Closed Bug 1674913 Opened 5 years ago Closed 5 years ago

Assertion failure: false (item should have finite clip with respect to aASR), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3000

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1654315

People

(Reporter: hdir.yassine, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

8f32651f2456c5b8.zip
30.07 KB, application/x-zip-compressed
Details
Attached file 8f32651f2456c5b8.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce:

bug found while fuzzing DOM

Name: Firefox
Version: 84.0a1
Build ID: 20201028092421
Distribution ID:
Update Channel: default
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
OS: Linux 5.4.0-52-generic #57~18.04.1-Ubuntu SMP Thu Oct 15 14:04:49 UTC 2020
Multiprocess Windows: 1/1
Fission Windows: 0/1 Disabled by default
Remote Processes: 4
Enterprise Policies: Inactive
Google Location Service Key: Missing
Google Safebrowsing Key: Missing
Mozilla Location Service Key: Missing
Safe Mode: false

Actual results:

=================================================================
==21657==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd0bc43b601 bp 0x7ffc253456b0 sp 0x7ffc25345690 T0)
==21657==The signal is caused by a WRITE memory access.
==21657==Hint: address points to the zero page.
#0 0x7fd0bc43b601 in nsDisplayItem::GetClipWithRespectToASR(nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3000:3
#1 0x7fd0bc379756 in nsDisplayList::GetClippedBoundsWithRespectToASR(nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*, nsRect*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2128:35
#2 0x7fd0bc49941f in nsDisplayTransform::UpdateUntransformedBounds(nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8354:33
#3 0x7fd0bc49941f in nsDisplayTransform::UpdateBounds(nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8309:3
#4 0x7fd0bc4d386d in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:533:15
#5 0x7fd0bc3952a3 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:486:9
#6 0x7fd0bc393d27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:840:31
#7 0x7fd0bc4d32b8 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:517:37
#8 0x7fd0bc3952a3 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:486:9
#9 0x7fd0bc393d27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:840:31
#10 0x7fd0bc4d32b8 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:517:37
#11 0x7fd0bc3952a3 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:486:9
#12 0x7fd0bc393d27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:840:31
#13 0x7fd0bc4d32b8 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:517:37
#14 0x7fd0bc3952a3 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:486:9
#15 0x7fd0bc393d27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:840:31
#16 0x7fd0bc4d32b8 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:517:37
#17 0x7fd0bc3952a3 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:486:9
#18 0x7fd0bc393d27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:840:31
#19 0x7fd0bc39d84d in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1500:7
#20 0x7fd0bb8b8010 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3327:40
#21 0x7fd0bb71d08f in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6360:5
#22 0x7fd0bad7bc59 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
#23 0x7fd0bad7ab43 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
#24 0x7fd0bad801bd in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
#25 0x7fd0bb653258 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2382:11
#26 0x7fd0bb6696c0 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#27 0x7fd0bb6696c0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#28 0x7fd0bb669429 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#29 0x7fd0bb667d06 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
#30 0x7fd0bb667d06 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
#31 0x7fd0bb6666b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
#32 0x7fd0bb6656e7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
#33 0x7fd0bc246756 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#34 0x7fd0b0e40fc2 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#35 0x7fd0b0890460 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
#36 0x7fd0b00ecbf9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
#37 0x7fd0b00e2ee2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
#38 0x7fd0b00e64eb in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
#39 0x7fd0b00e819c in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
#40 0x7fd0ae82d52d in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
#41 0x7fd0ae8284b2 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
#42 0x7fd0ae82586b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
#43 0x7fd0ae825eb5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
#44 0x7fd0ae8387f6 in mozilla::TaskController::InitializeInternal()::$_3::operator()() const /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
#45 0x7fd0ae8387f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#46 0x7fd0ae86a34e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#47 0x7fd0ae87d4c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#48 0x7fd0b00fafa3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#49 0x7fd0b00fc8f5 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:270:30
#50 0x7fd0aff7f770 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#51 0x7fd0aff7f3ac in MessageLoop::RunHandler() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#52 0x7fd0aff7f3ac in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#53 0x7fd0bae6f7ca in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#54 0x7fd0bf6b6f5e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#55 0x7fd0b00fc7f2 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#56 0x7fd0aff7f770 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#57 0x7fd0aff7f3ac in MessageLoop::RunHandler() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#58 0x7fd0aff7f3ac in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#59 0x7fd0bf6b6319 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#60 0x7fd0bf6ce3a0 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12
#61 0x55dffb411088 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#62 0x55dffb411088 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#63 0x7fd0d47150b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#64 0x55dffb363e12 in _start (/home/valentino/code/browsers/firefox/firefox+0x65e12)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3000:3 in nsDisplayItem::GetClipWithRespectToASR(nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*) const
==21657==ABORTING

Blocks: grizzly
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Component: Untriaged → Web Painting
Product: Firefox → Core
Resolution: --- → DUPLICATE
Version: 56 Branch → unspecified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: