2017-05-24 09:41 UTC

ID: 0013253
Project: CentOS-6
Category: firefox
View Status: public
Last Update: 2017-05-17 07:50
Reporter: peak
Priority: normal
Severity: crash
Reproducibility: sometimes
Status: new
Resolution: open
Platform: i686
Product Version: 6.9
Summary: 0013253: Firefox crashes in mozilla::PseudoElementForStyleContext
Description: I have been using firefox-52.1.0-2.el6.centos.i686 to browse the web recently, and I have experienced a streak of segfaults occurring at the same point of code, namely at libxul.so + 0x167aa27 (see log messages below), which is the following instruction in mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType):

=> 0x029a3a27 <+24>: testb $0x4,-0xafd918(%ebx,%edx,4)

corresponding to kPseudoElementFlags[size_t(aType)] from inlined nsCSSPseudoElements::PseudoElementHasFlags / PseudoElementSupportsStyleAttribute (see full disassembly below).

The problem lies in the use of edx: only the lowest 8 bits (dl) are used to pass the argument from the caller and the rest is undefined (see the disassembly of one piece of code calling the offending function below).

To be honest, I suspect this is actually a compiler bug affecting Firefox rather than a Firefox bug.
Steps To Reproduce: <https://arstechnica.com/gaming/2017/04/fan-project-makes-2d-breath-of-the-wild-prototype-a-reality/> appears to crash FF quite reliably. The crash occurred on other pages randomly, perhaps it was triggered by ads.
Additional Information: Logged segfaults:

May 12 23:07:24 xxx kernel: Web Content[17645]: segfault at 8bc812e0 ip 0259da27 sp bfe47380 error 4 in libxul.so[f23000+35c5000]
May 12 23:10:24 xxx kernel: Web Content[18206]: segfault at 9fa80ae0 ip 02665a27 sp bfa782c0 error 4 in libxul.so[feb000+35c5000]
May 12 23:28:39 xxx kernel: Web Content[18509]: segfault at 8ef65ae0 ip 028cda27 sp bffdb010 error 4 in libxul.so[1253000+35c5000]
May 12 23:31:56 xxx kernel: Web Content[18665]: segfault at 8ec376e0 ip 029a3a27 sp bfaf15f0 error 4 in libxul.so[1329000+35c5000]
May 12 23:32:19 xxx kernel: Web Content[19126]: segfault at a2bf6ae0 ip 02918a27 sp bfe0c310 error 4 in libxul.so[129e000+35c5000]
May 13 13:29:47 xxx kernel: Web Content[19162]: segfault at 8d1fb2e0 ip 02881a27 sp bfafd930 error 4 in libxul.so[1207000+35c5000]
May 13 14:09:31 xxx kernel: Web Content[21982]: segfault at 949bd6e0 ip 02122a27 sp bf913b70 error 4 in libxul.so[aa8000+35c5000]
May 13 15:29:41 xxx kernel: Web Content[22059]: segfault at 762186e0 ip 028d4a27 sp bfae0e60 error 4 in libxul.so[125a000+35c5000]

Disassembly of mozilla::PseudoElementForStyleContext:

   0x029a3a0f <+0>: cmp $0x17,%dl
   0x029a3a12 <+3>: ja 0x29a3a4b <mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType)+60>
   0x029a3a14 <+5>: push %esi
   0x029a3a15 <+6>: mov %eax,%esi
   0x029a3a17 <+8>: push %ebx
   0x029a3a18 <+9>: call 0x134d2bd <__x86.get_pc_thunk.bx>
   0x029a3a1d <+14>: add $0x1f4b5b7,%ebx
   0x029a3a23 <+20>: lea -0x14(%esp),%esp
=> 0x029a3a27 <+24>: testb $0x4,-0xafd918(%ebx,%edx,4)
   0x029a3a2f <+32>: jne 0x29a3a41 <mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType)+50>
   0x029a3a31 <+34>: mov %dl,(%esp)
   0x029a3a34 <+37>: call 0x29116fa <nsCSSPseudoElements::PseudoElementSupportsUserActionState(nsCSSPseudoElements::Type)>
   0x029a3a39 <+42>: test %al,%al
   0x029a3a3b <+44>: jne 0x29a3a41 <mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType)+50>
   0x029a3a3d <+46>: xor %eax,%eax
   0x029a3a3f <+48>: jmp 0x29a3a44 <mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType)+53>
   0x029a3a41 <+50>: mov 0x14(%esi),%eax
   0x029a3a44 <+53>: lea 0x14(%esp),%esp
   0x029a3a48 <+57>: pop %ebx
   0x029a3a49 <+58>: pop %esi
   0x029a3a4a <+59>: ret
   0x029a3a4b <+60>: xor %eax,%eax
   0x029a3a4d <+62>: ret

Disassembly of the part of mozilla::ElementRestyler::RestyleSelf calling PseudoElementForStyleContext:

   0x029bfecb <+2627>: mov %edi,(%esp)
   0x029bfece <+2630>: mov %eax,0x4(%esp)
   0x029bfed2 <+2634>: call 0x2972af4 <RefPtr<nsStyleContext>::assign_with_AddRef(nsStyleContext*)>
   0x029bfed7 <+2639>: jmp 0x29bf5e9 <mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, uint32_t*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&)+353>
   0x029bfedc <+2644>: mov -0x98(%ebp),%dl
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
   0x029bfee2 <+2650>: mov 0xc(%ebp),%eax
   0x029bfee5 <+2653>: call 0x29a3a0f <mozilla::PseudoElementForStyleContext(nsIFrame*, mozilla::CSSPseudoElementType)>
=> 0x029bfeea <+2658>: mov %eax,0x14(%esp)
   0x029bfeee <+2662>: mov -0x94(%ebp),%eax
   0x029bfef4 <+2668>: mov %eax,0x10(%esp)
   0x029bfef8 <+2672>: mov -0x98(%ebp),%al
Tags: No tags attached.
Attached Files
  • ff52-pseudoelement-crash.patch (682 bytes) 2017-05-16 20:15
    --- firefox-52.1.0esr/layout/style/nsCSSPseudoElements.h.old	2017-04-11 04:13:10.000000000 +0200
    +++ firefox-52.1.0esr/layout/style/nsCSSPseudoElements.h	2017-05-15 23:27:57.470258443 +0200
    @@ -109,7 +109,8 @@
     
       // Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64037 ,
       // which is a general gcc bug that we seem to have hit only on Android/x86.
    -#if defined(ANDROID) && defined(__i386__) && defined(__GNUC__) && \
    +  // ...and CentOS 6/x86
    +#if defined(__i386__) && defined(__GNUC__) && \
         !defined(__clang__)
     #if (MOZ_GCC_VERSION_AT_LEAST(4,8,0) && MOZ_GCC_VERSION_AT_MOST(4,8,4)) || \
         (MOZ_GCC_VERSION_AT_LEAST(4,9,0) && MOZ_GCC_VERSION_AT_MOST(4,9,2))
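Review bot: the hunk leaves the sentence "which is a general gcc bug that we seem to have hit only on Android/x86" in place and merely appends "// ...and CentOS 6/x86" below it, while the new #if no longer names any platform, so the comment now contradicts the condition it documents. Since the guard is now purely compiler-based (i386, GCC 4.8.0-4.8.4 or 4.9.0-4.9.2, not clang), rewrite the comment to say that, for example "Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64037, a general gcc bug seen on Android/x86 and CentOS 6/x86; apply the noinline workaround on every affected i386 GCC build", rather than accumulating distribution names. The widening itself matches the evidence in the report (the caller loads only %dl, the callee indexes with the full %edx), and the disassembly plus the 4.8.2 version note would make a good attachment to Mozilla bug 1273048 if this is proposed upstream.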
    

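The figure "libxul.so + 0x167aa27" in the description is the crash site expressed relative to the library's mapping base, which is what makes the eight ASLR-randomised instruction pointers in the kernel log comparable. The following script is an added example, not part of the report or of Firefox: it parses lines in the exact shape the kernel printed above (four of them embedded as constructed sample input), subtracts the "[base+size]" base from ip to get the module-relative offset, groups crashes by that offset, and also records whether the faulting data address lies inside the module mapping. The decoding of the "error 4" value as the x86 page-fault error-code bits (bit 0 protection violation, bit 1 write, bit 2 user mode) is standard kernel behaviour and is assumed here.

```python
"""Triage kernel segfault log lines: turn ASLR-randomised instruction pointers into
module-relative offsets so repeated crashes at one code location can be recognised."""
import re
from collections import defaultdict

# Constructed sample input: four of the kernel lines quoted in the report
# (hostname masked as "xxx", as in the page).
SAMPLE_LOG = """\
May 12 23:07:24 xxx kernel: Web Content[17645]: segfault at 8bc812e0 ip 0259da27 sp bfe47380 error 4 in libxul.so[f23000+35c5000]
May 12 23:10:24 xxx kernel: Web Content[18206]: segfault at 9fa80ae0 ip 02665a27 sp bfa782c0 error 4 in libxul.so[feb000+35c5000]
May 12 23:28:39 xxx kernel: Web Content[18509]: segfault at 8ef65ae0 ip 028cda27 sp bffdb010 error 4 in libxul.so[1253000+35c5000]
May 12 23:31:56 xxx kernel: Web Content[18665]: segfault at 8ec376e0 ip 029a3a27 sp bfaf15f0 error 4 in libxul.so[1329000+35c5000]
"""

# Shape of the x86 Linux kernel "segfault at" message: fault address, ip and sp in hex,
# the page-fault error code in decimal, then "module[base+size]" in hex.
SEGFAULT_RE = re.compile(
    r"kernel: (?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<module>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """Decode the x86 page-fault error code bits the kernel prints after 'error' (assumed standard layout)."""
    return {
        "protection_violation": bool(code & 1),  # 0 = page not present, 1 = protection fault
        "write": bool(code & 2),                  # 0 = read access, 1 = write access
        "user_mode": bool(code & 4),              # 1 = fault raised from user mode
    }


def parse_segfault(line):
    """Return a dict describing one segfault line, or None if the line is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    base, size = int(g["base"], 16), int(g["size"], 16)
    ip, addr = int(g["ip"], 16), int(g["addr"], 16)
    return {
        "comm": g["comm"],
        "pid": int(g["pid"]),
        "module": g["module"],
        "ip": ip,
        "fault_addr": addr,
        "offset": ip - base,                            # module-relative ip, stable across ASLR
        "ip_in_module": base <= ip < base + size,
        "fault_in_module": base <= addr < base + size,  # False for a wild table index far from the library
        "error": decode_error(int(g["err"])),
    }


def group_by_offset(log_text):
    """Map (module, offset) -> list of PIDs that crashed at that module-relative offset."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_segfault(line)
        if rec is not None and rec["ip_in_module"]:
            groups[(rec["module"], rec["offset"])].append(rec["pid"])
    return dict(groups)


if __name__ == "__main__":
    for (module, offset), pids in group_by_offset(SAMPLE_LOG).items():
        print(f"{module} + {offset:#x}: {len(pids)} crashes, pids {pids}")
```

Run on the sample, every line collapses to libxul.so + 0x167aa27, the offset the reporter named, and every faulting data address falls outside the libxul.so mapping, which is what one expects when the upper 24 bits of the index register are garbage rather than the program dereferencing something inside the library. The same grouping over a longer log would separate a recurring miscompile like this one from unrelated one-off crashes.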

Notes

~0029275

peak (reporter)

Yes, it is a compiler bug. A known compiler bug that is already known to affect FF under certain conditions. The following comment appears before the definition of PseudoElementHasFlags in layout/style/nsCSSPseudoElements.h:

  // Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64037 ,
  // which is a general gcc bug that we seem to have hit only on Android/x86.

and the function gets __attribute__((noinline)) on Android/x86.

~0029288

peak (reporter)

1. The corresponding Mozilla bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1273048
2. FF is built with bundled GCC 4.8.2 and this is one of the GCC versions known to produce broken code.
3. The code in question was compiled correctly and FF stopped crashing when defined(ANDROID) was removed from the #ifdef before PseudoElementHasFlags (see the attached patch).

Issue History
Date Modified Username Field Change
2017-05-13 14:34 peak New Issue
2017-05-13 21:45 peak Note Added: 0029275
2017-05-16 20:15 peak File Added: ff52-pseudoelement-crash.patch
2017-05-16 20:15 peak Note Added: 0029288