If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

SIGSEGV on aarch64 in nsLayoutUtils::GetLastSibling when compiling with gcc6

RESOLVED FIXED

Status

()

Core
Build Config
--
critical
RESOLVED FIXED
10 months ago
3 months ago

People

(Reporter: Jeremy Linton, Assigned: glandium)

Tracking

(Blocks: 1 bug, {crash})

50 Branch
Other
Linux
crash
Points:
---

Firefox Tracking Flags

(firefox52 fixed, firefox-esr52 fixed, firefox53 fixed, firefox54 unaffected)

Details

MozReview Requests

()

Submitter Diff Changes Open Issues Last Updated
Loading...
Error loading review requests:

Attachments

(2 attachments)

(Reporter)

Description

10 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161104212021

Steps to reproduce:

Install Fedora 25 or rawhide. Attempt to start firefox. It crashes immediatly.



Actual results:

[root@mammon-juno ~]# firefox 
Segmentation fault (core dumped)
gdb /usr/lib64/firefox/firefox core.firefox.1473783380.14629
(trimming)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/lib64/firefox/firefox'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:58
58      }
[Current thread is 1 (Thread 0x3ff80815070 (LWP 14629))]
(gdb) bt
#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x000003ff7c521c4c in nsProfileLock::FatalSignalHandler (signo=11, info=0x3ffd61162e0, context=0x3ffd6116360) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/profile/nsProfileLock.cpp:181
#2  <signal handler called>
#3  0x000003ff7c079c04 in nsLayoutUtils::GetLastSibling (aFrame=0xe5e5e5e5e5e5e5e5) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsLayoutUtils.cpp:1914
#4  0x000003ff7c0f2d54 in nsFrameList::SetFrames (this=0x3ffd6117c78, aFrameList=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/generic/nsFrameList.cpp:68
#5  0x000003ff7c03e798 in nsFrameConstructorState::AddChild (this=0x3ffd61181d8, aNewFrame=0x3ff61e5e930, aFrameItems=..., aContent=0x3ff5e466820, aStyleContext=0x3ff61e5e5c0, aParentFrame=
    0x3ff61e41c40, aCanBePositioned=<optimized out>, aCanBeFloated=<optimized out>, aIsOutOfFlowPopup=false, aInsertAfter=false, aInsertAfterFrame=0x0)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:1302
#6  0x000003ff7c0604ac in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff68b37780, aItem=..., aState=..., aParentFrame=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:3937
#7  0x000003ff7c060c58 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff68b37780, aState=..., aIter=..., aParentFrame=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:6081
#8  0x000003ff7c0612d8 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=this@entry=0x3ff68b37780, aState=..., aItems=..., aParentFrame=aParentFrame@entry=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10498
#9  0x000003ff7c05f954 in nsCSSFrameConstructor::ProcessChildren (this=0x3ff68b37780, aState=..., aContent=0x3ff5e4660d0, aStyleContext=<optimized out>, aFrame=0x3ff61e41c40, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=<optimized out>, aPendingBinding=0x3ff5e447f20, aPossiblyLeafFrame=0x3ff61e41c40)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10699
#10 0x000003ff7c0608f4 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff68b37780, aItem=..., aState=..., aParentFrame=<optimized out>, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4002
#11 0x000003ff7c060c58 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff68b37780, aState=..., aIter=..., aParentFrame=0x3ff61e41440, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:6081
#12 0x000003ff7c0612d8 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=0x3ff68b37780, aState=..., aItems=..., aParentFrame=0x3ff61e41440, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10498
#13 0x000003ff7c062044 in nsCSSFrameConstructor::CreateAnonymousFrames (this=this@entry=0x3ff68b37780, aState=..., aParent=aParent@entry=0x3ff618f7730, aParentFrame=aParentFrame@entry=0x3ff61e41440, 
    aPendingBinding=aPendingBinding@entry=0x0, aChildItems=...) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4132
#14 0x000003ff7c06258c in nsCSSFrameConstructor::BeginBuildingScrollFrame (this=0x3ff68b37780, aState=..., aContent=0x3ff618f7730, aContentStyle=0x3ff61e40140, aParentFrame=<optimized out>, 
    aScrolledPseudo=0x3ff6ea92620, aIsRoot=<optimized out>, aNewFrame=@0x3ffd61181b8: 0x0) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4540
#15 0x000003ff7c062768 in nsCSSFrameConstructor::SetUpDocElementContainingBlock (this=this@entry=0x3ff68b37780, aDocElement=aDocElement@entry=0x3ff618f7730)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:2875
#16 0x000003ff7c068d50 in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x3ff68b37780, aDocElement=0x3ff618f7730, aFrameState=0x0)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:2411
#17 0x000003ff7c069cb8 in nsCSSFrameConstructor::ContentRangeInserted (this=0x3ff68b37780, aContainer=aContainer@entry=0x0, aStartChild=aStartChild@entry=0x3ff618f7730, aEndChild=0x0, 
    aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:7631
#18 0x000003ff7c06a458 in nsCSSFrameConstructor::ContentInserted (this=<optimized out>, aContainer=aContainer@entry=0x0, aChild=aChild@entry=0x3ff618f7730, aFrameState=aFrameState@entry=0x0, 
    aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:7521
#19 0x000003ff7c0af864 in PresShell::Initialize (this=0x3ff61853800, aWidth=<optimized out>, aHeight=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsPresShell.cpp:1685
#20 0x000003ff7af173dc in nsContentSink::StartLayout (this=<optimized out>, aIgnorePendingSheets=aIgnorePendingSheets@entry=false, this=<optimized out>)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/dom/base/nsContentSink.cpp:1216
#21 0x000003ff7abedf20 in nsHtml5TreeOpExecutor::StartLayout (this=this@entry=0x3ff61852400) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOpExecutor.cpp:614
#22 0x000003ff7ac0d344 in nsHtml5TreeOperation::Perform (this=0x3ff6185bad8, aBuilder=0x3ff61852400, aScriptElement=<optimized out>)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOperation.cpp:991
#23 0x000003ff7ac09898 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x3ff61852400) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOpExecutor.cpp:451
#24 0x000003ff7ac09be0 in nsHtml5ExecutorFlusher::Run (this=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5StreamParser.cpp:125
#25 0x000003ff7a5d6400 in nsThread::ProcessNextEvent (this=0x3ff7db60eb0, aMayWait=<optimized out>, aResult=0x3ffd6118e97) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/xpcom/threads/nsThread.cpp:994
#26 0x000003ff7a5f9184 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x3ff7db60eb0, aMayWait=aMayWait@entry=false)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/xpcom/glue/nsThreadUtils.cpp:290
#27 0x000003ff7a83d3c4 in mozilla::ipc::MessagePump::Run (this=0x3ff7e786f40, aDelegate=0x3ff70860080) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/ipc/glue/MessagePump.cpp:98
#28 0x000003ff7a820b1c in MessageLoop::Run (this=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/ipc/chromium/src/base/message_loop.cc:230
#29 0x000003ff7be19b44 in nsBaseAppShell::Run (this=0x3ff6ac255c0) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/widget/nsBaseAppShell.cpp:156
#30 0x000003ff7c4e0be4 in nsAppStartup::Run (this=0x3ff6a9f2360) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/components/startup/nsAppStartup.cpp:284
#31 0x000003ff7c52a07c in XREMain::XRE_mainRun (this=this@entry=0x3ffd6119138) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4347
#32 0x000003ff7c52a880 in XREMain::XRE_main (this=this@entry=0x3ffd6119138, argc=argc@entry=1, argv=argv@entry=0x3ffd611a668, aAppData=aAppData@entry=0x3ffd6119338)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4451
#33 0x000003ff7c52aad8 in XRE_main (argc=1, argv=0x3ffd611a668, aAppData=0x3ffd6119338, aFlags=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4559
#34 0x000002aae19d5738 in do_main (argc=1, argv=0x3ffd611a668, envp=<optimized out>, xreDirectory=0x3ff7e741d20) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/browser/app/nsBrowserApp.cpp:220
#35 0x000002aae19d4c78 in main (argc=1, argv=0x3ffd611a668, envp=0x3ffd611a678) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/browser/app/nsBrowserApp.cpp:360


Expected results:

I should be able to browse the web...

