Closed Bug 821360 Opened 12 years ago Closed 6 years ago

Crash in nsRuleNode

Categories

(Core :: CSS Parsing and Computation, defect)

x86
macOS
defect
Not set
critical


RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Unassigned)

Details

(4 keywords, Whiteboard: testcase in bug 762280)

While regressing the fix for bug #762280, we ran into a different crash. The ASan log is below.

Use the bug files provided from the related bug #762280 to recreate this crash.

This was reproduced with an ASan build, built from trunk 2012-12-12.


###!!! ABORT: negative lengths and percents should be rejected by parser: 'sizeValue->IsCalcUnit()', file /Users/mwobensmith/asan_moz_central/layout/style/nsRuleNode.cpp, line 2920
ASAN:SIGSEGV
=================================================================
==883== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x00010274272f sp 0x7fff5fbe7a60 bp 0x7fff5fbe7a70 T0)
AddressSanitizer can not provide additional info.
    #0 0x10274272e in mozalloc_abort mozalloc_abort.cpp:23
    #1 0x109c2e5e5 in Abort nsDebugImpl.cpp:423
    #2 0x109c2dea7 in NS_DebugBreak_P nsDebugImpl.cpp:410
    #3 0x106123809 in nsRuleNode::SetFontSize nsRuleNode.cpp:2918
    #4 0x106127657 in nsRuleNode::SetFont nsRuleNode.cpp:3285
    #5 0x1060d85ea in nsRuleNode::ComputeFontData nsRuleNode.cpp:3540
    #6 0x1060d673d in nsRuleNode::WalkRuleTree nsStyleStructList.h:47
    #7 0x1060d7f5f in nsRuleNode::ComputeFontData nsStyleStructList.h:47
    #8 0x1060d673d in nsRuleNode::WalkRuleTree nsStyleStructList.h:47
    #9 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #10 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #11 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #12 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #13 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #14 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #15 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #16 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #17 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #18 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #19 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
    #20 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
    #21 0x10612fdd9 in nsRuleNode::GetStyleFont nsStyleStructList.h:47
    #22 0x105b48b67 in nsLayoutUtils::GetFontMetricsForStyleContext nsStyleStructList.h:47
    #23 0x105dfa1e8 in nsHTMLReflowState::CalcLineHeight nsHTMLReflowState.cpp:2389
    #24 0x105ce77e1 in nsBlockReflowState::nsBlockReflowState nsBlockReflowState.cpp:113
    #25 0x105ce6aa1 in nsBlockReflowState::nsBlockReflowState nsBlockReflowState.cpp:114
    #26 0x105ca547f in nsBlockFrame::Reflow nsBlockFrame.cpp:994
    #27 0x105d78225 in nsFrame::BoxReflow nsFrame.cpp:8034
    #28 0x105d767fa in nsFrame::RefreshSizeCache nsFrame.cpp:7584
    #29 0x105d78baf in nsFrame::GetPrefSize nsFrame.cpp:7661
    #30 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
    #31 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
    #32 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
    #33 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
    #34 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
    #35 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
    #36 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
    #37 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
    #38 0x10628a98c in nsStackLayout::GetPrefSize nsStackLayout.cpp:69
    #39 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
