1904421 - crash near null in [@ RemoveFrame]

Status: RESOLVED DUPLICATE of bug 1904409

(Core :: Layout, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20240620-81bbe3af9834 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==38587==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x74eb9f4be1f2 bp 0x7ffff9657b20 sp 0x7ffff9657a60 T0)
==38587==The signal is caused by a READ memory access.
==38587==Hint: address points to the zero page.
    #0 0x74eb9f4be1f2 in SetNextSibling /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:1838:9
    #1 0x74eb9f4be1f2 in RemoveFrame /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:59:18
    #2 0x74eb9f4be1f2 in RemoveLastChild /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:97:5
    #3 0x74eb9f4be1f2 in nsContainerFrame::SafelyDestroyFrameListProp(mozilla::FrameDestroyContext&, mozilla::PresShell*, mozilla::FramePropertyDescriptor<nsFrameList> const*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:214:34
    #4 0x74eb9f44e2e6 in nsBlockFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:460:5
    #5 0x74eb9f4beccc in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36:12
    #6 0x74eb9f4beccc in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234:11
    #7 0x74eb9f4be39d in nsContainerFrame::SafelyDestroyFrameListProp(mozilla::FrameDestroyContext&, mozilla::PresShell*, mozilla::FramePropertyDescriptor<nsFrameList> const*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:216:14
    #8 0x74eb9f4befec in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:285:7
    #9 0x74eb9f4be39d in nsContainerFrame::SafelyDestroyFrameListProp(mozilla::FrameDestroyContext&, mozilla::PresShell*, mozilla::FramePropertyDescriptor<nsFrameList> const*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:216:14
    #10 0x74eb9f4befec in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:285:7
    #11 0x74eb9f4beccc in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36:12
    #12 0x74eb9f4beccc in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234:11
    #13 0x74eb9f66a0ee in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsFrameList*, mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:369:14
    #14 0x74eb9f44e311 in nsBlockFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:463:3
    #15 0x74eb9f4beccc in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36:12
    #16 0x74eb9f4beccc in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234:11
    #17 0x74eb9f48c132 in nsCanvasFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:207:21
    #18 0x74eb9f4beccc in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36:12
    #19 0x74eb9f4beccc in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234:11
    #20 0x74eb9f3d6c6d in mozilla::ScrollContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:364:21
    #21 0x74eb9f4beccc in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36:12
    #22 0x74eb9f4beccc in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234:11
    #23 0x74eb9f2c129e in Destroy /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:55:17
    #24 0x74eb9f2c129e in nsCSSFrameConstructor::WillDestroyFrameTree() /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7709:19
    #25 0x74eb9f1e3d05 in mozilla::PresShell::Destroy() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1345:22
    #26 0x74eb9f2e545f in nsDocumentViewer::DestroyPresShell() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:3502:15
    #27 0x74eb9f2db780 in nsDocumentViewer::Destroy() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1709:5
    #28 0x74eb9fbbf0a6 in nsDocShell::Destroy() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:4427:22
    #29 0x74eba03c377b in nsWebBrowser::SetDocShell(nsDocShell*) /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:1149:18
    #30 0x74eba03c93b2 in InternalDestroy /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:175:3
    #31 0x74eba03c93b2 in Destroy /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:874:3
    #32 0x74eba03c93b2 in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp
    #33 0x74eb9da39ed0 in mozilla::dom::BrowserChild::DestroyWindow() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:716:31
    #34 0x74eb9da56b10 in mozilla::dom::BrowserChild::RecvDestroy() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2539:3
    #35 0x74eb9dc61ba0 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:7107:80
    #36 0x74eb9dd60bef in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8154:32
    #37 0x74eb953d3e15 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
    #38 0x74eb953cfc0f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
    #39 0x74eb953d0ce1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
    #40 0x74eb953d2233 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
    #41 0x74eb93ae582a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #42 0x74eb93ad16ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #43 0x74eb93acec88 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #44 0x74eb93acf2a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #45 0x74eb93aeca74 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:237:37
    #46 0x74eb93aeca74 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #47 0x74eb93b0f06d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #48 0x74eb93b1a358 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #49 0x74eb9e545bc4 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3275:29)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #50 0x74eb9e545bc4 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3274:10
    #51 0x74eb9e543e8d in mozilla::dom::XMLHttpRequestMainThread::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3017:5
    #52 0x74eb99806954 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./XMLHttpRequestBinding.cpp:1670:24
    #53 0x74eb99f975e4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
    #54 0x74eba0eeb6c4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:487:13
    #55 0x74eba0eeb6c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:581:12
    #56 0x74eba1f568b0 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1670:10
    #57 0x150d5712c923  ([anon:js-executable-memory]+0x2923)

Comment 1

[Daniel Holbert [:dholbert]]

As in bug 1904409, the testcase here uses float and multicol; given that plus being filed around the same time, it seems likely they're a regression from the same change, and maybe the same underlying bug. --> See-also

Comment 2

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

This is a duplicate of bug 1904409, and I've added the testcase in comment 0 in the proposed patch.

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240624213429-fc0f7d3e6a3d.
The bug appears to have been introduced in the following build range:

Start: 03b945622bfdeb3e65f2d108ce19c66a501447a4 (20240619190318)
End: c2ba52894016007c3f5c4f21241f14d3cd7bd7a3 (20240619215332)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=03b945622bfdeb3e65f2d108ce19c66a501447a4&tochange=c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240624213429-fc0f7d3e6a3d.
The bug appears to have been introduced in the following build range:

Start: 03b945622bfdeb3e65f2d108ce19c66a501447a4 (20240619190318)
End: c2ba52894016007c3f5c4f21241f14d3cd7bd7a3 (20240619215332)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=03b945622bfdeb3e65f2d108ce19c66a501447a4&tochange=c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 5

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 6

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 7

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.