The fedora defect has more detained info.

https://bugzilla.redhat.com/show_bug.cgi?id=1354671
(Reporter)

Updated

10 months ago
OS: Unspecified → Linux
Hardware: Unspecified → Other
Version: 50 Branch → 49 Branch

Updated

10 months ago
Severity: normal → critical
Keywords: crash

Comment 1

10 months ago
FYI only: Unable to reproduce this as of today with an up-to-date Fedora 25 installation on x86, including Firefox version 50.0.2:

[user@host /] $ rpm -qa | grep firefox
firefox-50.0.2-1.fc25.x86_64

bugday-20161205
(Reporter)

Comment 2

10 months ago
Yes, it seems to be arm64 specific. On fedora rawhide:

[root@mammon-seattle-raw ~]# rpm -qa |grep firefox
firefox-50.0.2-2.fc26.aarch64
root@mammon-seattle-raw ~]# firefox 
Segmentation fault (core dumped)
[root@mammon-seattle-raw ~]# gdb /usr/lib64/firefox/firefox /var/spool/abrt/ccpp-2016-12-05-14:07:27-4626/coredump
GNU gdb (GDB) Fedora 7.12-29.fc26
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "aarch64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib64/firefox/firefox...Reading symbols from /usr/lib64/firefox/firefox...(no debugging symbols found)...done.
(no debugging symbols found)...done.
(trimming)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/lib64/firefox/firefox'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000ffffa2dd2d50 in raise () from /lib64/libpthread.so.0
[Current thread is 1 (Thread 0xffffa2e851c0 (LWP 4626))]
Missing separate debuginfos, use: dnf debuginfo-install firefox-50.0.2-2.fc26.aarch64
(gdb) bt
#0  0x0000ffffa2dd2d50 in raise () at /lib64/libpthread.so.0
#1  0x0000ffff9e93902c in nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*) () at /usr/lib64/firefox/libxul.so
#2  0x0000ffffa2e306c0 in <signal handler called> ()
#3  0x0000ffff9e438284 in nsLayoutUtils::GetLastSibling(nsIFrame*) () at /usr/lib64/firefox/libxul.so
#4  0x0000ffff9e4c5024 in nsFrameList::SetFrames(nsIFrame*) () at /usr/lib64/firefox/libxul.so
#5  0x0000ffff9e3f9f90 in nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#6  0x0000ffff9e41500c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) () at /usr/lib64/firefox/libxul.so
#7  0x0000ffff9e415858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) () at /usr/lib64/firefox/libxul.so
#8  0x0000ffff9e415e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) () at /usr/lib64/firefox/libxul.so
#9  0x0000ffff9e416c88 in nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, PendingBinding*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#10 0x0000ffff9e41716c in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) () at /usr/lib64/firefox/libxul.so
#11 0x0000ffff9e417348 in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) () at /usr/lib64/firefox/libxul.so
#12 0x0000ffff9e41cdf0 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) () at /usr/lib64/firefox/libxul.so
#13 0x0000ffff9e41de28 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) () at /usr/lib64/firefox/libxul.so
#14 0x0000ffff9e486808 in PresShell::Initialize(int, int) () at /usr/lib64/firefox/libxul.so
#15 0x0000ffff9d229bc4 in nsContentSink::StartLayout(bool) () at /usr/lib64/firefox/libxul.so
#16 0x0000ffff9cebaf58 in nsHtml5TreeOpExecutor::StartLayout() () at /usr/lib64/firefox/libxul.so
#17 0x0000ffff9cedb794 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) () at /usr/lib64/firefox/libxul.so
#18 0x0000ffff9ced7d50 in nsHtml5TreeOpExecutor::RunFlushLoop() [clone .part.177] () at /usr/lib64/firefox/libxul.so
#19 0x0000ffff9ced7fd0 in nsHtml5ExecutorFlusher::Run() () at /usr/lib64/firefox/libxul.so
#20 0x0000ffff9c866128 in nsThread::ProcessNextEvent(bool, bool*) () at /usr/lib64/firefox/libxul.so
#21 0x0000ffff9c889354 in NS_ProcessNextEvent(nsIThread*, bool) () at /usr/lib64/firefox/libxul.so
#22 0x0000ffff9cad3524 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () at /usr/lib64/firefox/libxul.so
#23 0x0000ffff9cab60ac in MessageLoop::Run() () at /usr/lib64/firefox/libxul.so
#24 0x0000ffff9e1e4b24 in nsBaseAppShell::Run() () at /usr/lib64/firefox/libxul.so
#25 0x0000ffff9e8e0c34 in nsAppStartup::Run() () at /usr/lib64/firefox/libxul.so
#26 0x0000ffff9e941400 in XREMain::XRE_mainRun() () at /usr/lib64/firefox/libxul.so
#27 0x0000ffff9e941c80 in XREMain::XRE_main(int, char**, nsXREAppData const*) () at /usr/lib64/firefox/libxul.so
#28 0x0000ffff9e941ecc in XRE_main () at /usr/lib64/firefox/libxul.so
#29 0x0000aaaaad3b5878 in do_main(int, char**, char**, nsIFile*) ()
#30 0x0000aaaaad3b4cf4 in main ()
(gdb)
(Reporter)

Updated

10 months ago
Version: 49 Branch → 50 Branch
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20161205030204

I tested on Fedora 23 x64 using Firefox latest Nightly ( Build ID:20161205030204), Firefox Release 50.0 and Firefox version 50.0.2 and could not reproduce it.

Could you please check if the issue is reproducible using Firefox with a new profile or in safe mode?

https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Could you please provide the crash sigrature from about:crashes?

Thanks.
Flags: needinfo?(jeremy.linton)
(Reporter)

Comment 4

10 months ago
This is an immediate crash, no windows are ever displayed. So about:crashes is not accessable. 