    #40 0x106285709 in nsSprocketLayout::PopulateBoxSizes nsSprocketLayout.cpp:737
    #41 0x10627dc1a in nsSprocketLayout::Layout nsSprocketLayout.cpp:215
    #42 0x106276795 in nsBoxFrame::DoLayout nsBoxFrame.cpp:900
    #43 0x10626fb90 in nsIFrame::Layout nsBox.cpp:510
    #44 0x10627a86b in nsBoxFrame::LayoutChildAt nsBoxFrame.cpp:1928
    #45 0x105f4150c in nsVideoFrame::Reflow nsVideoFrame.cpp:296
    #46 0x105e3707a in nsLineLayout::ReflowFrame nsLineLayout.cpp:840
    #47 0x105cc84c8 in nsBlockFrame::ReflowInlineFrame nsBlockFrame.cpp:3723
    #48 0x105cc6262 in nsBlockFrame::DoReflowInlineFrames nsBlockFrame.cpp:3520
    #49 0x105cc15a9 in nsBlockFrame::ReflowInlineFrames nsBlockFrame.cpp:3374
    #50 0x105caf54e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:1998
    #51 0x105ca58f7 in nsBlockFrame::Reflow nsBlockFrame.cpp:1041
    #52 0x105ce4eb4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
    #53 0x105cbe1b4 in nsBlockFrame::ReflowBlockFrame nsBlockFrame.cpp:3099
    #54 0x105caf54e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:1998
    #55 0x105ca58f7 in nsBlockFrame::Reflow nsBlockFrame.cpp:1041
    #56 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
    #57 0x105de22e1 in nsCanvasFrame::Reflow nsCanvasFrame.cpp:472
    #58 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
    #59 0x105dad4e9 in nsHTMLScrollFrame::ReflowScrolledFrame nsGfxScrollFrame.cpp:433
    #60 0x105dadd22 in nsHTMLScrollFrame::ReflowContents nsGfxScrollFrame.cpp:533
    #61 0x105db0ec1 in nsHTMLScrollFrame::Reflow nsGfxScrollFrame.cpp:774
    #62 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
    #63 0x105f2c593 in ViewportFrame::Reflow nsViewportFrame.cpp:202
    #64 0x105ba0e9e in PresShell::DoReflow nsPresShell.cpp:7554
    #65 0x105bb69aa in PresShell::ProcessReflowCommands nsPresShell.cpp:7695
    #66 0x105bb5d14 in PresShell::FlushPendingNotifications nsPresShell.cpp:3907
    #67 0x105bb4e97 in PresShell::FlushPendingNotifications nsPresShell.cpp:3757
    #68 0x10655541f in nsDocument::FlushPendingNotifications nsDocument.cpp:6099
    #69 0x1065ea39a in mozilla::dom::Element::GetScrollFrame Element.cpp:1630
    #70 0x1065eb240 in mozilla::dom::Element::GetClientAreaRect Element.cpp:633
    #71 0x1098f451e in mozilla::dom::ElementBinding::get_clientWidth Element.h:677
    #72 0x1098f1ead in mozilla::dom::ElementBinding::genericGetter ElementBinding.cpp:1623
    #73 0x10b2a77fa in js::CallJSNative, JS::CallArgs const&) jscntxtinlines.h:364
    #74 0x10b29810a in js::InvokeKernel jsinterp.cpp:382
    #75 0x10b299a3d in js::Invoke jsinterp.h:112
    #76 0x10b29af00 in js::InvokeGetterOrSetter jsinterp.cpp:510
    #77 0x10b33fc3e in js::Shape::get jsscopeinlines.h:295
    #78 0x10b326f26 in js_NativeGetInline jsobj.cpp:4208
    #79 0x10b3280df in js_GetPropertyHelperInline Root.h:706
    #80 0x10b3c29d7 in js::DirectProxyHandler::get jsobjinlines.h:173
    #81 0x10b5a0a83 in js::Wrapper::get jswrapper.cpp:268
    #82 0x10b3e30d1 in js::Proxy::get jsproxy.cpp:2353
    #83 0x10b3e7ad8 in proxy_GetGeneric jsproxy.cpp:2619
    #84 0x10b2b3acb in js::GetPropertyGenericMaybeCallXML jsobjinlines.h:170
    #85 0x10b2a9c96 in js::GetPropertyOperation jsinterpinlines.h:286
    #86 0x10b276cec in js::Interpret jsinterp.cpp:2227
    #87 0x10b873f20 in js::mjit::EnterMethodJIT MethodJIT.cpp:1066
    #88 0x10b874d42 in CheckStackAndEnterMethodJIT MethodJIT.cpp:1097
    #89 0x10b87490b in js::mjit::JaegerShot MethodJIT.cpp:1115
    #90 0x10b26ec09 in js::RunScript jsinterp.cpp:343
