Closed Bug 1807944 Opened 2 years ago Closed 2 years ago

Crash [@ MemoryAccess] or [@ nsPresContext::Document ] with fuzzer testcase that uses container queries

Categories

(Core :: Layout, defect)

x86_64
Linux
defect

VERIFIED DUPLICATE of bug 1797752

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev c5ddc463e9f8 (built with: --enable-fuzzing --enable-thread-sanitizer).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c5ddc463e9f8 --fuzzing --tsan -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ MemoryAccess]

    ==24827==ERROR: ThreadSanitizer: SEGV on unknown address (pc 0x56395b0dc920 bp 0x000000000000 sp 0x7fffea25a018 T24827)
    ==24827==The signal is caused by a READ memory access.
    ==24827==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 MemoryAccess /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_rtl_access.cpp:435:3 (firefox-bin+0x12a920) (BuildId: cd7b53b22adc0a4c07e332ff99a25bb61082b6fa)
        #1 __tsan_read8 /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interface.inc:34:3 (firefox-bin+0x12a920)
        #2 get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 (libxul.so+0x95a5ea6) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #3 operator mozilla::dom::Document * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12 (libxul.so+0x95a5ea6)
        #4 Document /layout/base/nsPresContext.h:264:12 (libxul.so+0x95a5ea6)
        #5 nsPresContext::IsChrome() const /layout/base/nsPresContext.cpp:415:10 (libxul.so+0x95a5ea6)
        #6 FindTopLevelPresContext /layout/base/GeometryUtils.cpp:236:24 (libxul.so+0x94bd9b7) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #7 mozilla::CheckFramesInSameTopLevelBrowsingContext(nsIFrame*, nsIFrame*, mozilla::dom::CallerType) /layout/base/GeometryUtils.cpp:258:39 (libxul.so+0x94bd9b7)
        #8 mozilla::GetBoxQuads(nsINode*, mozilla::dom::BoxQuadOptions const&, nsTArray<RefPtr<mozilla::dom::DOMQuad>>&, mozilla::dom::CallerType, mozilla::ErrorResult&) /layout/base/GeometryUtils.cpp:293:8 (libxul.so+0x94bd656) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #9 nsINode::GetBoxQuads(mozilla::dom::BoxQuadOptions const&, nsTArray<RefPtr<mozilla::dom::DOMQuad>>&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1325:3 (libxul.so+0x5e92de4) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #10 mozilla::dom::Element_Binding::getBoxQuads(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:9748:24 (libxul.so+0x6dbb7f9) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #11 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13 (libxul.so+0x7058e24) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #12 CallJSNative /js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xbe217cb) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12 (libxul.so+0xbe217cb)
        #14 InternalCall /js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe178dc) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #15 CallFromStack /js/src/vm/Interpreter.cpp:619:10 (libxul.so+0xbe178dc)
        #16 Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3379:16 (libxul.so+0xbe178dc)
        #17 js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xbe0abbf) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #18 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xbe218a0) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #19 InternalCall /js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe22553) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #20 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xbe22553)
        #21 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xbeb6d1b) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #22 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8 (libxul.so+0x6d89f37) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #23 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x76a3cd8) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #24 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1308:43 (libxul.so+0x76a3cd8)
        #25 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1504:17 (libxul.so+0x76a4ad2) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #26 HandleEvent /dom/events/EventListenerManager.h:395:5 (libxul.so+0x76997a2) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #27 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17 (libxul.so+0x76997a2)
        #28 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16 (libxul.so+0x7698b74) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #29 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11 (libxul.so+0x769b89b) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #30 nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1079:7 (libxul.so+0x955c4a1) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #31 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6447:20 (libxul.so+0xb2fc1ba) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #32 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5840:7 (libxul.so+0xb2fba39) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #33 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp (libxul.so+0xb2fca0b) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #34 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1380:3 (libxul.so+0x51ca42e) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #35 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x51c9b1f) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #36 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:797:9 (libxul.so+0x51c7ab6) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #37 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5 (libxul.so+0x51c8ee9) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #38 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13864:23 (libxul.so+0xb31ab3e) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #39 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp (libxul.so+0xb31ad68) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #40 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:628:22 (libxul.so+0x440f010) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #41 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10 (libxul.so+0x44106c2) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #42 DoUnblockOnload /dom/base/Document.cpp:11551:18 (libxul.so+0x5ccd820) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #43 mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11489:9 (libxul.so+0x5ccd820)
        #44 mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8016:3 (libxul.so+0x5ce0b6d) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #45 applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12 (libxul.so+0x5d5a879) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #46 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12 (libxul.so+0x5d5a879)
        #47 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13 (libxul.so+0x5d5a879)
        #48 mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x41fa4ef) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #49 mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16 (libxul.so+0x4206d1f) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #50 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26 (libxul.so+0x420031d) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #51 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15 (libxul.so+0x41fe896) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #52 mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36 (libxul.so+0x41fec70) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #53 operator() /xpcom/threads/TaskController.cpp:188:37 (libxul.so+0x42096d7) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #54 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5 (libxul.so+0x42096d7)
        #55 nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1197:16 (libxul.so+0x421fe70) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #56 NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:476:10 (libxul.so+0x4226a16) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #57 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f029fb) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #58 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4f0352b) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #59 RunInternal /ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e1ea37) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #60 RunHandler /ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e1ea37)
        #61 MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e1ea37)
        #62 nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x90c1ba6) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #63 XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:743:20 (libxul.so+0xbbb5a9c) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #64 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4f034dd) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #65 RunInternal /ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e1ea37) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #66 RunHandler /ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e1ea37)
        #67 MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e1ea37)
        #68 XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:676:34 (libxul.so+0xbbb56e9) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #69 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xbbbf952) (BuildId: 614260e33a84a85624c96b82bef37716a8ef615e)
        #70 content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x142d03) (BuildId: cd7b53b22adc0a4c07e332ff99a25bb61082b6fa)
        #71 main /browser/app/nsBrowserApp.cpp:359:18 (firefox-bin+0x142d03)
        #72 __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 (libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
        #73 __libc_start_main csu/../csu/libc-start.c:392:3 (libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
        #74 _start <null> (firefox-bin+0x94588) (BuildId: cd7b53b22adc0a4c07e332ff99a25bb61082b6fa)
    
    ThreadSanitizer can not provide additional info.
    SUMMARY: ThreadSanitizer: SEGV /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_rtl_access.cpp:435:3 in MemoryAccess
    ==24827==ABORTING
Attached file Testcase
Component: DOM: Core & HTML → Layout
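An added triage helper, not code from the bug or the Firefox tree, that parses a ThreadSanitizer SEGV report like the one above: it skips the sanitizer-runtime frames (MemoryAccess, __tsan_read8) and the inlined RefPtr accessor frames, so the first remaining frame is the nsPresContext::Document accessor that the Nightly signature in the later comments lands on. The skip rules and the trimmed sample report are this example's own assumptions, not Socorro's real signature rules.

```python
"""Triage helper for ThreadSanitizer SEGV reports like the one above: parse the
frames, skip sanitizer-runtime and inlined RefPtr frames, build a signature."""
import re

SKIP_FUNC_PREFIXES = ("MemoryAccess", "__tsan_", "__asan_")  # instrumentation frames
SKIP_FILE_SUFFIXES = ("/mozilla/RefPtr.h",)                   # inlined smart-pointer accessors
FRAME_RE = re.compile(  # '#N func file:line:col (module+0xoff)'; func may contain spaces
    r"^\s*#(?P<idx>\d+)\s+(?P<func>.+?)\s+(?P<file>\S+?)(?::(?P<line>\d+)(?::\d+)?)?"
    r"\s+\((?P<module>[^()+\s]+)\+0x(?P<off>[0-9a-f]+)\)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
HINT_RE = re.compile(r"Hint: (?P<hint>[^.(]+)")

# Constructed sample: header and first eight frames of this bug's report, BuildIds dropped.
SAMPLE_REPORT = """\
==24827==ERROR: ThreadSanitizer: SEGV on unknown address (pc 0x56395b0dc920 bp 0x000000000000 sp 0x7fffea25a018 T24827)
==24827==The signal is caused by a READ memory access.
==24827==Hint: this fault was caused by a dereference of a high value address (see register values below).
    #0 MemoryAccess /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_rtl_access.cpp:435:3 (firefox-bin+0x12a920)
    #1 __tsan_read8 /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interface.inc:34:3 (firefox-bin+0x12a920)
    #2 get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 (libxul.so+0x95a5ea6)
    #3 operator mozilla::dom::Document * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12 (libxul.so+0x95a5ea6)
    #4 Document /layout/base/nsPresContext.h:264:12 (libxul.so+0x95a5ea6)
    #5 nsPresContext::IsChrome() const /layout/base/nsPresContext.cpp:415:10 (libxul.so+0x95a5ea6)
    #6 FindTopLevelPresContext /layout/base/GeometryUtils.cpp:236:24 (libxul.so+0x94bd9b7)
    #7 mozilla::CheckFramesInSameTopLevelBrowsingContext(nsIFrame*, nsIFrame*, mozilla::dom::CallerType) /layout/base/GeometryUtils.cpp:258:39 (libxul.so+0x94bd9b7)
"""


def parse_frames(report):
    """Every symbolized frame line as a dict, in stack order (top frame first)."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append({"func": m["func"], "file": m["file"], "module": m["module"],
                           "line": int(m["line"]) if m["line"] else None,
                           "offset": int(m["off"], 16)})
    return frames


def triage(report, depth=3):
    """Access kind, hint, raw top frame, first non-skipped frame and a depth-frame signature."""
    frames = parse_frames(report)
    kept = [f for f in frames if not f["func"].startswith(SKIP_FUNC_PREFIXES)
            and not f["file"].endswith(SKIP_FILE_SUFFIXES)]
    acc, hint = ACCESS_RE.search(report), HINT_RE.search(report)
    return {"access": acc["access"] if acc else None,
            "hint": hint["hint"].strip() if hint else None,
            "raw_top": frames[0]["func"] if frames else None,
            "crash_site": kept[0] if kept else None,
            "signature": " | ".join(f["func"] for f in kept[:depth])}
```

Calling triage(SAMPLE_REPORT) reports MemoryAccess as the raw top frame but the nsPresContext.h Document accessor as the crash site, which is why the two signatures on this bug name the same fault.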

FWIW in Nightly this actually crashes with signature [@ nsPresContext::Document ]. (MemoryAccess seems to be some TSAN-build-specific tripwire that gets tripped inside of the nsPresContext::Document call here.)

--> Updating crash signature.

Two crashes from my local Nightly, loading the testcase in a fresh profile just now:
bp-b44bf7f3-f584-4507-b990-679cb0221229
bp-fa52c821-d45d-49bc-b010-fbc070221229

Crash Signature: [@ MemoryAccess] → [@ MemoryAccess] [@ nsPresContext::Document ]
Summary: Crash [@ MemoryAccess] → Crash [@ MemoryAccess] or [@ nsPresContext::Document ] with fuzzer testcase that uses container queries

I happened to have bug 1797752's patch applied in a local debug build (from taking a look at it locally before Oriol got to the review before I did), and I noticed that I can't repro the crash in my debug build with that patch (but I do crash if I unapply the patch).

Maybe this is fixed by bug 1797752?

--> S3 given this hasn't shipped yet and might be already fixed (comment 4)

jkratzer, would you mind retesting in a day or so after bug 1797752 has merged to mozilla-central and see if you can still repro?

Severity: -- → S3
Depends on: 1797752
Flags: needinfo?(jkratzer)

Verified bug as reproducible on mozilla-central 20221229092636-c5ddc463e9f8.
The bug appears to have been introduced in the following build range:

Start: b1fa33ea226963e423b24648aef55f814fbb3648 (20221223200034)
End: dfbd00b278b023a3f187d55d8caf245f6a057ce4 (20221223222547)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b1fa33ea226963e423b24648aef55f814fbb3648&tochange=dfbd00b278b023a3f187d55d8caf245f6a057ce4

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20221229092636-c5ddc463e9f8) but not with tip (mozilla-central 20221230213139-0254637cfb2f).

The bug appears to have been fixed in the following build range:

Start: 9b5c52e4d5ce3d83895213c0f5ffcdce5c46d220 (20221229085942)
End: d3dd3b74e57bf40acc0373cf07e5ca4713cea70e (20221229201843)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9b5c52e4d5ce3d83895213c0f5ffcdce5c46d220&tochange=d3dd3b74e57bf40acc0373cf07e5ca4713cea70e

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1797752
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Flags: needinfo?(jkratzer)