It continues to crash with .mozilla removed, and using `firefox --safe-mode`

That said the backtrace varies a little but the top half dozen calls are the same:

(this is from FF50 again)

(gdb) bt
#0  0x0000ffffabb38284 in nsLayoutUtils::GetLastSibling(nsIFrame*) () at /usr/lib64/firefox/libxul.so
#1  0x0000ffffabbc5024 in nsFrameList::SetFrames(nsIFrame*) () at /usr/lib64/firefox/libxul.so
#2  0x0000ffffabaf9f90 in nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#3  0x0000ffffabb1500c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#4  0x0000ffffabb15858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#5  0x0000ffffabb15e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#6  0x0000ffffabb14534 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#7  0x0000ffffabb1547c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#8  0x0000ffffabb15858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#9  0x0000ffffabb15e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#10 0x0000ffffabb14534 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#11 0x0000ffffabb1547c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#12 0x0000ffffabb15858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#13 0x0000ffffabb15e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#14 0x0000ffffabb14534 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#15 0x0000ffffabb1547c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#16 0x0000ffffabb15858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#17 0x0000ffffabb15e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#18 0x0000ffffabb14534 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#19 0x0000ffffabb1547c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#20 0x0000ffffabb15858 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#21 0x0000ffffabb15e84 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) ()
    at /usr/lib64/firefox/libxul.so
#22 0x0000ffffabb14534 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) ()
    at /usr/lib64/firefox/libxul.so
#23 0x0000ffffabb1d5e8 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) () at /usr/lib64/firefox/libxul.so
#24 0x0000ffffabb1de28 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) () at /usr/lib64/firefox/libxul.so
#25 0x0000ffffabb86808 in PresShell::Initialize(int, int) () at /usr/lib64/firefox/libxul.so
#26 0x0000ffffab834680 in mozilla::dom::XULDocument::StartLayout() () at /usr/lib64/firefox/libxul.so
#27 0x0000ffffab841f64 in mozilla::dom::XULDocument::DoneWalking() () at /usr/lib64/firefox/libxul.so
#28 0x0000ffffab84726c in mozilla::dom::XULDocument::ResumeWalk() () at /usr/lib64/firefox/libxul.so
#29 0x0000ffffab848e34 in mozilla::dom::XULDocument::OnScriptCompileComplete(JSScript*, nsresult) () at /usr/lib64/firefox/libxul.so
#30 0x0000ffffab840eb0 in NotifyOffThreadScriptCompletedRunnable::Run() () at /usr/lib64/firefox/libxul.so
#31 0x0000ffffa9f66128 in nsThread::ProcessNextEvent(bool, bool*) () at /usr/lib64/firefox/libxul.so
#32 0x0000ffffa9f89354 in NS_ProcessNextEvent(nsIThread*, bool) () at /usr/lib64/firefox/libxul.so
#33 0x0000ffffabded114 in nsXULWindow::ShowModal() () at /usr/lib64/firefox/libxul.so
#34 0x0000ffffabdb45a0 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, float*, mozIDOMWindowProxy**) ()
    at /usr/lib64/firefox/libxul.so
#35 0x0000ffffabdb4b50 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) () at /usr/lib64/firefox/libxul.so
#36 0x0000ffffa9ebb444 in ShowProfileManager(nsIToolkitProfileService*, nsINativeAppSupport*) () at /usr/lib64/firefox/libxul.so
#37 0x0000ffffac040ee4 in XREMain::XRE_mainStartup(bool*) () at /usr/lib64/firefox/libxul.so
#38 0x0000ffffac041c34 in XREMain::XRE_main(int, char**, nsXREAppData const*) () at /usr/lib64/firefox/libxul.so
#39 0x0000ffffac041ecc in XRE_main () at /usr/lib64/firefox/libxul.so
---Type <return> to continue, or q <return> to quit--- 
#40 0x0000aaaadf775878 in do_main(int, char**, char**, nsIFile*) ()
#41 0x0000aaaadf774cf4 in main ()
(Reporter)

Comment 5

10 months ago
Also because it might be more useful here is a bt full, against .49 with the debuginfos installed. 

