"ASSERTION: Cannot find containing block" followed by null deref in InlineBackgroundData::GetContinuousRect

NEW
Unassigned

Status

()

Core
Layout
--
critical
2 years ago
2 years ago

People

(Reporter: SkyLined, Unassigned)

Tracking

({crash, rtl, testcase})

Trunk
crash, rtl, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8667789 [details]
repro.html

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826023504

Steps to reproduce:

<rt dir=rtl><x style=background:red>x<svg display=table-column>


Actual results:

Access violation while reading memory at 0x18 using a NULL ptr

Stack
xul.dll!InlineBackgroundData::GetContinuousRect + 0x23 (EF in id)
xul.dll!InlineBackgroundData::GetBorderContinuousRect + 0x2A (D8 in id)
xul.dll!JoinBoxesForSlice + 0x3A
xul.dll!BoxDecorationRectForBorder + 0x2ACFA7 (this may not be correct)
xul.dll!mozilla::gfx::DrawTargetCairo::SetTransform + 0x8A
xul.dll!nsCSSRendering::PaintBorder + 0xA8
xul.dll!nsDisplayBorder::Paint + 0x57



Expected results:

Page loads without crashing Firefox

Comment 1

2 years ago
Please do the following:

1. Update to the current release.
https://support.mozilla.org/kb/update-firefox-latest-version
2. Reproduce the crash, submit the crash report, then restart Firefox.
3. Type about:crashes into the location bar, then press Enter.
4. Copy the most recent report ID to the clipboard, then paste it in a comment here.
Severity: normal → critical
Flags: needinfo?(berendjanwever)
Keywords: crash, rtl, stackwanted, testcase
See Also: → bug 421203
(Reporter)

Comment 2

2 years ago
Is the repro failing for you that I need to do all this for you? Btw. it crashes up-to-date Nightly.
Flags: needinfo?(berendjanwever)

Comment 3

2 years ago
Created attachment 8669735 [details]
stack (lldb)

###!!! ASSERTION: Cannot find containing block.: 'mBlockFrame', file layout/base/nsCSSRendering.cpp, line 338

Followed by InlineBackgroundData::GetContinuousRect dereferencing a null mBlockFrame.

Updated

2 years ago
Crash Signature: [@ InlineBackgroundData::GetContinuousRect]
Component: Untriaged → Layout
Keywords: stackwanted
Product: Firefox → Core
Summary: AVR:NULL firefox.exe!xul.dll!InlineBackgroundData::GetContinuousRect → "ASSERTION: Cannot find containing block" followed by null deref in InlineBackgroundData::GetContinuousRect
Version: 40 Branch → Trunk

Comment 4

2 years ago
bp-b6276d68-8c0f-4c88-97d7-14e8b2151005
Status: UNCONFIRMED → NEW
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.