Closed Bug 1214178 Opened 10 years ago Closed 4 years ago

crash in nsLineLayout::BeginLineReflow(int, int, int, int, bool, bool, mozilla::WritingMode, nsSize const&)

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
Unspecified
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox44 --- affected
firefox49 --- affected

People

(Reporter: Usul, Unassigned)

Details

(Keywords: crash, testcase-wanted)

Crash Data

This bug was filed from the Socorro interface and is report bp-1235ee52-0b5d-45d0-b48d-b08a72151013. ============================================================= 0 libxul.so nsLineLayout::BeginLineReflow(int, int, int, int, bool, bool, mozilla::WritingMode, nsSize const&) layout/generic/nsLineLayout.cpp 1 libxul.so nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp 2 libxul.so nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp 3 libxul.so nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp 4 libxul.so nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp 5 libxul.so nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, nsHTMLReflowMetrics&, nsRenderingContext*, int, int, int, int, bool) layout/generic/nsFrame.cpp 6 libxul.so nsFrame::RefreshSizeCache(nsBoxLayoutState&) layout/generic/nsFrame.cpp 7 libxul.so nsFrame::GetPrefSize(nsBoxLayoutState&) layout/generic/nsFrame.cpp 8 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 9 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 10 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 11 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 12 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 13 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 14 libxul.so nsStackLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsStackLayout.cpp 15 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 16 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 17 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 18 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 19 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 20 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 21 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 22 libxul.so nsXULScrollFrame::GetPrefSize(nsBoxLayoutState&) layout/generic/nsGfxScrollFrame.cpp 23 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 24 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 25 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 26 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 27 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 28 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 29 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 30 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 31 libxul.so nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 32 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 33 libxul.so nsStackLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) layout/xul/nsStackLayout.cpp 34 libxul.so nsBoxFrame::GetPrefSize(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 35 libxul.so nsSprocketLayout::PopulateBoxSizes(nsIFrame*, nsBoxLayoutState&, nsBoxSize*&, int&, int&, int&) layout/xul/nsSprocketLayout.cpp 36 libxul.so nsSprocketLayout::Layout(nsIFrame*, nsBoxLayoutState&) layout/xul/nsSprocketLayout.cpp 37 libxul.so nsBoxFrame::DoLayout(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 38 libxul.so nsIFrame::Layout(nsBoxLayoutState&) layout/xul/nsBox.cpp 39 libxul.so nsStackLayout::Layout(nsIFrame*, nsBoxLayoutState&) layout/xul/nsStackLayout.cpp 40 libxul.so nsBoxFrame::DoLayout(nsBoxLayoutState&) layout/xul/nsBoxFrame.cpp 41 libxul.so nsIFrame::Layout(nsBoxLayoutState&) layout/xul/nsBox.cpp 42 libxul.so nsBoxFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/xul/nsBoxFrame.cpp 43 libxul.so nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp 44 libxul.so ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp 45 libxul.so PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp 46 libxul.so PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp 47 libxul.so PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp 48 libxul.so nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp 49 libxul.so mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp 50 libxul.so mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp 51 libxul.so nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() xpcom/glue/nsThreadUtils.h 52 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp 53 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp 54 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp 55 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 56 libxul.so nsBaseAppShell::Run() widget/nsBaseAppShell.cpp 57 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 58 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 59 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp 60 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp 61 firefox do_main browser/app/nsBrowserApp.cpp 62 firefox main browser/app/nsBrowserApp.cpp Ø 63 libc-2.21.so libc-2.21.so@0x206ff Ø 64 libstdc++.so.6.0.21 libstdc++.so.6.0.21@0x37dcff 65 firefox _init 66 firefox firefox@0x12fab 67 firefox __libc_csu_fini 68 firefox firefox@0x12fab 69 firefox _start I was opening flickr tabs by clicking images from search results. Console showed this when I crashed : [Child 8567] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-ntly-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1768 [Child 8567] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-ntly-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1768
Crash Signature: [@ nsLineLayout::BeginLineReflow(int, int, int, int, bool, bool, mozilla::WritingMode, nsSize const&)] → [@ nsLineLayout::BeginLineReflow(int, int, int, int, bool, bool, mozilla::WritingMode, nsSize const&)] [@ nsLineLayout::BeginLineReflow]
Seems like outerLineLayout->mSpanFreeList is somehow corrupt. Seems unlikely we'd be able to figure this out without a reproducable testcase, but maybe Xidorn can spot something.
Flags: needinfo?(quanxunzhen)
I have no idea. We would need a reproducible testcase to find out the reason. In this case, outerLineLayout should just be `this`, and mSpanFreeList should have already inited to nullptr in the constructor. So probably there is something wrong with the arena allocator?
Flags: needinfo?(quanxunzhen)
status-firefox49: --- → affected
Keywords: testcase-wanted
OS: Linux → All

Reopening bug since there are crash reports in the last 6 months.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.