#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:58
        set = {__val = {18446744067266837247, 4396215539968, 4396234509592, 4396238687488, 4396215544424, 4396238686400, 2504233800, 4397793239024, 4396215544464, 4396238686400, 4397793226736, 439621 4397793221912, 4397793222048, 4397793222176, 4397793223096}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x000003ff92dd98fc in nsProfileLock::FatalSignalHandler (signo=11, info=0x3fff0e71da0, context=0x3fff0e71e20) at /usr/src/debug/firefox-49.0/firefox-49.0/toolkit/profile/nsProfileLock.cpp:181
        unblock_sigs = {__val = {1024, 0 <repeats 15 times>}}
        oldact = <optimized out>
#2  <signal handler called>
No symbol table info available.
#3  0x000003ff9290773c in nsLayoutUtils::GetLastSibling (aFrame=0xe5e5e5e5e5e5e5e5) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsLayoutUtils.cpp:1915
No locals.
#4  0x000003ff929837a4 in nsFrameList::SetFrames (this=0x3fff0e73738, aFrameList=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/generic/nsFrameList.cpp:68
No locals.
#5  0x000003ff928ccb78 in nsFrameConstructorState::AddChild (this=0x3fff0e73c98, aNewFrame=0x3ff7e1c4938, aFrameItems=..., aContent=0x3ff7b388320, aStyleContext=0x3ff7e1c45c0, aParentFrame=0x3ff7e1afnBePositioned=<optimized out>, aCanBeFloated=<optimized out>, aIsOutOfFlowPopup=false, aInsertAfter=false, aInsertAfterFrame=0x0) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameCon.cpp:1302
        placeholderType = 0
        outOfFlowFrameItems = <optimized out>
        frameItems = <optimized out>
#6  0x000003ff928ed794 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff807271d0, aItem=..., aState=..., aParentFrame=0x3ff7e1afc60, aFrameItems=...) at /usr/src/debug/f9.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:3937
        data = <optimized out>
        bits = <optimized out>
        content = <optimized out>
        adcp = {mTreeMatchContext = @0x3fff0e73d60, mPresContext = 0x3ff7d921800, mAncestors = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocatonsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e73280}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAl >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 184467440715}, <No data fields>}, {mAutoBuf = "\000\000\000\000\004\000\000\200\371t\377\377\277\377\377\a\371t\377\377\277\377\377\a\371t\377\377\277\377\377\a\000\000\000\000\000\000\000", mAlign = {elem = 0}}}
        insertionPointPusher = {mPushedAncestor = false, mPushedStyleScope = false, mTreeMatchContext = @0x3fff0e73d60, mElement = 0x0}
        ancestorPusher = {mPushedAncestor = false, mPushedStyleScope = true, mTreeMatchContext = @0x3fff0e73d60, mElement = 0x3ff7b388320}
        newFrame = 0x3ff7e1c4938
        primaryFrame = 0x3ff7e1c4938
#7  0x000003ff928edf40 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff807271d0, aState=..., aIter=..., aParentFrame=0x3ff7e1afc60, aFrameItems=...) at /usr/src/debug/firefox-49.0/firefoayout/base/nsCSSFrameConstructor.cpp:6085
        adjParentFrame = 0x3ff7e1afc60
        savedStateBits = 0
#8  0x000003ff928ee598 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=this@entry=0x3ff807271d0, aState=..., aItems=..., aParentFrame=aParentFrame@entry=0x3ff7e1afc60, aFrameItems=...) atc/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:10506
No locals.
#9  0x000003ff928ecc2c in nsCSSFrameConstructor::ProcessChildren (this=0x3ff807271d0, aState=..., aContent=0x3ff7b387bd0, aStyleContext=<optimized out>, aFrame=0x3ff7e1afc60, aCanHaveGeneratedContentFrameItems=..., aAllowBlockStyles=<optimized out>, aPendingBinding=0x3ff7b3789a0, aPossiblyLeafFrame=0x3ff7e1afc60) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:1
        savedDepth = {mLocation = @0x3ff80727288, mValue = 0}
        haveFirstLetterStyle = false
        haveFirstLineStyle = false
        floatSaveState = {mItems = 0x3fff0e73cf8, mSavedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x0}, mChildListID = mozyout::kFloatList, mState = 0x3fff0e73c98, mSavedFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x0}, mSavedFixedPosIsAbsPoe}
        pusher = {mState = @0x3fff0e73c98, mPendingBinding = 0x0}
        itemsToConstruct = {mItems = {next = 0x3ff8315dbc0, prev = 0x3ff8315dbc0}, mInlineCount = 0, mBlockCount = 1, mLineParticipantCount = 0, mItemCount = 1, mDesiredParentCounts = {1, 0, 0, 0, 0,, 0, 0}, mLineBoundaryAtStart = false, mLineBoundaryAtEnd = false, mParentHasNoXBLChildren = false, mTriedConstructingFrames = true, mUndisplayedItems = {<nsTArray_Impl<nsCSSFrameConstructor::FrameCoonItemList::UndisplayedItem, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff7b446a80}, <nsTArray_TypedBase<nsCSSFrameConstructeConstructionItemList::UndisplayedItem, nsTArray_Impl<nsCSSFrameConstructor::FrameConstructionItemList::UndisplayedItem, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsCSSFrameCon::FrameConstructionItemList::UndisplayedItem, nsTArray_Impl<nsCSSFrameConstructor::FrameConstructionItemList::UndisplayedItem, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>},NoIndex = <optimized out>}, <No data fields>}}
        anonymousItems = {<nsTArray<nsIAnonymousContentCreator::ContentInfo>> = {<nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallcator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e735f0}, <nsTArray_TypedBase<nsIAnonymousContentCreator::ContentInfo, nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleAllo> = {<nsTArray_SafeElementAtHelper<nsIAnonymousContentCreator::ContentInfo, nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fieldtic NoIndex = <optimized out>}, <No data fields>}, {mAutoBuf = "\000\000\000\000\004\000\000\200\b\002\000\000\000\000\000\000`\374\032~\377\003\000\000\250\257\034\224\377\003\000\000P\364\032~\377\000\310\354\032~\377\003\000\000\224\327\216\222\377\003\000\000\320{8{\377\003\000\000\000\000\000\000\000\000\000\000|َ\222\377\003\000\000\000\360\067\224\377\003\000\000\320{8{\377\003\000\000pَ\223\000", mAlign = {elem = 0 '\000'}}}
#10 0x000003ff928edbdc in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff807271d0, aItem=..., aState=..., aParentFrame=<optimized out>, aFrameItems=...) at /usr/src/debug-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:4002
        data = <optimized out>
        bits = 520
        content = <optimized out>
        adcp = {mTreeMatchContext = @0x3fff0e73d60, mPresContext = 0x3ff7d921800, mAncestors = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocatonsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e73840}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAl >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 184467440715}, <No data fields>}, {mAutoBuf = "\000\000\000\000\004\000\000\200\235t\377\377\277\377\377\a\235t\377\377\277\377\377\a\235t\377\377\277\377\377\a\000\000\000\000\000\000\000", mAlign = {elem = 0}}}
        insertionPointPusher = {mPushedAncestor = false, mPushedStyleScope = false, mTreeMatchContext = @0x3fff0e73d60, mElement = 0x0}
        ancestorPusher = {mPushedAncestor = false, mPushedStyleScope = true, mTreeMatchContext = @0x3fff0e73d60, mElement = 0x3ff7b387bd0}
        newFrame = 0x3ff7e1afc60
        primaryFrame = 0x3ff7e1afc60
#11 0x000003ff928edf40 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff807271d0, aState=..., aIter=..., aParentFrame=0x3ff7e1af450, aFrameItems=...) at /usr/src/debug/firefox-49.0/firefoayout/base/nsCSSFrameConstructor.cpp:6085
        adjParentFrame = 0x3ff7e1af450
        savedStateBits = 0
#12 0x000003ff928ee598 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=0x3ff807271d0, aState=..., aItems=..., aParentFrame=0x3ff7e1af450, aFrameItems=...) at /usr/src/debug/firefox-49.0/f9.0/layout/base/nsCSSFrameConstructor.cpp:10506
No locals.
#13 0x000003ff928ef24c in nsCSSFrameConstructor::CreateAnonymousFrames (this=this@entry=0x3ff807271d0, aState=..., aParent=aParent@entry=0x3ff7dddbe00, aParentFrame=aParentFrame@entry=0x3ff7e1af450, Binding=aPendingBinding@entry=0x0, aChildItems=...) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:4132
        i = <optimized out>
        newAnonymousItems = {<nsTArray<nsIAnonymousContentCreator::ContentInfo>> = {<nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e73b00}, <nsTArray_TypedBase<nsIAnonymousContentCreator::ContentInfo, nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleA> >> = {<nsTArray_SafeElementAtHelper<nsIAnonymousContentCreator::ContentInfo, nsTArray_Impl<nsIAnonymousContentCreator::ContentInfo, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fistatic NoIndex = <optimized out>}, <No data fields>}, {mAutoBuf = "\003\000\000\000\004\000\000\200\320{8{\377\003\000\000\000\000\000\000\000\000\000\000\200\330;\224\377\003\000\000`|8{\377\003\000\000\000\000\000\000\000\000\200\330;\224\377\003\000\000\360|8{\377\003\000\000\000\000\000\000\000\000\000\000\200\330;\224\377\003\000\000\000\360\067\224\377\003\000\000\320qr\200\377\003\000\0006\222\377\003\000", mAlign = {elem = 3 '\003'}}}
        rv = <optimized out>
        count = <optimized out>
        pusher = {mState = @0x3fff0e73c98, mPendingBinding = 0x0}
        ancestorPusher = {mPushedAncestor = <optimized out>, mPushedStyleScope = <optimized out>, mTreeMatchContext = @0x3fff0e73d60, mElement = 0x3ff7dddbe00}
        insertion = {mParentFrame = 0x3ff7e1af450, mContainer = 0x3ff7dddbe00, mMultiple = false}
