Closed Bug 1767364 Opened 3 years ago Closed 3 years ago

crash near null in [@ nsCSSFrameConstructor::ReplicateFixedFrames]

Categories

(Core :: Layout, defect)

defect

Tracking

()

VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- verified

People

(Reporter: tsmith, Assigned: dshin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(5 files)

Attached file testcase.html

Found while fuzzing m-c 20220429-6921abcd7429 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==9520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f06c4ab1afd bp 0x7fff5edd7430 sp 0x7fff5edd7080 T0)
==9520==The signal is caused by a READ memory access.
==9520==Hint: address points to the zero page.
    #0 0x7f06c4ab1afd in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f06c4ab1afd in operator mozilla::ComputedStyle * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
    #2 0x7f06c4ab1afd in Style /gecko/layout/generic/nsIFrame.h:802:41
    #3 0x7f06c4ab1afd in nsCSSFrameConstructor::ReplicateFixedFrames(nsPageContentFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:8292:50
    #4 0x7f06c4e10669 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageContentFrame.cpp:41:56
    #5 0x7f06c4bbda34 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1045:14
    #6 0x7f06c4e14a7d in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /gecko/layout/generic/nsPageFrame.cpp:146:3
    #7 0x7f06c4e152f4 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageFrame.cpp:169:13
    #8 0x7f06c4c06ced in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #9 0x7f06c4b7e3cd in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/PrintedSheetFrame.cpp:132:5
    #10 0x7f06c4bbda34 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1045:14
    #11 0x7f06c4e1c93d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageSequenceFrame.cpp:370:5
    #12 0x7f06c4c06ced in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #13 0x7f06c4c05474 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:791:7
    #14 0x7f06c4c06ced in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #15 0x7f06c4c9267e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:838:3
    #16 0x7f06c4c93f98 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:974:3
    #17 0x7f06c4c9a5b4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1396:3
    #18 0x7f06c4bbda34 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1045:14
    #19 0x7f06c4bbd069 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:374:7
    #20 0x7f06c49f5005 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9610:11
    #21 0x7f06c4a07857 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9781:24
    #22 0x7f06c4a05ba7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4359:11
    #23 0x7f06c5280a6a in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1598:14
    #24 0x7f06c527f31e in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1160:3
    #25 0x7f06c5278785 in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1200:5
    #26 0x7f06c5274f69 in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document*) /gecko/layout/printing/nsPrintJob.cpp:604:3
    #27 0x7f06c5273813 in nsPrintJob::CommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document*) /gecko/layout/printing/nsPrintJob.cpp:449:17
    #28 0x7f06c5278db2 in nsPrintJob::PrintPreview(mozilla::dom::Document*, nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /gecko/layout/printing/nsPrintJob.cpp:632:7
    #29 0x7f06c4ad6126 in nsDocumentViewer::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /gecko/layout/base/nsDocumentViewer.cpp:2979:18
    #30 0x7f06beeaf595 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5314:33
    #31 0x7f06bee48cd1 in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowInner.cpp:3869:3
    #32 0x7f06c07a8e4c in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3199:59
    #33 0x7f06c0ff5e5b in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3270:13
    #34 0x7f06cafbaa44 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:420:13
    #35 0x7f06cafbaa44 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:507:12
    #36 0x7f06cafa7b7d in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
    #37 0x7f06cafa7b7d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:578:10
    #38 0x7f06cafa7b7d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3314:16
    #39 0x7f06caf8c471 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
    #40 0x7f06cafbab7f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
    #41 0x7f06cafbc70a in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
    #42 0x7f06cafbc70a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
    #43 0x7f06c970769d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #44 0x7f06c05822b1 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:836:8
    #45 0x7f06befb5718 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:692:12
    #46 0x7f06bf1d2f6e in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:705:12
    #47 0x7f06bf1d2f6e in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /gecko/dom/base/IdleRequest.cpp:61:13
    #48 0x7f06bee203bf in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /gecko/dom/base/nsGlobalWindowInner.cpp:740:12
    #49 0x7f06bee1ec52 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /gecko/dom/base/nsGlobalWindowInner.cpp:768:3
    #50 0x7f06bee1e994 in IdleRequestExecutor::Run() /gecko/dom/base/nsGlobalWindowInner.cpp:609:13
    #51 0x7f06bc0778c2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
    #52 0x7f06bc03e5f5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:780:26
    #53 0x7f06bc03bac5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:654:15
    #54 0x7f06bc03bed0 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
    #55 0x7f06bc083e51 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #56 0x7f06bc083e51 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #57 0x7f06bc05e6d7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
    #58 0x7f06bc0683ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #59 0x7f06bd75e6bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #60 0x7f06bd5d96f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #61 0x7f06bd5d96f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #62 0x7f06bd5d96f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #63 0x7f06c441e287 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #64 0x7f06c92b292f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
    #65 0x7f06bd5d96f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #66 0x7f06bd5d96f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #67 0x7f06bd5d96f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #68 0x7f06c92b1adb in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:729:34
    #69 0x55e23695bbad in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #70 0x55e23695bfe0 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #71 0x7f06e1bb70b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #72 0x55e23689bff9 in _start (/home/worker/builds/m-c-20220429215525-fuzzing-asan-opt/firefox+0x5eff9) (BuildId: 1a4e259c652584a9bdd8c94f9179ad7e68004dbe)
Flags: in-testsuite?
Crash Signature: [@ nsCSSFrameConstructor::ReplicateFixedFrames ]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220502213947-a8ce86cf670a.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 17594d43a3dc47a85f56a98b744405c6cfe55cbf (20210504033521)
End: 6921abcd74295e0b89a234508b730d1ad245456c (20220429215525)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

