Open
Bug 1707633
Opened 4 years ago
Updated 3 years ago
AddressSanitizer: SEGV /gecko/layout/generic/nsIFrame.h:2363:59 in HasAnyStateBits
Categories
(Core :: Layout: Columns, defect)
Core
Layout: Columns
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox90 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 289e41464376 (built with --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 289e41464376 --asan --fuzzing -n mc-asan
$ python -m grizzly.replay --xvfb ./mc-asan/firefox ./testcase.html
==2633176==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000059 (pc 0x7f458d9ac2c6 bp 0x7ffd0edc8370 sp 0x7ffd0edc82a0 T0)
==2633176==The signal is caused by a READ memory access.
==2633176==Hint: address points to the zero page.
#0 0x7f458d9ac2c6 in HasAnyStateBits /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:2363:59
#1 0x7f458d9ac2c6 in IsFloating /builds/worker/checkouts/gecko/layout/generic/nsIFrameInlines.h:55:10
#2 0x7f458d9ac2c6 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/checkouts/gecko/layout/generic/nsPlaceholderFrame.cpp:78:24
#3 0x7f458d765a9f in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:806:16
#4 0x7f458d6b4f94 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp
#5 0x7f458d6b87bc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5061:10
#6 0x7f458d7fd0e4 in nsFlexContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5657:28
#7 0x7f458d7fd310 in nsFlexContainerFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5690:15
#8 0x7f458d6b4f94 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp
#9 0x7f458d6b87bc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5061:10
#10 0x7f458d7fd0e4 in nsFlexContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5657:28
#11 0x7f458d7fd310 in nsFlexContainerFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5690:15
#12 0x7f458d6b4f94 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp
#13 0x7f458d6b87bc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5061:10
#14 0x7f458d9ac345 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/checkouts/gecko/layout/generic/nsPlaceholderFrame.cpp:79:26
#15 0x7f458d765a9f in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:806:16
#16 0x7f458d7ae6f1 in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:437:35
#17 0x7f458d716b85 in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/ColumnSetWrapperFrame.cpp:181:34
#18 0x7f458d7c7141 in ShrinkWidthToFit /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6460:22
#19 0x7f458d7c7141 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:917:11
#20 0x7f458d7d7b35 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6093:7
#21 0x7f458d7e148e in nsFlexContainerFrame::ResolveAutoFlexBasisAndMinSize(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1683:54
#22 0x7f458d7de6f5 in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1530:3
#23 0x7f458d7f0090 in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4111:7
#24 0x7f458d7f5ade in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5017:3
#25 0x7f458d7f3a80 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4540:5
#26 0x7f458d7c764f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
#27 0x7f458d7a6947 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:818:7
#28 0x7f458d7c764f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
#29 0x7f458d83a9ae in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
#30 0x7f458d83c30c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
#31 0x7f458d842328 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
#32 0x7f458d7c7d96 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1041:14
#33 0x7f458d75b320 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:372:7
#34 0x7f458d5a02c4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9597:11
#35 0x7f458d5b1237 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9768:24
#36 0x7f458d5afa9d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4245:11
#37 0x7f458d540e2e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1406:5
#38 0x7f458d540e2e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2216:20
#39 0x7f458d54cd85 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
#40 0x7f458d54cd85 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
#41 0x7f458d54caed in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
#42 0x7f458d54bff1 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
#43 0x7f458d54bff1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
#44 0x7f458d54b5ad in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
#45 0x7f458d54ad31 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
#46 0x7f458c7a8bc7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#47 0x7f45872cfc8c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#48 0x7f4586f5c622 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#49 0x7f45869f53ba in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2152:25
#50 0x7f45869f1a6e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2076:9
#51 0x7f45869f3428 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
#52 0x7f45869f3f8b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
#53 0x7f45857daf8a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
#54 0x7f45857a74f0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
#55 0x7f45857a5027 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
#56 0x7f45857a547d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
#57 0x7f45857e4071 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#58 0x7f45857e4071 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
#59 0x7f45857c2163 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#60 0x7f45857cd0ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#61 0x7f45869fccef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#62 0x7f4586907541 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#63 0x7f4586907541 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#64 0x7f4586907541 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#65 0x7f458d070317 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#66 0x7f4590b8358f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
#67 0x7f4586907541 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#68 0x7f4586907541 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#69 0x7f4586907541 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#70 0x7f4590b82e1f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
#71 0x55cc3371320d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#72 0x55cc33713631 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
#73 0x7f45a5e490b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:2363:59 in HasAnyStateBits
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210426213158-6f8320a4798f.
The bug appears to have been introduced in the following build range:
Start: 416a44f9c59de1a40b59717e3ee33d1b4677b32e (20200908012258)
End: 90bf9d8e0b52a8dbd137a0bf7f5d57d81cc3eb80 (20200908060020)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=416a44f9c59de1a40b59717e3ee33d1b4677b32e&tochange=90bf9d8e0b52a8dbd137a0bf7f5d57d81cc3eb80
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 2•4 years ago
|
||
I got a crash from the testcase: https://crash-stats.mozilla.org/report/index/1bc59b0a-ceef-4a16-95ba-227730210427#tab-bugzilla
Crash Signature: [@ nsFrameManager::CaptureFrameState ]
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Component: Layout → Layout: Columns
|
||
Updated•4 years ago
|
|
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis
The bug appears to have been fixed in the following build range:
Start: 735ba5802dabbe739a1f6ede60ec052bd17a5008 (20210622000835)
End: 064d1e04ff9f5ddac8fe0889f84106489e15ce13 (20210622024419)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=735ba5802dabbe739a1f6ede60ec052bd17a5008&tochange=064d1e04ff9f5ddac8fe0889f84106489e15ce13
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Blocks: asan-maintenance
You need to log in
before you can comment on or make changes to this bug.
Description
•