#14 0x000003ff928ef794 in nsCSSFrameConstructor::BeginBuildingScrollFrame (this=0x3ff807271d0, aState=..., aContent=0x3ff7dddbe00, aContentStyle=0x3ff7e1ae140, aParentFrame=<optimized out>, aScrolledx3ff8bb82ac0, aIsRoot=<optimized out>, aNewFrame=@0x3fff0e73c78: 0x0) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:4547
        gfxScrollFrame = 0x3ff7e1af450
        anonymousItems = {<nsFrameList> = {mFirstChild = 0x3ff7e1afc60, mLastChild = 0x3ff7e1afc60}, <No data fields>}
        styleSet = <optimized out>
#15 0x000003ff928ef970 in nsCSSFrameConstructor::SetUpDocElementContainingBlock (this=this@entry=0x3ff807271d0, aDocElement=aDocElement@entry=0x3ff7dddbe00) at /usr/src/debug/firefox-49.0/firefox-49./base/nsCSSFrameConstructor.cpp:2875
        rootFrame = 0x3ff7e1af0e8
        rootPseudo = 0x3ff8bb82ac0
        isXUL = <optimized out>
        isScrollable = true
        newFrame = 0x0
        rootPseudoStyle = <optimized out>
        state = {mPresContext = 0x3ff7d921800, mPresShell = 0x3ff7d971400, mFrameManager = 0x3ff807271d0, mPopupItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No dds>}, containingBlock = 0x0}, mFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x0}, mAbsoluteItems = {<nsFrameItems> = {<nst> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x0}, mFloatedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, coBlock = 0x0}, mTopLayerFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x3ff7e1ae918}, mTopLayerAbsoluteItems = {<nsFrameIt<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x0}, <No data fields>}, containingBlock = 0x3ff7e1af0e8}, mFrameState = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mAdditionalStateBits =edPosIsAbsPos = true, mHavePendingPopupgroup = false, mCreatingExtraFrames = false, mGeneratedTextNodesWithInitializer = {<nsCOMArray_base> = {mArray = {<nsTArray_Impl<nsISupports*, nsTArrayInfalliblor>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff943bd880 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 1844674407370, <No data fields>}}, <No data fields>}, mTreeMatchContext = {mForStyling = true, mHaveRelevantLink = false, mHaveSpecifiedScope = false, mVisitedHandling = nsRuleWalker::eRelevantLinkUnvisited, mSconsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e<nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, {mAutoBuf = "\000\000\000\000\001\000\000\200x\031\222}\377\003\0ign = {elem = 0 '\000'}}}, mDocument = 0x3ff7dca1000, mScopedRoot = 0x0, mIsHTMLDocument = true, mCompatMode = eCompatibility_NavQuirks, mNthIndexCache = {mCaches = {{{impl = {<nsNthIndexCache::Systelicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 0, hashShift = 32, table = 0x0, entryCount = 0, removedCount = 0, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMa536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFre, static sRemovedKey = 1, static sCollisionBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 0, hashShift = 32, table = 0x0, entr 0, removedCount = 0, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', MinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}}, {{impl = {<nsNthIndexCache::SystemAllocPolicy> = { fields>}, static CAP_BITS = <optimized out>, gen = 0, hashShift = 32, table = 0x0, entryCount = 0, removedCount = 0, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912 sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static Key = 1, static sCollisionBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 0, hashShift = 32, table = 0x0, entryCount = 0, remov= 0, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaN = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}}}}, mAncestorFilter = {mFilter = {mRawPtr = 0x0}, mPopTargets = {<nsTpl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff943bd880 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<unst, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No dat>}, static NoIndex = 18446744073709551615}, <No data fields>}, mHashes = {<nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMe = {mHdr = 0x3ff943bd880 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned int, nsTpl<unsigned int, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, mUsingPrivateBrowsing = false, mSkippingParentDisdStyleFixup = false, mForScopedStyle = false, mStyleScopes = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfalocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e73e20}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElemeer<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, {m= "\000\000\000\000\001\000\000\200\000\000\000\000\377\003\000", mAlign = {elem = 0 '\000'}}}, mCurrentStyleScope = 0x0}, mPendingBindings = {sentinel = {mNext = 0x3ff7b3789a0, mPrev = 0x3ff7b3789a0tinel = true}}, mCurrentPendingBindingInsertionPoint = 0x3ff7b3789a0}
        parentFrame = 0x3ff7e1ae918
        styleSet = <optimized out>
#16 0x000003ff928f60e8 in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x3ff807271d0, aDocElement=0x3ff7dddbe00, aFrameState=0x0) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSnstructor.cpp:2411
        state = {mPresContext = 0x3ff9284339c <nsRuleNode::ResolveVariableReferences(nsStyleStructID, nsRuleData*, nsStyleContext*)+252>, mPresShell = 0x3ff9285c4d8 <nsRuleNode::ComputeSVGResetData(vRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions)+1160>, mFrameManager = 0x3ff7e1ae140, mPopupItems = {<nsFrameItems> = {<nsFrameList> = {mFirst0x3ff9285c2a0 <nsRuleNode::ComputeSVGResetData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions)+592>, mLastChild = 0xfc422303fe550c00}ta fields>}, containingBlock = 0x12}, mFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x3ff7e1ae140}, <No data fields>}, containingBlock = 0x3fff0e742e8}, mAbsoluteI<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x1b0, mLastChild = 0x12}, <No data fields>}, containingBlock = 0x3fff0e742f0}, mFloatedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x2ac <free+276>, mLastChild = 0x3ff96b00048}, <No data fields>}, containingBlock = 0x3ff7b3c5c00}, mTopLayerFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x2aad6fdc274 <calloc+556>, mLa= 0xd6fdc22c}, <No data fields>}, containingBlock = 0x3ff7dfa3c38}, mTopLayerAbsoluteItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x10, mLastChild = 0x1}, <No data fields>}, containingBl20}, mFrameState = {<nsCOMPtr_base> = {mRawPtr = 0x3ff9286cee8 <nsTHashtable<nsPresArena::FreeList>::s_CopyEntry(PLDHashTable*, PLDHashEntryHdr const*, PLDHashEntryHdr*)>}, <No data fields>}, mAdditieBits = 4395819097088, mFixedPosIsAbsPos = 216, mHavePendingPopupgroup = 176, mCreatingExtraFrames = 38, mGeneratedTextNodesWithInitializer = {<nsCOMArray_base> = {mArray = {<nsTArray_Impl<nsISupportrrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff7d971430}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615ata fields>}}, <No data fields>}, mTreeMatchContext = {mForStyling = 48, mHaveRelevantLink = 20, mHaveSpecifiedScope = 151, mVisitedHandling = (nsRuleWalker::eRelevantLinkVisited | nsRuleWalker::eLindOrUnvisited | unknown: 1020), mScopes = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTpyWithMemutils>> = {mHdr = 0x20000021}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::domt*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, {mAutoBuf = '\000' <repeames>, mAlign = {elem = 0 '\000'}}}, mDocument = 0x3ff7e1ae140, mScopedRoot = 0x3fff0e74390, mIsHTMLDocument = false, mCompatMode = 1023, mNthIndexCache = {mCaches = {{{impl = {<nsNthIndexCache::Systelicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 8388608, hashShift = 0, table = 0x3ff90dd92fc <PLDHashTable::Add(void const*, mozilla::fallible_t const&)+156>, entryCount = 40416emovedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', stnAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No lds>}, static CAP_BITS = <optimized out>, gen = 4396238237696, hashShift = 0, table = 0x3ff90dd92b8 <PLDHashTable::Add(void const*, mozilla::fallible_t const&)+88>, entryCount = 23, removedCount = 0,sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <d out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}}, {{impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP<optimized out>, gen = 4395858596912, hashShift = 0, table = 0x3ff7d971430, entryCount = 4041687960, removedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 53687atic sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, staovedKey = 1, static sCollisionBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 4395867237536, hashShift = 0, table = 0x0, entryC115690720, removedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = , static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}}}}, mAncestorFilter = {mFilter = {mRawPtr 0e74398}, mPopTargets = {<nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff936919e8 <nsCSSProps::gPrdexInStruct>}, <nsTArray_TypedBase<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfalliator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, mHashes = {<nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e742b0}, <nsTArray_TypedBase<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelperd int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, mUsingPrivateBrowsing = 64, mSkrentDisplayBasedStyleFixup = 225, mForScopedStyle = 26, mStyleScopes = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3fff0e74230}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<nsTArraymentAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fi{mAutoBuf = "\000\360\067\224\377\003\000\000\240\354\032~\377\003\000", mAlign = {elem = 0 '\000'}}}, mCurrentStyleScope = 0x3ff928685e8 <nsRuleNode::ComputeEffectsData(void*, nsRuleData const*, nsSext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions)+872>}, mPendingBindings = {sentinel = {mNext = 0x0, mPrev = 0x3ff92868660 <nsRuleNode::ComputeEffectsData(void*, nsRuleDat, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions)+992>, mIsSentinel = 160}}, mCurrentPendingBindingInsertionPoint = 0x17}
        styleContext = {mRawPtr = 0x3ff00000000}
        display = <optimized out>
        ancestorPusher = <optimized out>
        absoluteSaveState = {mItems = 0x3ff7e1ae578, mSavedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x3ff00000000, mLastChild = 0x3ff00000000}, <No data fields>}, containingBlock = 06}, mChildListID = (unknown: 0), mState = 0x3ff93691000 <nsCSSProps::gPropertyUseCounter+296>, mSavedFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x3ff00000000, mLastChild = 0x3ff7e <No data fields>}, containingBlock = 0x3ff9437f000}, mSavedFixedPosIsAbsPos = 28}
        contentFrame = 0x9
        newFrame = <optimized out>
        processChildren = <optimized out>
        isChild = <optimized out>
#17 0x000003ff928f70a0 in nsCSSFrameConstructor::ContentRangeInserted (this=0x3ff807271d0, aContainer=aContainer@entry=0x0, aStartChild=aStartChild@entry=0x3ff7dddbe00, aEndChild=0x0, aFrameState=aFr@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:7639
        isSingleInsert = true
        insertion = {mParentFrame = 0x804e03ef, mContainer = 0x3ff00000000, mMultiple = 72}
        isAppend = 255
        isRangeInsertSafe = 3
        prevSibling = <optimized out>
        container = <optimized out>
        frameType = <optimized out>
        state = {mPresContext = 0x804e03ef, mPresShell = 0x7ffffbfffff73f7, mFrameManager = 0x7ffffbfffff73f7, mPopupItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x3ff00000000, mLastChilff0e74290}, <No data fields>}, containingBlock = 0x3ff7e1ae140}, mFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x3ff7e1ae0e0, mLastChild = 0x0}, <No data fields>}, containingBlock =AbsoluteItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x800000}, <No data fields>}, containingBlock = 0x3fff0e75ff0}, mFloatedItems = {<nsFrameItems> = {<nsFrameList> = hild = 0x2aad6fd9ab4 <malloc+172>, mLastChild = 0x3ff7e1ae140}, <No data fields>}, containingBlock = 0x3fff0e74290}, mTopLayerFixedItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x3fff0e75stChild = 0x2aad6fd9bdc <malloc+468>}, <No data fields>}, containingBlock = 0x50}, mTopLayerAbsoluteItems = {<nsFrameItems> = {<nsFrameList> = {mFirstChild = 0x1, mLastChild = 0x0}, <No data fields>}ningBlock = 0x80000000}, mFrameState = {<nsCOMPtr_base> = {mRawPtr = 0x48}, <No data fields>}, mAdditionalStateBits = NS_FRAME_IN_REFLOW, mFixedPosIsAbsPos = 16, mHavePendingPopupgroup = false, mCreaaFrames = false, mGeneratedTextNodesWithInitializer = {<nsCOMArray_base> = {mArray = {<nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArrathMemutils>> = {mHdr = 0x3ff7d984cb8}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISu nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, <No data fields>}, mTreeMatchContext = {mForStyling = 128, mHaveRink = 216, mHaveSpecifiedScope = 59, mVisitedHandling = (nsRuleWalker::eRelevantLinkVisited | nsRuleWalker::eLinksVisitedOrUnvisited | unknown: 1020), mScopes = {<nsTArray<mozilla::dom::Element*>> = ay_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x2aad6fc597c <moz_xmalloc(size_t)+28>}, <nsTArray_T<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayIeAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, {mAutoBuf = "\004\000\000\000\000\000\000\000\240L\230}\377\003\000", mAlign = {elem04'}}}, mDocument = 0x3ff90d2bf0c <nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long)+444>, mScopedRoot =fd9bdc <malloc+468>, mIsHTMLDocument = 96, mCompatMode = 1023, mNthIndexCache = {mCaches = {{{impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen58676896, hashShift = 0, table = 0x3ff80b2ec80, entryCount = 2473194080, removedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 24, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static onBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 4395867236632, hashShift = 0, table = 0x3ff943bd000 <TypedArrayObjectProtoCla344>, entryCount = 2458419564, removedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static nominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}}, {{impl = {<nsNthIndeSystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized out>, gen = 4396238237696, hashShift = 0, table = 0x3ff7e1ae918, entryCount = 2154983888, removedCount = 1023, static sMinCapacit2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapacity = 1073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, staAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, static sCollisionBit = 1}}, {impl = {<nsNthIndexCache::SystemAllocPolicy> = {<No data fields>}, static CAP_BITS = <optimized ou= 4395867234624, hashShift = 0, table = 0x3ff9437f000, entryCount = 2109952128, removedCount = 1023, static sMinCapacityLog2 = 2, static sMinCapacity = 4, static sMaxInit = 536870912, static sMaxCapa073741824, static sHashBits = 32, static sAlphaDenominator = 4 '\004', static sMinAlphaNumerator = <optimized out>, static sMaxAlphaNumerator = 3 '\003', static sFreeKey = 0, static sRemovedKey = 1, CollisionBit = 1}}}}}, mAncestorFilter = {mFilter = {mRawPtr = 0x0}, mPopTargets = {<nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_Memutils>> = {mHdr = 0x0}, <nsTArray_TypedBase<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned int, nsTArray_Impl<unsigned int, nsTallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}, mHashes = {<nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>> = {<nsTAe<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff7d971400}, <nsTArray_TypedBase<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElelper<unsigned int, nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, mUsingPrivateBrowsise, mSkippingParentDisplayBasedStyleFixup = 240, mForScopedStyle = 55, mStyleScopes = {<nsTArray<mozilla::dom::Element*>> = {<nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator>> = {<nbase<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x1770}, <nsTArray_TypedBase<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<_SafeElementAtHelper<mozilla::dom::Element*, nsTArray_Impl<mozilla::dom::Element*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <Noelds>}, {mAutoBuf = "p\027\000\000\000\000\000\000\030\351\032~\377\003\000", mAlign = {elem = 112 'p'}}}, mCurrentStyleScope = 0x0}, mPendingBindings = {sentinel = {mNext = 0x3ff7d971400, mPrev = 0x1d0, mIsSentinel = 236}}, mCurrentPendingBindingInsertionPoint = 0x3ff7dddbe00}
        containingBlock = <optimized out>
        haveFirstLetterStyle = <optimized out>
        haveFirstLineStyle = <optimized out>
        items = {mItems = {next = 0x3fff0e75ff0, prev = 0x3ff9299ad18 <nsContainerFrame::SyncFrameViewProperties(nsPresContext*, nsIFrame*, nsStyleContext*, nsView*, unsigned int)+648>}, mInlineCount91296, mBlockCount = 1023, mLineParticipantCount = 2109952128, mItemCount = 1023, mDesiredParentCounts = {2115692824, 1023, 2115690816, 1023, 2110248704, 1023, 2115690816, 1023, 2115690720, 1023}, mLaryAtStart = 93, mLineBoundaryAtEnd = 37, mParentHasNoXBLChildren = 11, mTriedConstructingFrames = 166, mUndisplayedItems = {<nsTArray_Impl<nsCSSFrameConstructor::FrameConstructionItemList::UndisplaynsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff7d9796d8}, <nsTArray_TypedBase<nsCSSFrameConstructor::FrameConstructionItemListlayedItem, nsTArray_Impl<nsCSSFrameConstructor::FrameConstructionItemList::UndisplayedItem, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsCSSFrameConstructor::FrameConstructionItUndisplayedItem, nsTArray_Impl<nsCSSFrameConstructor::FrameConstructionItemList::UndisplayedItem, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized No data fields>}}
        parentType = <optimized out>
        iter = {<mozilla::dom::ExplicitChildIterator> = {mParent = 0x3ff7e1ae0e0, mChild = 0x0, mDefaultChild = 0x0, mShadowIterator = {mRawPtr = 0x0}, mIndexInInserted = 262144, mIsFirst = false}, mved = false}
        haveNoXBLChildren = <optimized out>
        frameItems = {<nsFrameList> = {mFirstChild = 0x0, mLastChild = 0x3ff83074000}, <No data fields>}
        captionItems = {<nsFrameList> = {mFirstChild = 0xfc422303fe550c00, mLastChild = 0x3ff00000000}, <No data fields>}
        accService = <optimized out>
#18 0x000003ff928f7840 in nsCSSFrameConstructor::ContentInserted (this=<optimized out>, aContainer=aContainer@entry=0x0, aChild=aChild@entry=0x3ff7dddbe00, aFrameState=aFrameState@entry=0x0, aAllowLauction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsCSSFrameConstructor.cpp:7529
No locals.
#19 0x000003ff9293f400 in PresShell::Initialize (this=0x3ff7d971400, aWidth=<optimized out>, aHeight=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/layout/base/nsPresShell.cpp:1692
        rootFrame = 0x3ff7e1ae918
        root = 0x3ff7dddbe00
        timerStart = <optimized out>
        kungFuDeathGrip = {<nsCOMPtr_base> = {mRawPtr = 0x3ff7d971400}, <No data fields>}
        invalidateFrame = 0x0
        aHeight = <optimized out>
        aWidth = <optimized out>
        this = 0x3ff7d971400
#20 0x000003ff9173411c in nsContentSink::StartLayout (this=<optimized out>, aIgnorePendingSheets=aIgnorePendingSheets@entry=false, this=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/dosContentSink.cpp:1210
No locals.
#21 0x000003ff913f6000 in nsHtml5TreeOpExecutor::StartLayout (this=this@entry=0x3ff83912000) at /usr/src/debug/firefox-49.0/firefox-49.0/parser/html/nsHtml5TreeOpExecutor.cpp:612
No locals.
#22 0x000003ff91415464 in nsHtml5TreeOperation::Perform (this=0x3ff7d9796d8, aBuilder=0x3ff83912000, aScriptElement=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/parser/html/nsHtml5Treon.cpp:990
No locals.
#23 0x000003ff914119a8 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x3ff83912000) at /usr/src/debug/firefox-49.0/firefox-49.0/parser/html/nsHtml5TreeOpExecutor.cpp:448
        guard = {mExecutor = {mRawPtr = 0x3ff83912000}}
        parserKungFuDeathGrip = {<nsCOMPtr_base> = {mRawPtr = 0x3ff83159200}, <No data fields>}
#24 0x000003ff91411cf0 in nsHtml5ExecutorFlusher::Run (this=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/parser/html/nsHtml5StreamParser.cpp:125
No locals.
#25 0x000003ff90dc01f0 in nsThread::ProcessNextEvent (this=0x3ff94570eb0, aMayWait=<optimized out>, aResult=0x3fff0e74957) at /usr/src/debug/firefox-49.0/firefox-49.0/xpcom/threads/nsThread.cpp:1067
        reallyWait = false
        callScriptObserver = true
        obs = {<nsCOMPtr_base> = {mRawPtr = 0x3ff8bbc7c08}, <No data fields>}
        rv = nsresult::NS_OK
        aResult = 0x3fff0e74957
        aMayWait = false
        this = 0x3ff94570eb0
#26 0x000003ff90de30f4 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x3ff94570eb0, aMayWait=aMayWait@entry=false) at /usr/src/debug/firefox-49.0/firefox-49.0/xpcom/glue/nsThreadUtil0
        val = true
#27 0x000003ff91031d34 in mozilla::ipc::MessagePump::Run (this=0x3ff954c7980, aDelegate=0x3ff8dae0080) at /usr/src/debug/firefox-49.0/firefox-49.0/ipc/glue/MessagePump.cpp:100
        did_work = <optimized out>
        thisThread = 0x3ff94570eb0
#28 0x000003ff910132c4 in MessageLoop::Run (this=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/ipc/chromium/src/base/message_loop.cc:235
        save_state = {<MessageLoop::RunState> = {run_depth = 1, quit_received = false}, loop_ = 0x3ff8dae0080, previous_state_ = 0x0}
#29 0x000003ff926a641c in nsBaseAppShell::Run (this=0x3ff8bbc7c00) at /usr/src/debug/firefox-49.0/firefox-49.0/widget/nsBaseAppShell.cpp:156
        thread = 0x3ff94570eb0
#30 0x000003ff92d9784c in nsAppStartup::Run (this=0x3ff87a51af0) at /usr/src/debug/firefox-49.0/firefox-49.0/toolkit/components/startup/nsAppStartup.cpp:284
        rv = -437918235
        retval = <optimized out>
#31 0x000003ff92de1ce0 in XREMain::XRE_mainRun (this=this@entry=0x3fff0e74bf8) at /usr/src/debug/firefox-49.0/firefox-49.0/toolkit/xre/nsAppRunner.cpp:4372
        rv = nsresult::NS_OK
        appStartup = {<nsCOMPtr_base> = {mRawPtr = 0x3ff87a51af0}, <No data fields>}
        cmdLine = {<nsCOMPtr_base> = {mRawPtr = 0x3ff83a5b280}, <No data fields>}
        workingDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff80a92f00}, <No data fields>}
#32 0x000003ff92de2558 in XREMain::XRE_main (this=this@entry=0x3fff0e74bf8, argc=argc@entry=1, argv=argv@entry=0x3fff0e76128, aAppData=aAppData@entry=0x3fff0e74df8) at /usr/src/debug/firefox-49.0/fir0/toolkit/xre/nsAppRunner.cpp:4476
        rv = <optimized out>
        binFile = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471f30}, <No data fields>}
        exit = false
        result = <optimized out>
        appInitiatedRestart = false
#33 0x000003ff92de27b0 in XRE_main (argc=1, argv=0x3fff0e76128, aAppData=0x3fff0e74df8, aFlags=<optimized out>) at /usr/src/debug/firefox-49.0/firefox-49.0/toolkit/xre/nsAppRunner.cpp:4584
        main = {mNativeApp = {<nsCOMPtr_base> = {mRawPtr = 0x3ff96ae38a0}, <No data fields>}, mProfileSvc = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95447450}, <No data fields>}, mProfD = {<nsCOMPtr_base> tr = 0x3ff95472cf0}, <No data fields>}, mProfLD = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95472da0}, <No data fields>}, mProfileLock = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95439280}, <No data fields>}, mRemce = {<nsCOMPtr_base> = {mRawPtr = 0x3ff8078e5c0}, <No data fields>}, mScopedXPCOM = {mTuple = {<mozilla::detail::PairHelper<ScopedXPCOMStartup*, mozilla::DefaultDelete<ScopedXPCOMStartup>, (mozilla::StorageType)1, (mozilla::detail::StorageType)0>> = {<mozilla::DefaultDelete<ScopedXPCOMStartup>> = {<No data fields>}, mFirstA = 0x3ff94530b90}, <No data fields>}}, mAppData = {mRawPtr = 0x3ff96ad11rProvider = {<nsIDirectoryServiceProvider2> = {<nsIDirectoryServiceProvider> = {<nsISupports> = {_vptr.nsISupports = 0x3ff94233370 <vtable for nsXREDirProvider+16>}, <No data fields>}, <No data fieldIProfileStartup> = {<nsISupports> = {_vptr.nsISupports = 0x3ff942333b8 <vtable for nsXREDirProvider+88>}, <No data fields>}, mAppProvider = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mGREnsCOMPtr_base> = {mRawPtr = 0x3ff95471bc0}, <No data fields>}, mGREBinDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471fe0}, <No data fields>}, mXULAppDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471dd0},a fields>}, mProfileDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95472cf0}, <No data fields>}, mProfileLocalDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95472da0}, <No data fields>}, mProfileNotified = true,dleDirectories = {<nsCOMArray_base> = {mArray = {<nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff9<nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, InfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, <No data fields>}, mExtensionDirectories = {<nsCOMArray_base> = {mArray = ay_Impl<nsISupports*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff943bd880 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBasports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <Nields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, <No data fields>}, mThemeDirectories = {<nsCOMArray_base> = {mArray = {<nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator>> rray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x3ff8591a960}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<nsTArraymentAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = 18446744073709551615}, <No data fields>}}, <No data fi mProfileName = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x3ff93655bf8 "default", mLength = 7, mFlags = 65569}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x3fff0"}, mStorage = "\000M\347\360\377\003\000\000/M\347\360\377\003\000\000\000\fU\376\003#B\374\000\360\377֪\002\000\000(a\347\360\377\003\000\000\350M\347\360\377\003\000\000\001\000\000\000\000\000\000V\374֪\002\000"}, mDesktopStartupID = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x3fff0e74d18 "", mLength = 0, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixex3fff0e74d18 ""}, mStorage = "\000\000\000\000\000\000\000\000(M\347\360\377\003\000\000browser\000 \035G\225\377\003\000\000\004\234Ր\377\003\000\000\320\035G\225\377\003\000\000\340!ِ\377\003\000\000\377֪\002\000"}, mStartOffline = false, mShuttingDown = false, mDisableRemote = false, mGdkDisplay = 0x3ff8daa00e0}
        result = <optimized out>
#34 0x000002aad6fc5738 in do_main (argc=1, argv=0x3fff0e76128, envp=<optimized out>, xreDirectory=0x3ff95471bc0) at /usr/src/debug/firefox-49.0/firefox-49.0/browser/app/nsBrowserApp.cpp:242
        appini = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
        rv = <optimized out>
        appDataFile = <optimized out>
        appData = {<nsXREAppData> = {size = 128, directory = 0x3ff95471dd0, vendor = 0x3ff945304b0 "Mozilla", name = 0x3ff945304b8 "Firefox", remotingName = 0x3ff945304c0 "firefox", version = 0x3ff9449.0", buildID = 0x3ff96ae08a0 "20160921082846", ID = 0x3ff96a91780 "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}", copyright = 0x0, flags = 2, xreDirectory = 0x3ff95471bc0, minVersion = 0x3ff945304d0 "49.ersion = 0x3ff945304d8 "49.0", crashReporterURL = 0x3ff945304e0 "", profile = 0x0, UAName = 0x0}, <No data fields>}
        exeFile = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471c70}, <No data fields>}
        greDir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471d20}, <No data fields>}
        appSubdir = {<nsCOMPtr_base> = {mRawPtr = 0x3ff95471dd0}, <No data fields>}
#35 0x000002aad6fc4c78 in main (argc=1, argv=0x3fff0e76128, envp=0x3fff0e76138) at /usr/src/debug/firefox-49.0/firefox-49.0/browser/app/nsBrowserApp.cpp:383
        gotCounters = <optimized out>
        initialRUsage = {ru_utime = {tv_sec = 0, tv_usec = 15000}, ru_stime = {tv_sec = 0, tv_usec = 13000}, {ru_maxrss = 4288, __ru_maxrss_word = 4288}, {ru_ixrss = 0, __ru_ixrss_word = 0}, {ru_idrs_ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 289, __ru_minflt_word = 289}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 0, __ru_nswap_word = 0}, {ru_inblock = 0, __ru_word = 0}, {ru_oublock = 0, __ru_oublock_word = 0}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 0, __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 16, __ru_nvcsw16}, {ru_nivcsw = 3, __ru_nivcsw_word = 3}}
        xreDirectory = 0x3ff95471bc0
        rv = <optimized out>
        result = <optimized out>
(Reporter)