David, maybe you could take a look at this when you've got a chance? See the pernosco link in comment 1, for debugging -- this would be a good opportunity to learn how to use Pernosco. :)

Flags: needinfo?(dshin)
Assignee: nobody → dshin
Flags: needinfo?(dshin)

The ultimate root cause is still under investigation, but the attached patch does prevent the crash (Although the behaviour is likely incorrect).

Attached file table_assert.html

This I believe points to the ultimate root cause - note that in print preview, the entire <td> element goes missing.
In fact, dumping the frame tree indicates that we somehow lose the entirety of <tbody> element. in case of the fixed div crash, in the reflow of the last page, it tries to refer to its principal frame for styling and runs into null deref since the parent is deleted.

Here's what seems to be happening with the assert, with attachment 9278525 [details]:

In the first page's reflow:

  • thead, due to being empty, flows fine
  • table reflow puts tbody into its overflow list, since it can't be placed due to the first page break and there is no next-in-flow.
  • The enclosing div's reflow creates a continuation for table, which sets the original table's next-in-flow
  • First page break, one from break-before: page in div, pushes the original table and the continuation table into its overflow lines list

Second page:

  • tbody correctly drains from overflow on table's reflow.
  • Again, thead, due to being empty, flows fine, tbody can't due to the second page break
  • table reflow puts tbody element to the continuation table, instead of its own overflow list, since now it has next-in-flow
  • Second page break, one from break-before: page in table, pushes the original table and the continuation table into its overflow lines list again

Third page:

  • First table is now consisting of thead only. There is no page break either - this will place.
  • Since the original table's reflow completed, its next-in-flow (i.e. The continuation table) gets deleted, along with tbody.
Attachment #9279445 - Attachment description: Bug 1767364: Return reflow incomplete for tables if it has next-in-flow with `tbody` children. r=dholbert → Bug 1767364: Return an incomplete reflow status for tables if they have next-in-flow with previously unflowed children. r=dholbert
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/17ea9064fd53 Return an incomplete reflow status for tables if they have next-in-flow with previously unflowed children. r=dholbert

:dshin, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dshin)
Has Regression Range: --- → irrelevant
Flags: needinfo?(dshin)

Even if the regression range exists, I did not find any change in code related to the root cause. Likely just surfaced the issue.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220610213450-46d8ba611632.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:dshin, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox102 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(dshin)

Don't think this needs to be uplifted.
Even if this is a crash issue, the combination of factors involved (Multiple page breaks of ancestors leading up to the table + empty first row group + fixed div in a row group + need to print the page) seems rare.
I don't believe this to be a regression, either.

Flags: needinfo?(dshin)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: