(Hidden by Administrator)
Bug 1533891 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Testcase found while fuzzing mozilla-central rev 54ed5eac2abc. Assertion failure: IsResolved() (Resolve() must be called first), at /builds/worker/workspace/build/src/layout/style/nsStyleStruct.h:239 ``` rax = 0x00005578171f0e40 rdx = 0x0000000000000000 rcx = 0x00007f1211d88f3c rbx = 0x00007f1201e781e0 rsi = 0x00007f121e8608b0 rdi = 0x00007f121e85f680 rbp = 0x00007ffc69c24be0 rsp = 0x00007ffc69c24bd0 r8 = 0x00007f121e8608b0 r9 = 0x00007f121f9bd740 r10 = 0x0000000000000000 r11 = 0x0000000000000000 r12 = 0x00007f1201e994d8 r13 = 0x00007f1201e70300 r14 = 0x0000000000000000 r15 = 0x00007ffc69c24c10 rip = 0x00007f120e621e14 OS|Linux|0.0.0 Linux 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 CPU|amd64|family 6 model 94 stepping 3|1 GPU||| Crash|SIGSEGV /SEGV_MAPERR|0x0|0 0|0|libxul.so|nsStyleImage::GetImageData() const|hg:hg.mozilla.org/mozilla-central:layout/style/nsStyleStruct.h:54ed5eac2abca2519704c74bc5c421b846031504|240|0x0 0|1|libxul.so|nsFrame::DidSetComputedStyle(mozilla::ComputedStyle*)|hg:hg.mozilla.org/mozilla-central:layout/style/nsStyleStruct.h:54ed5eac2abca2519704c74bc5c421b846031504|940|0x9 0|2|libxul.so|nsIFrame::SetComputedStyle(mozilla::ComputedStyle*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:54ed5eac2abca2519704c74bc5c421b846031504|777|0xd 0|3|libxul.so|mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3568|0xc 0|4|libxul.so|ReparentChildListStyle|hg:hg.mozilla.org/mozilla-central:layout/generic/nsInlineFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|268|0x13 0|5|libxul.so|nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsInlineFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1012|0x15 0|6|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:54ed5eac2abca2519704c74bc5c421b846031504|880|0x21 0|7|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|4097|0x14 0|8|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3900|0x2d 0|9|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3787|0x41 0|10|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2806|0x20 0|11|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2349|0x20 0|12|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1207|0xf 0|13|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:54ed5eac2abca2519704c74bc5c421b846031504|297|0x10 0|14|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3424|0x1e 0|15|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2803|0x19 0|16|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2349|0x20 0|17|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1207|0xf 0|18|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:54ed5eac2abca2519704c74bc5c421b846031504|297|0x10 0|19|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3424|0x1e 0|20|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2803|0x19 0|21|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|2349|0x20 0|22|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1207|0xf 0|23|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|890|0x1d 0|24|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|732|0x4d 0|25|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|890|0x1d 0|26|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|586|0x5 0|27|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|698|0xe 0|28|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1091|0x5 0|29|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|929|0x19 0|30|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:54ed5eac2abca2519704c74bc5c421b846031504|308|0x2b 0|31|libxul.so|nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|9044|0x1e 0|32|libxul.so|nsIPresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|9214|0x11 0|33|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|4169|0x15 0|34|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|3949|0x7 0|35|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1013|0x13 0|36|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|6560|0x18 0|37|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|6361|0x18 0|38|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1313|0x2b 0|39|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:54ed5eac2abca2519704c74bc5c421b846031504|872|0x22 0|40|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:54ed5eac2abca2519704c74bc5c421b846031504|710|0x15 0|41|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:54ed5eac2abca2519704c74bc5c421b846031504|598|0x16 0|42|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:54ed5eac2abca2519704c74bc5c421b846031504|568|0x17 0|43|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:54ed5eac2abca2519704c74bc5c421b846031504|7705|0x20 0|44|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:54ed5eac2abca2519704c74bc5c421b846031504|7637|0x8 0|45|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:54ed5eac2abca2519704c74bc5c421b846031504|4787|0xd 0|46|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:54ed5eac2abca2519704c74bc5c421b846031504|1122|0x13 0|47|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:54ed5eac2abca2519704c74bc5c421b846031504|295|0x15 0|48|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:54ed5eac2abca2519704c74bc5c421b846031504|1179|0x15 0|49|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:54ed5eac2abca2519704c74bc5c421b846031504|482|0x11 0|50|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:54ed5eac2abca2519704c74bc5c421b846031504|88|0xa 0|51|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:54ed5eac2abca2519704c74bc5c421b846031504|315|0x17 0|52|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:54ed5eac2abca2519704c74bc5c421b846031504|308|0x8 0|53|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:54ed5eac2abca2519704c74bc5c421b846031504|137|0xd 0|54|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:54ed5eac2abca2519704c74bc5c421b846031504|911|0x11 0|55|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:54ed5eac2abca2519704c74bc5c421b846031504|238|0x5 0|56|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:54ed5eac2abca2519704c74bc5c421b846031504|315|0x17 0|57|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:54ed5eac2abca2519704c74bc5c421b846031504|308|0x8 0|58|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:54ed5eac2abca2519704c74bc5c421b846031504|749|0xc 0|59|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:54ed5eac2abca2519704c74bc5c421b846031504|49|0x14 0|60|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:54ed5eac2abca2519704c74bc5c421b846031504|265|0x11 0|61|libc-2.27.so||||0x21b97 0|62|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:54ed5eac2abca2519704c74bc5c421b846031504|184|0x5 ```