    #91 0x10b298024 in js::InvokeKernel jsinterp.cpp:404
    #92 0x10b299a3d in js::Invoke jsinterp.h:112
    #93 0x10b0b099e in JS_CallFunctionValue jsapi.cpp:5789
    #94 0x106ff2413 in nsXBLProtoImplAnonymousMethod::Execute nsXBLProtoImplMethod.cpp:330
    #95 0x10702630e in nsBindingManager::ProcessAttachedQueue nsBindingManager.cpp:1004
    #96 0x105bb5afe in PresShell::FlushPendingNotifications nsPresShell.cpp:3882
    #97 0x105bfbfd1 in nsRefreshDriver::Tick nsRefreshDriver.cpp:877
    #98 0x105c00931 in mozilla::RefreshDriverTimer::Tick nsRefreshDriver.cpp:164
    #99 0x109c1bdbe in nsTimerImpl::Fire nsTimerImpl.cpp:482
    #100 0x109c1c95e in nsTimerEvent::Run nsTimerImpl.cpp:565
    #101 0x109c09f3e in nsThread::ProcessNextEvent nsThread.cpp:627
    #102 0x109af8918 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:171
    #103 0x109013f1e in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
    #104 0x108f57b0c in nsAppShell::ProcessGeckoEvents nsAppShell.mm:387
    #105 0x7fff91b4e100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #106 0x7fff91b4da24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #107 0x7fff91b70dc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #108 0x7fff91b706b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #109 0x7fff8b5140a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #110 0x7fff8b513d83 in ReceiveNextEventCommon (in HIToolbox) + 165
    #111 0x7fff8b513cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #112 0x7fff8d811612 in _DPSNextEvent (in AppKit) + 684
    #113 0x7fff8d810ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #114 0x108f55bd7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:164
    #115 0x7fff8d808282 in -[NSApplication run] (in AppKit) + 516
    #116 0x108f588a9 in nsAppShell::Run nsAppShell.mm:741
    #117 0x10887b2b0 in nsAppStartup::Run nsAppStartup.cpp:291
    #118 0x1050c56ae in XREMain::XRE_mainRun nsAppRunner.cpp:3824
    #119 0x1050c6cdc in XREMain::XRE_main nsAppRunner.cpp:3891
    #120 0x1050c76ca in XRE_main nsAppRunner.cpp:4089
    #121 0x10000294f in main nsBrowserApp.cpp:174
    #122 0x100001553 in start (in firefox-bin) + 51
    #123 0x0 in 0x0000000100000000 (in firefox-bin)
Stats: 918M malloced (761M for red zones) by 1301900 calls
Stats: 118M realloced by 51626 calls
Stats: 843M freed by 1067789 calls
Stats: 711M really freed by 722662 calls
Stats: 860M (220301 full pages) mmaped in 199 calls
  mmaps   by size class: 8:524256; 9:90101; 10:24570; 11:18423; 12:7168; 13:3584; 14:1792; 15:1920; 16:1408; 17:1312; 18:64; 19:48; 20:24; 21:18; 22:7; 23:7; 24:3;
  mallocs by size class: 8:983250; 9:162680; 10:64109; 11:49856; 12:16763; 13:10532; 14:4987; 15:4661; 16:2496; 17:2231; 18:151; 19:90; 20:41; 21:25; 22:13; 23:9; 24:6;
  frees   by size class: 8:790756; 9:137172; 10:55162; 11:46746; 12:14831; 13:9440; 14:4582; 15:4454; 16:2164; 17:2200; 18:124; 19:73; 20:35; 21:23; 22:13; 23:8; 24:6;
  rfrees  by size class: 8:502841; 9:101422; 10:46980; 11:41539; 12:10784; 13:7647; 14:4058; 15:3877; 16:1215; 17:2040; 18:114; 19:63; 20:34; 21:23; 22:12; 23:8; 24:5;
Stats: malloc large: 2655 small slow: 8246
Component: DOM → Style System (CSS)
Keywords: crash, csec-dos, testcase
Whiteboard: testcase in bug 762280
Group: core-security
Keywords: sec-other
Fwiw, the testcase in bug 762280 no longer asserts (on Linux).
nsRuleNode is gone so it's not worth tracking these signatures anymore.
Please file new bugs as appropriate.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE