Closed Bug 1136975 Opened 10 years ago Closed 10 years ago

B2G: Segmentation fault in nsDisplayWrapList::nsDisplayWrapList /layout/base/nsDisplayList.cpp:3517

Categories

(Core :: Layout, defect)

ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: gwagner, Unassigned)

Details

(Keywords: crash)

On current trunk on a flame with debug gecko.

STR: Rotate to landscape mode.

Program received signal SIGSEGV, Segmentation fault.
nsDisplayWrapList::nsDisplayWrapList (this=0xbead4d28, aBuilder=0xbead4cd0, aFrame=0xacf0f164, aList=0x12) at ../../../layout/base/nsDisplayList.cpp:3517
3517 if (!aFrame || !aFrame->IsTransformed()) {
(gdb) bt
#0 nsDisplayWrapList::nsDisplayWrapList (this=0xbead4d28, aBuilder=0xbead4cd0, aFrame=0xacf0f164, aList=0x12) at ../../../layout/base/nsDisplayList.cpp:3517
#1 0x00000000 in ?? ()
(gdb) p aFrame
$1 = (nsIFrame *) 0xacf0f164
(gdb) p *aFrame
$2 = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0xb677f5a0 <vtable for nsHTMLFramesetBorderFrame+188>}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, static kSelectPopupList = mozilla::layout::kSelectPopupList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = 0, y = 0, width = 538976288, height = 8224}, <No data fields>}, mContent = 0x10160004, mStyleContext = 0x20000000, mParent = 0x4d, mNextSibling = 0x0, mPrevSibling = 0x3d32ee10, mState = 26333166046281729, mOverflow = {mType = 1, mVisualDeltas = {mLeft = 1 '\001', mTop = 0 '\000', mRight = 0 '\000', mBottom = 0 '\000'}}}
(gdb)
(gdb) p this
$4 = (nsDisplayWrapList * const) 0xbead4d28
(gdb) p *this
$5 = {<nsDisplayItem> = {<nsDisplayItemLink> = {mAbove = 0x28}, _vptr.nsDisplayItem = 0x3f0ff8cd, mFrame = 0x440e5555, mClip = 0x439b5555, mReferenceFrame = 0xa9eb4838, mToReferenceFrame = {<mozilla::gfx::BasePoint<int, nsPoint, int>> = {x = 0, y = 0}, <No data fields>}, mVisibleRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -1255929999, y = -1442725888, width = -1225251557, height = -1444161888}, <No data fields>}, mPainted = 20}, mList = {mSentinel = {mAbove = 0xb5faf364}, mTop = 0x2000, mVisibleRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = 0, y = -1095938624, width = -1359406912, height = -1255312147}, <No data fields>}, mIsOpaque = false, mForceTransparentSurface = false}, mMergedFrames = {<nsTArray_Impl<nsIFrame*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0xaaeeac00}, <nsTArray_TypedBase<nsIFrame*, nsTArray_Impl<nsIFrame*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsIFrame*, nsTArray_Impl<nsIFrame*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized out>}, <No data fields>}, mBounds = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -1385762700, y = -1385250112, width = -1385738144, height = 0}, <No data fields>}, mBaseVisibleRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -1385738144, y = -1255782247, width = -1385250112, height = 0}, <No data fields>}, mOverrideZIndex = 8192, mHasZIndexOverride = 205}

Looks like the stack was smashed. I think frame #0 is incorrect: the diff between the values in "this=0xbead4d28, aBuilder=0xbead4cd0" is 88 (decimal) which seems impossible given how these objects are allocated. Also, many of the member values of both objects are impossible. Is the crash reproducible? Do you get the same stack every time?
Severity: normal → critical
Flags: needinfo?(anygregor)
Keywords: crash
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → ARM
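
A triage pass in the spirit of the comment above, as an added example that is not part of the bug thread or of Mozilla's code: it parses the two frame lines from the gdb session in this report and flags signs that the backtrace itself cannot be trusted. The 4 KiB threshold and the treatment of every hex-valued argument as a pointer are assumptions.

```python
import re

# The two frame lines from the gdb session in this report.
BACKTRACE = """\
#0 nsDisplayWrapList::nsDisplayWrapList (this=0xbead4d28, aBuilder=0xbead4cd0, aFrame=0xacf0f164, aList=0x12) at ../../../layout/base/nsDisplayList.cpp:3517
#1 0x00000000 in ?? ()
"""

# Assumption: the first 4 KiB page is never mapped, so a non-null value below it is not a live object.
MIN_PLAUSIBLE_PTR = 0x1000

FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:(0x[0-9a-fA-F]+) in )?(\S+) \((.*?)\)(?: at \S+)?$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def parse_frames(text):
    """Parse gdb 'bt' lines into dicts: index, pc, func, hex-valued args."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        index, pc, func, args = m.groups()
        frames.append({
            "index": int(index),
            "pc": int(pc, 16) if pc else None,  # None when gdb prints no address
            "func": func,
            # Assumption: every hex-valued argument is a pointer.
            "args": {k: int(v, 16) for k, v in ARG_RE.findall(args)},
        })
    return frames


def triage(frames):
    """Return (frame index, finding) pairs that cast doubt on the backtrace."""
    findings = []
    for f in frames:
        if f["pc"] == 0 or f["func"] == "??":
            findings.append((f["index"], "unwind-lost"))
        for name, value in f["args"].items():
            if 0 < value < MIN_PLAUSIBLE_PTR:
                findings.append((f["index"], "low-pointer:" + name))
    return findings


def arg_distance(frame, a, b):
    """Byte distance between two pointer arguments of one frame."""
    return abs(frame["args"][a] - frame["args"][b])
```

On the lines from this report, `triage(parse_frames(BACKTRACE))` flags `aList=0x12` in frame #0 and the lost caller in frame #1, and `arg_distance` gives 88 bytes between `this` and `aBuilder`.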
I haven't been able to reproduce this issue and this might have been a bad build to begin with. I will re-open if I see it again.
Flags: needinfo?(anygregor)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME