#60 0x7c0a49e468d2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1739:9
#61 0x7c0a49e47552 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1530:3
#62 0x7c0a49e4869f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1630:14
#63 0x7c0a491489e7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:580:16
#64 0x7c0a4913dff6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:907:26
#65 0x7c0a4913c7b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:730:15
#66 0x7c0a4913cc35 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:516:36
#67 0x7c0a4914c936 in operator() /xpcom/threads/TaskController.cpp:234:37
#68 0x7c0a4914c936 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#69 0x7c0a4916198d in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#70 0x7c0a49168a0f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#71 0x7c0a49e4fa85 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#72 0x7c0a49d664e1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#73 0x7c0a49d664e1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#74 0x7c0a4f0b6a98 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#75 0x7c0a4f178538 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:469:33
#76 0x7c0a5021af8b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:712:20
#77 0x7c0a49e50966 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#78 0x7c0a49d664e1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#79 0x7c0a49d664e1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#80 0x7c0a5021a7ab in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:647:34
#81 0x55b253497b6f in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#82 0x55b253497b6f in main /browser/app/nsBrowserApp.cpp:378:18
#83 0x7c0a5de62d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#84 0x7c0a5de62e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#85 0x55b25346ce78 in _start (/home/jkratzer/builds/m-c-20240530040816-fuzzing-debug/firefox-bin+0x59e78) (BuildId: f10c4640339d648f7b8c1a22f25cfa12d64016b3)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsTextFrame.cpp:3901:3 in nsTextFrame::PropertyProvider::GetHyphenationBreaks(gfxTextRun::Range, gfxTextRun::HyphenType*) const
==127445==ABORTING
|
Reporter | |
Comment 1•4 months ago
|
||
|
||
Comment 2•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20240530213713-8bc6fa2ba2e8.
The bug appears to have been introduced in the following build range:
Start: 90f074b25bea311c1becc74363be744dc8fe5683 (20240528091330)
End: e77b76a2a22df588531dad70811a755b46798779 (20240528101915)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=90f074b25bea311c1becc74363be744dc8fe5683&tochange=e77b76a2a22df588531dad70811a755b46798779
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•4 months ago
|
||
This bug has been marked as a regression. Setting status flag for Nightly to affected.
status-firefox128:
--- → affected
|
|
||
Comment 4•4 months ago
|
||
Set release status flags based on info from the regressing bug 385615
:jfkthame, since you are the author of the regressor, bug 385615, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox126:
--- → unaffected
status-firefox127:
--- → unaffected
status-firefox-esr115:
--- → unaffected
Flags: needinfo?(jfkthame)
|
||
Updated•4 months ago
|
Flags: needinfo?(jfkthame)
Keywords: pernosco-wanted
|
|
||
Comment 5•4 months ago
|
||
Marking as S2 for now, as it looks like there could be potential for out-of-bounds accesses. Might be related to bug 1900169, which is a also regression from the same patch.
Leaving needinfo flag in place for now, pending a look at pernosco...
|
|
||
Comment 6•4 months ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Keywords: pernosco-wanted → pernosco
|
||
Comment 8•4 months ago
|
||
Drive-by observation: just before the fatal assertion, we also trip this non-fatal assertion, while working with the same nsTextFrame instance:
###!!! ASSERTION: frame crosses fixed continuation boundary: 'flowLength->mEndFlowOffset >= GetContentEnd()', file /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:691
That might conceivably be related / a sign of things-having-already-gone-wrong slightly earlier.
|
|
||
Comment 9•4 months ago
•
|
||
But given that this was a regression from bug 385615, I think we can call this fixed-by-backout of bug 385615 (merged to central a few hours ago in bug 385615 comment 75).
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
|
|
||
Updated•4 months ago
|
|
||
Updated•4 months ago
|
Target Milestone: --- → 128 Branch
|
|
||
Comment 10•4 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240603160728-709248f1fc69.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•