Bug 2014331 (Closed) - Opened 2 days ago, Closed 13 hours ago

crash near null in [@ nsIFrame::CorrectStyleParentFrame]

Product/Component: Core :: Layout
Type: defect
Status: RESOLVED FIXED
Target Milestone: 149 Branch

Tracking Status:
firefox-esr140 --- unaffected
firefox147 --- unaffected
firefox148 --- unaffected
firefox149 --- fixed

Reporter: tsmith
Assignee: emilio

References: Blocks 1 open bug, Regression
Keywords: crash, regression, testcase
Attachments: 2 files

Attached file testcase.html

Found while fuzzing m-c 20260203-62b991cbf350 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==1410==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000059 (pc 0x7bffdd6fcec8 bp 0x7fffffff79d0 sp 0x7fffffff7920 T0)
==1410==The signal is caused by a READ memory access.
==1410==Hint: address points to the zero page.
    #0 0x7bffdd6fcec8 in HasAnyStateBits /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:2559:59
    #1 0x7bffdd6fcec8 in nsIFrame::CorrectStyleParentFrame(nsIFrame*, mozilla::PseudoStyleType) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:11362:17
    #2 0x7bffdd813678 in GetCorrectedParent(nsIFrame const*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:11332:10
    #3 0x7bffdd81327a in nsIFrame::DoGetParentComputedStyle(nsIFrame**) const /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:11461:23
    #4 0x7bffdd2c4079 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3802:15
    #5 0x7bffdd2c4878 in mozilla::RestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3905:9
    #6 0x7bffdd2c43b2 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3891:3
    #7 0x7bffdd2c4878 in mozilla::RestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3905:9
    #8 0x7bffdd2c43b2 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3891:3
    #9 0x7bffdd4f5205 in ReparentFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:343:22
    #10 0x7bffdd4f5205 in ReparentFrames /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:353:5
    #11 0x7bffdd4f5205 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9328:3
    #12 0x7bffdd4c526b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9273:5
    #13 0x7bffdd4cd8b7 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10095:3
    #14 0x7bffdd4d5341 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4387:3
    #15 0x7bffdd4d6c33 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3732:16
    #16 0x7bffdd4dd891 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5368:3
    #17 0x7bffdd4c3977 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8941:5
    #18 0x7bffdd4c5055 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9233:3
    #19 0x7bffdd4cd8b7 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10095:3
    #20 0x7bffdd4d5341 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4387:3
    #21 0x7bffdd4d6c33 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3732:16
    #22 0x7bffdd4dd891 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5368:3
    #23 0x7bffdd4c3977 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8941:5
    #24 0x7bffdd4e2dc7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6530:3
    #25 0x7bffdd2b38de in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1620:27
    #26 0x7bffdd2becbe in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3250:7
    #27 0x7bffdd2c0efe in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3340:3
    #28 0x7bffdd43f9a9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4473:37
    #29 0x7bffd5e1cd82 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
    #30 0x7bffd5e1cd82 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11628:16
    #31 0x7bffd5e36e43 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:11560:3
    #32 0x7bffd5e36e43 in mozilla::dom::Document::FlushAutoFocusCandidates() /builds/worker/checkouts/gecko/dom/base/Document.cpp:13731:26
    #33 0x7bffdd3b9c01 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2412:29
    #34 0x7bffdd3b9c01 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1313:7
    #35 0x7bffdd3b9c01 in RunRenderingPhaseLegacy<(lambda at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1292:35)> /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1285:3
    #36 0x7bffdd3b9c01 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_3>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_3&&, bool (*)(mozilla::dom::Document const&)) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1292:3
    #37 0x7bffdd3b3a66 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2409:3
    #38 0x7bffdd3ca696 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
    #39 0x7bffdd3ca696 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
    #40 0x7bffdd3ca45a in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
    #41 0x7bffdd3ca0d1 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:950:5
    #42 0x7bffdd3c8f79 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:860:5
    #43 0x7bffdd3c7ae2 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:757:5
    #44 0x7bffdd3c7118 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
    #45 0x7bffdd3c6d4c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:548:9
    #46 0x7bffdbc331db in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #47 0x7bffdc0ddf11 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
    #48 0x7bffd339a072 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5102:32
    #49 0x7bffd32f3bf5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1793:25
    #50 0x7bffd32f00e9 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1719:9
    #51 0x7bffd32f0f07 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1508:3
    #52 0x7bffd32f2423 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1610:14
    #53 0x7bffd1b8c5ca in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
    #54 0x7bffd1b7ba0b in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
    #55 0x7bffd1b82d0d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
    #56 0x7bffd1b807e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
    #57 0x7bffd1b80e06 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
    #58 0x7bffd1ba1b81 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
    #59 0x7bffd1ba1b81 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
    #60 0x7bffd1bc2c6a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1168:16
    #61 0x7bffd1bcbe69 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
    #62 0x7bffd32fc82e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #63 0x7bffd31db5e4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
    #64 0x7bffd31db5e4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
    #65 0x7bffd31db5e4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
    #66 0x7bffdcc15c46 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
    #67 0x7bffdcdf8b7b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
    #68 0x7bffdee672fd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:20
    #69 0x7bffd31db5e4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
    #70 0x7bffd31db5e4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
    #71 0x7bffd31db5e4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
    #72 0x7bffdee6624c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:594:34
    #73 0x55555570871a in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:465:22
Flags: in-testsuite?
Crash Signature: [@ nsIFrame::HasAnyStateBits ]
See Also: → 1982701

Unable to reproduce bug 2014331 using build mozilla-central 20260203210813-62b991cbf350. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Duplicate of this bug: 2014401

Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f1c75460dbfd79bbb1bb34da66b8470993e41fd9&tochange=b967fdc6fff3b5ee0aa58fefd18df0f66f793b28

--> Regression from bug 2011709

We've got at least one site known to trigger this (reported in dupe bug 2014401).

Tentatively triaging as S2 given that it's a crash and we got two reports of this within a day of the regressor landing, suggesting this will be easy for web content to trigger. Probably good to stomp on this quickly.

Severity: -- → S2
Flags: needinfo?(emilio)
Keywords: regression
Regressed by: 2011709

Copying crash signatures from duplicate bugs.

Crash Signature: [@ nsIFrame::HasAnyStateBits ] → [@ nsIFrame::HasAnyStateBits ] [@ nsIFrame::CorrectStyleParentFrame]

Set release status flags based on info from the regressing bug 2011709

Depends on: 2014922

They are, in fact, real elements inside the select shadow tree.

This makes this code-path behave properly, since we otherwise assume that pseudo-elements are NAC:

https://searchfox.org/firefox-main/rev/286e75a82e5c489d020d18121674809ebf114ae4/layout/generic/nsIFrame.cpp#11312-11316

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/57603 for changes under testing/web-platform/tests
Pushed by nfay@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/bc03d0c635de https://hg.mozilla.org/integration/autoland/rev/e4baee76ac10 Revert "Bug 2014331 - New select pseudo-elements should be element-backed. r=layout-reviewers,dholbert" for causing backout conflict @ pseudo_elements.toml with Bug 2014922
Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Status: ASSIGNED → RESOLVED
Closed: 13 hours ago
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch