Closed Bug 1747851 Opened 3 years ago Closed 2 years ago

crash near null in [@ nsIFrame::SetNextSibling]

Categories

(Core :: Layout, defect)

Tracking

RESOLVED DUPLICATE of bug 1789934
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- unaffected
firefox96 --- unaffected
firefox97 --- wontfix
firefox98 --- wontfix

People

(Reporter: tsmith, Assigned: jwatt)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20211227-827b488113ac (--enable-address-sanitizer --enable-fuzzing)

The attached testcase requires a fuzzing build because it makes use of window.printPreview().

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
==12762==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f214b0258c8 bp 0x7ffcf5e1def0 sp 0x7ffcf5e1def0 T0)
==12762==The signal is caused by a READ memory access.
==12762==Hint: address points to the zero page.
    #0 0x7f214b0258c8 in nsIFrame::SetNextSibling(nsIFrame*) /gecko/layout/generic/nsIFrame.h:1736:9
    #1 0x7f214b025745 in nsFrameList::RemoveFrame(nsIFrame*) /gecko/layout/generic/nsFrameList.cpp:80:18
    #2 0x7f214b025a1d in nsFrameList::DestroyFrame(nsIFrame*) /gecko/layout/generic/nsFrameList.cpp:119:3
    #3 0x7f214ae6a34b in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7639:5
    #4 0x7f214ae5e617 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:8612:7
    #5 0x7f214ae6b894 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp
    #6 0x7f214ae5e5c2 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:8601:16
    #7 0x7f214adf66f0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1546:25
    #8 0x7f214adff384 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3099:9
    #9 0x7f214adc5c86 in ProcessPendingRestyles /gecko/layout/base/RestyleManager.cpp:3178:3
    #10 0x7f214adc5c86 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4258:39
    #11 0x7f2145dbe0ce in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1450:5
    #12 0x7f2145dbe0ce in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10746:16
    #13 0x7f214adcadd3 in mozilla::PresShell::ReconstructFrames() /gecko/layout/base/PresShell.cpp:4549:14
    #14 0x7f214b649b45 in nsPrintJob::ReconstructAndReflow(bool) /gecko/layout/printing/nsPrintJob.cpp:1085:16
    #15 0x7f214b647581 in nsPrintJob::SetupToPrintContent() /gecko/layout/printing/nsPrintJob.cpp:1170:19
    #16 0x7f214b64ee8c in DocumentReadyForPrinting /gecko/layout/printing/nsPrintJob.cpp:942:17
    #17 0x7f214b64ee8c in nsPrintJob::FinishPrintPreview() /gecko/layout/printing/nsPrintJob.cpp:2467:8
    #18 0x7f214b64e821 in nsPrintJob::MaybeResumePrintAfterResourcesLoaded(bool) /gecko/layout/printing/nsPrintJob.cpp:1450:10
    #19 0x7f214b64f5d2 in nsPrintJob::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/layout/printing/nsPrintJob.cpp:1471:5
    #20 0x7f2144b8f340 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1377:3
    #21 0x7f2144b8d765 in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1340:14
    #22 0x7f2144b8d8d0 in nsDocLoader::doStopURLLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:936:3
    #23 0x7f2144b8c7ed in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:645:3
    #24 0x7f214e84c5fb in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13540:23
    #25 0x7f21428b92ee in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #26 0x7f21428b7f76 in mozilla::net::nsLoadGroup::Cancel(nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:240:11
    #27 0x7f2144b8943d in nsDocLoader::Stop() /gecko/uriloader/base/nsDocLoader.cpp:258:36
    #28 0x7f214e7b7ba3 in Stop /gecko/docshell/base/nsDocShell.h:185:25
    #29 0x7f214e7b7ba3 in nsDocShell::Stop(unsigned int) /gecko/docshell/base/nsDocShell.cpp:4196:5
    #30 0x7f214e7dc0dc in nsDocShell::Destroy() /gecko/docshell/base/nsDocShell.cpp:4447:3
    #31 0x7f214ee8cddd in nsWebBrowser::SetDocShell(nsDocShell*) /gecko/toolkit/components/browser/nsWebBrowser.cpp:1123:18
    #32 0x7f214ee8c24c in nsWebBrowser::InternalDestroy() /gecko/toolkit/components/browser/nsWebBrowser.cpp:176:3
    #33 0x7f214ee9169c in Destroy /gecko/toolkit/components/browser/nsWebBrowser.cpp:856:3
    #34 0x7f214ee9169c in non-virtual thunk to nsWebBrowser::Destroy() /gecko/toolkit/components/browser/nsWebBrowser.cpp
    #35 0x7f2149eff0d0 in mozilla::dom::BrowserChild::DestroyWindow() /gecko/dom/ipc/BrowserChild.cpp:900:31
    #36 0x7f2149f173fc in mozilla::dom::BrowserChild::RecvDestroy() /gecko/dom/ipc/BrowserChild.cpp:2621:3
    #37 0x7f214479dd77 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:6619:56
    #38 0x7f2143cdfca2 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8249:32
    #39 0x7f2143a68899 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2043:25
    #40 0x7f2143a65798 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1968:9
    #41 0x7f2143a66fb2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1827:3
    #42 0x7f2143a679c7 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1855:14
    #43 0x7f214256cdc2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
    #44 0x7f214253200d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
    #45 0x7f214252f568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
    #46 0x7f214252fc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
    #47 0x7f2142576751 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #48 0x7f2142576751 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #49 0x7f2142552537 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1183:16
    #50 0x7f214255db9c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #51 0x7f2143a7122f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #52 0x7f21438f0721 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #53 0x7f21438f0721 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #54 0x7f21438f0721 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #55 0x7f214a801137 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #56 0x7f214f471cdf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #57 0x7f21438f0721 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #58 0x7f21438f0721 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #59 0x7f21438f0721 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #60 0x7f214f470f12 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #61 0x55eaeed6e08d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x55eaeed6e4b8 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #63 0x7f21668f80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #64 0x55eaeecbd159 in _start (/home/worker/builds/m-c-20211227095553-fuzzing-asan-opt/firefox+0x5d159)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211228212943-da44efee8b93.
The bug appears to have been introduced in the following build range:

Start: e8c61e20953952b1c6727143e249656e9ef87cb2 (20211216135031)
End: 9896c12c490709e214030cd99f598e1ffa0076de (20211216153418)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e8c61e20953952b1c6727143e249656e9ef87cb2&tochange=9896c12c490709e214030cd99f598e1ffa0076de

Whiteboard: [bugmon:bisected,confirmed]

jwatt, maybe you could take a look here? Something going wrong during printing.

Flags: needinfo?(jwatt)

Will do. Presumably this is a regression from bug 1745452.

Assignee: nobody → jwatt
Flags: needinfo?(jwatt)
Regressed by: 1745452
Has Regression Range: --- → yes

The IsSafeToFlush() call in PresShell::DoFlushPendingNotifications doesn't protect us since PresShell::mIsDestroying hasn't been set to true yet. We should really be aborting out of nsPrintJob::OnStateChange much earlier than that though if aStatus==NS_BINDING_ABORTED.
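The teardown ordering jwatt describes above, as an added example that is not Gecko code and is not part of this bug: a toy C++ model in which the load-group cancel notifies the print job with NS_BINDING_ABORTED before the pres shell has flagged itself as destroying, so IsSafeToFlush() does not stop the reflow. The `mAbortOnBindingAborted` switch, the two counters, the `mTearingDown` flag and the constant values are assumptions of the model; the Gecko names are only echoed for orientation.

```cpp
// Added example (not Gecko code): toy model of the nsDocShell::Destroy ->
// Stop -> loadgroup Cancel -> nsPrintJob::OnStateChange -> ReconstructFrames
// ordering from the stack trace. Everything here is a simplification.
#include <cstdint>
#include <cstdio>

namespace toy {

using nsresult = uint32_t;
// Constructed values for the model; only their distinctness matters here.
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_BINDING_ABORTED = 0x804B0002;
constexpr uint32_t STATE_STOP = 0x10;

struct PresShell {
  bool mIsDestroying = false;  // set late in teardown, so the guard below
                               // does not fire during the window we care about
  bool mTearingDown = false;   // model-only: "the docshell is being destroyed"
  int layoutRuns = 0;          // model-only: every reflow that ran
  int unsafeLayoutRuns = 0;    // model-only: reflows that ran while tearing down
                               // (the null nsIFrame deref in the report)

  bool IsSafeToFlush() const { return !mIsDestroying; }

  // Stands in for ReconstructFrames() -> DoFlushPendingNotifications(). The
  // real code walks a half-torn-down frame tree here; the model just counts.
  void ReconstructFrames() {
    if (!IsSafeToFlush()) return;
    ++layoutRuns;
    if (mTearingDown) ++unsafeLayoutRuns;
  }
};

struct PrintJob {
  PresShell* mShell;
  bool mAbortOnBindingAborted;  // false = behaviour in the report, true = fix

  // Stands in for nsPrintJob::OnStateChange(). The fix proposed in the
  // comment above is the early return on aStatus == NS_BINDING_ABORTED.
  void OnStateChange(uint32_t aStateFlags, nsresult aStatus) {
    if (!(aStateFlags & STATE_STOP)) return;
    if (mAbortOnBindingAborted && aStatus == NS_BINDING_ABORTED) return;
    // MaybeResumePrintAfterResourcesLoaded -> FinishPrintPreview ->
    // ReconstructAndReflow, collapsed into one call.
    mShell->ReconstructFrames();
  }
};

struct DocShell {
  PresShell mShell;
  PrintJob mJob;

  explicit DocShell(bool fixed) : mJob{&mShell, fixed} {}

  // Stands in for nsDocShell::Destroy(): Stop() cancels the load group, which
  // notifies the print job with NS_BINDING_ABORTED *before* the pres shell is
  // marked as destroying. That ordering is why IsSafeToFlush() cannot help.
  void Destroy() {
    mShell.mTearingDown = true;
    mJob.OnStateChange(STATE_STOP, NS_BINDING_ABORTED);  // fired from Stop()
    mShell.mIsDestroying = true;                         // too late for the guard
  }
};

// Runs one teardown and returns how many reflows happened during it.
int UnsafeLayoutRunsDuringTeardown(bool fixed) {
  DocShell shell(fixed);
  shell.Destroy();
  return shell.mShell.unsafeLayoutRuns;
}

// A normal (non-aborted) stop must still reach layout with the fix in place,
// i.e. the early return does not break the ordinary print-preview path.
int LayoutRunsOnNormalStop(bool fixed) {
  DocShell shell(fixed);
  shell.mJob.OnStateChange(STATE_STOP, NS_OK);
  return shell.mShell.layoutRuns;
}

}  // namespace toy

int main() {
  std::printf("unfixed: %d unsafe reflow(s) during teardown\n",
              toy::UnsafeLayoutRunsDuringTeardown(false));
  std::printf("fixed:   %d unsafe reflow(s) during teardown\n",
              toy::UnsafeLayoutRunsDuringTeardown(true));
  std::printf("fixed, normal stop: %d reflow(s)\n",
              toy::LayoutRunsOnNormalStop(true));
  return 0;
}
```

The point the model makes is the one in the comment: a "destroying" flag that is set after the notification has already been delivered is the wrong signal to guard on, whereas the status carried by the notification itself (NS_BINDING_ABORTED) is available at the top of the handler.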

Set release status flags based on info from the regressing bug 1745452

Attachment #9257937 - Attachment description: Bug 1747851 - Don't attempt layout in nsPrintJob during teardown. r=emilio → Bug 1747851 - Don't attempt layout in nsPrintJob during teardown. r=dholbert

Set release status flags based on info from the regressing bug 1745452

Crash Signature: [@ nsIFrame::SetNextSibling]

[ran across this when triaging Layout S2 bugs today -- toggling ni=jwatt as a reminder to circle back to address review feedback & get this landed when possible - thanks!]

Flags: needinfo?(jwatt)

Downgrading to S3 given zero crash volume (and given that this is a safe nullptr-deref crash).

Still worth fixing, but doesn't feel S2-worthy in terms of user impact.

Severity: S2 → S3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211227095553-827b488113ac) but not with tip (mozilla-central 20220923212151-12300304d394).

The bug appears to have been fixed in the following build range:

Start: 543465fff7edeccd6ae56d6213f728dade6ca4a8 (20220919210524)
End: 5ede133066a3470a3e84989691d6b55b4858e5c7 (20220919235246)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=543465fff7edeccd6ae56d6213f728dade6ca4a8&tochange=5ede133066a3470a3e84989691d6b55b4858e5c7

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

In the pushlog, only Bug 1789934 touches frame reconstruction, so I bet this bug is a dup of it.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jwatt)
Resolution: --- → DUPLICATE