Open Bug 1845417 Opened 1 year ago Updated 1 year ago

Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:164

Categories

(Core :: Layout, defect)

Tracking Status
firefox117 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco)

Attachments

(1 file)

Found while fuzzing m-c 20230715-1e09c6aabfcd (--enable-debug --enable-fuzzing)

A reduced test case is not available. A Pernosco session is available here: https://pernos.co/debug/6cr6oIKUlZ7YNa_Teg_gYQ/index.html

Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:164

#0 0x7fae2b54e312 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:163:3
#1 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#2 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#3 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#4 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#5 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#6 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#7 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#8 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#9 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#10 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#11 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#12 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#13 0x7fae2b54e22a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:178:7
#14 0x7fae2b4dce37 in mozilla::PresShell::CaptureHistoryState(nsILayoutHistoryState**) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3946:22
#15 0x7fae2cc1ccb3 in nsDocShell::PersistLayoutHistoryState() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:12145:23
#16 0x7fae2cbf4b59 in nsDocShell::Destroy() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:4552:3
#17 0x7fae2d064370 in nsWebBrowser::SetDocShell(nsDocShell*) /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:1143:18
#18 0x7fae2d063912 in nsWebBrowser::InternalDestroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:175:3
#19 0x7fae2d067a1c in Destroy /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:868:3
#20 0x7fae2d067a1c in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp
#21 0x7fae2a7ffc89 in mozilla::dom::BrowserChild::DestroyWindow() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:759:31
#22 0x7fae2a80ff60 in mozilla::dom::BrowserChild::RecvDestroy() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2465:3
#23 0x7fae2a93dcdf in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:7092:80
#24 0x7fae2a9c9310 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8671:32
#25 0x7fae2679d59f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#26 0x7fae2679a2f2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#27 0x7fae2679af72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#28 0x7fae2679c0bf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#29 0x7fae25ad9cd7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#30 0x7fae25ad1863 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#31 0x7fae25ad00b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#32 0x7fae25ad0515 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#33 0x7fae25adda69 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#34 0x7fae25adda69 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#35 0x7fae25af420a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#36 0x7fae25afb06d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#37 0x7fae2ae2e739 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3109:29)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#38 0x7fae2ae2e739 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3108:10
#39 0x7fae288b5e5a in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1663:24
#40 0x7fae28e2f748 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3327:13
#41 0x7fae2d667284 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#42 0x7fae2d666b9d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#43 0x7fae2d67b916 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#44 0x7fae2d67b916 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#45 0x7fae2d6660f2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#46 0x7fae2d666bb9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#47 0x7fae2d66805d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#48 0x7fae2d753364 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#49 0x7fae28c40e0d in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
#50 0x7fae278a26e3 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#51 0x7fae278a2483 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29
#52 0x7fae275338dd in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6298:38
#53 0x7fae2789eee7 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:879:44
#54 0x7fae2789decb in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
#55 0x7fae278a0659 in Notify /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:246:5
#56 0x7fae278a0659 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp
#57 0x7fae25ae71b2 in operator() /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:44
#58 0x7fae25ae71b2 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#59 0x7fae25ae71b2 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#60 0x7fae25ae71b2 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#61 0x7fae25ae71b2 in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#62 0x7fae25ae71b2 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:673:22
#63 0x7fae25ae6349 in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:476:11
#64 0x7fae25b0bd40 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
#65 0x7fae25b08781 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
#66 0x7fae25ad9cd7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#67 0x7fae25ad1863 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#68 0x7fae25ad00b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#69 0x7fae25ad0515 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#70 0x7fae25adda69 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#71 0x7fae25adda69 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#72 0x7fae25af420a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#73 0x7fae25afb06d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#74 0x7fae267a34b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#75 0x7fae266be3d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#76 0x7fae266be3d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#77 0x7fae2b0f5188 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#78 0x7fae2d4259ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#79 0x7fae267a43e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#80 0x7fae266be3d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#81 0x7fae266be3d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#82 0x7fae2d4251fc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#83 0x555ad7a27566 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#84 0x555ad7a27566 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#85 0x7fae39a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#86 0x7fae39a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#87 0x555ad79fe808 in _start (/home/user/workspace/browsers/m-c-20230724160807-fuzzing-debug/firefox-bin+0x58808) (BuildId: eb265df4a615b60c9ab0623b656a711ed09203ed)
Attached file frametree.txt (deleted)

We try to get the oof frame from a placeholder frame, but it's null. Here is the frame tree.

Looks like this will be a null-deref if we proceed past the assertion (and reach the call to aFrame->ChildLists()).

Presumably non-exploitable; triaging as S3.

Severity: -- → S3
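The failure mode the two comments above describe, modelled as an added example. This is not Gecko code and not taken from this bug's attachment: the Frame and State types, the captureFrameState and captureFrameStateGuarded functions, and the three-frame tree are all constructed for the illustration. The unguarded version mirrors the recursion pattern in the stack above: a placeholder frame whose out-of-flow frame is null makes the function call itself with a null aFrame, which is what the parameter assertion catches in a debug build and what would dereference null in a release build where MOZ_ASSERT compiles out. The guarded version shows the fail-safe of skipping a missing out-of-flow frame rather than recursing into it; whether that, or fixing why the placeholder lost its out-of-flow frame, is the right fix for Gecko is not something this page establishes.

```cpp
// Hypothetical, simplified model of the recursive frame-state capture in
// this bug. Not Gecko code: every name below is invented for the example.
#include <cassert>
#include <cstdio>
#include <vector>

struct State {
    int captured = 0;   // number of frames whose state was "captured"
};

struct Frame {
    bool isPlaceholder = false;
    Frame* outOfFlow = nullptr;      // only meaningful for placeholders
    std::vector<Frame*> children;
};

// Stand-in for the "nullptr != aFrame && nullptr != aState" assertion at
// the top of the real function. In a debug build that assertion aborts;
// in a release build it compiles out and the next line dereferences null.
static bool checkParams(const Frame* aFrame, const State* aState) {
    return aFrame != nullptr && aState != nullptr;
}

// Unguarded version: a placeholder whose out-of-flow frame is null makes
// the recursion call itself with aFrame == nullptr. Returns false instead
// of crashing so the example can report the failure.
bool captureFrameState(Frame* aFrame, State* aState) {
    if (!checkParams(aFrame, aState)) {
        return false;   // where the debug assertion fires / release null-derefs
    }
    aState->captured++;
    if (aFrame->isPlaceholder) {
        // Recurse into the out-of-flow frame without checking it exists.
        if (!captureFrameState(aFrame->outOfFlow, aState)) return false;
    }
    for (Frame* child : aFrame->children) {
        if (!captureFrameState(child, aState)) return false;
    }
    return true;
}

// Guarded version: skip a missing out-of-flow frame instead of recursing
// into null, so the remaining tree is still captured.
bool captureFrameStateGuarded(Frame* aFrame, State* aState) {
    if (!checkParams(aFrame, aState)) return false;
    aState->captured++;
    if (aFrame->isPlaceholder && aFrame->outOfFlow != nullptr) {
        if (!captureFrameStateGuarded(aFrame->outOfFlow, aState)) return false;
    }
    for (Frame* child : aFrame->children) {
        if (!captureFrameStateGuarded(child, aState)) return false;
    }
    return true;
}

// Constructed frame tree (not the one in the attachment):
// root -> block -> placeholder whose out-of-flow frame is null.
struct Tree {
    Frame root, block, placeholder;
    Tree() {
        placeholder.isPlaceholder = true;   // outOfFlow stays nullptr
        block.children.push_back(&placeholder);
        root.children.push_back(&block);
    }
};

// Small wrappers so the outcomes can be checked by name.
bool unguardedSucceeds() { Tree t; State s; return captureFrameState(&t.root, &s); }
int  unguardedCaptured() { Tree t; State s; captureFrameState(&t.root, &s); return s.captured; }
bool guardedSucceeds()   { Tree t; State s; return captureFrameStateGuarded(&t.root, &s); }
int  guardedCaptured()   { Tree t; State s; captureFrameStateGuarded(&t.root, &s); return s.captured; }

int main() {
    std::printf("unguarded: ok=%d captured=%d\n", (int)unguardedSucceeds(), unguardedCaptured());
    std::printf("guarded:   ok=%d captured=%d\n", (int)guardedSucceeds(), guardedCaptured());
    return 0;
}
```

Both versions visit root, block and placeholder (three frames); the unguarded one then fails on the null out-of-flow frame, the guarded one finishes cleanly. The point for triage is that a debug-only assertion is a detector, not a mitigation: the release build reaches the same null pointer and crashes, which is why the comment above reads it as a null-deref rather than a harmless assert.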