Updated

10 months ago
Flags: needinfo?(jeremy.linton)
Component: Untriaged → Layout
Product: Firefox → Core
Hard to debug this without being able to reproduce myself.

Instead, would you be able to use mozregression to find out when this regressed (assuming it is a regression)?  http://mozilla.github.io/mozregression/
Flags: needinfo?(jeremy.linton)
(Reporter)

Comment 7

9 months ago
Ok, so I started debugging it myself.

At this point it seems its a combination of optimization flags and bugs caused by the lack of C++ initializers for pointers contained in the classes. Lowering/changing the build/optimization flags results in a working build, but for sure I've found a couple of bugs. Most of these have been hidden by the memset() in nsIPresShell::AllocateFrame(). But GCC has decided that stores to into space allocated by new before the construction chain are invalid and subject to dead store elimination.

The backtrace shown in this defect is caused by nsIFrame using a default constructor, which according to the C++ standard isn't required to initialize pointers. And given the overridden new which appears to be picking up memory previously filled with poison values those values then are in pointers contained in the object and propagate through null pointer checks until they crash the application.

(note:  mContent,mStyleContext,mParent,mNextSibling,mPrevSibling values immediately after construction).

(gdb) print *(nsIFrame *) 0xffffa2365c70
$59 = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0xffffb4fea150 <vtable for nsScrollbarFrame+16>}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, 
  static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, 
  static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, 
  static kSelectPopupList = mozilla::layout::kSelectPopupList, static kBackdropList = mozilla::layout::kBackdropList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {
      x = 0, y = 0, width = 0, height = 0}, <No data fields>}, mContent = 0xe5e5e5e5e5e5e5e5, mStyleContext = 0xffffa2364ce0, mParent = 0xe5e5e5e5e5e5e5e5, mNextSibling = 0xe5e5e5e5e5e5e5e5, mPrevSibling = 0xe5e5e5e5e5e5e5e5, mState = 12583938, mOverflow = {mType = 3857049061, mVisualDeltas = {mLeft = 229 '\345', 
      mTop = 229 '\345', mRight = 229 '\345', mBottom = 229 '\345'}}}
(gdb) bt
#0  0x0000ffffb3615b60 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aItem=..., aState=..., aParentFrame=0xffffa2365468, aFrameItems=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:3881
#1  0x0000ffffb3616468 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aState=..., aIter=..., aParentFrame=aParentFrame@entry=0xffffa2365468, aFrameItems=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:6103

Providing a default constructor here moves the problem into nsSplittableFrame, which also fails to initialize mPrevContinuation and mNextContinuation.

Frankly, the compiler itself is throwing hundreds (if not thousands) of use before initialization warnings all over the code base. So it might be a good idea to fix/analyze some of those warnings. Because it seems likely a fair number of similar/intermittent bugs on x86 are showing up too.

For example:
https://bugzilla.redhat.com/show_bug.cgi?id=1332926

Either way, tossing a 

void* __attribute__((optimize("no-lifetime-dse"))) AllocateFrame(nsQueryFrame::FrameIID aID, size_t aSize)

into nsIPressShell seems to fix a whole class of these problems.
(Reporter)

Comment 8

9 months ago
Particulary, a fix like:

  nsIFrame() : nsQueryFrame(), mRect(), mContent(nullptr),
               mStyleContext(nullptr), mParent(nullptr), mNextSibling(nullptr),
               mPrevSibling(nullptr), mState()
  {
  }

in class nsIFrame fixes the defect that causes the crash listed in this defect. That should be considered the "correct" fix rather than hacking the compilers dead store elimination flags.

But by itself, that is insufficient as the constructor in nsSplittableFrame needs 

nsFrame(aContext), mPrevContinuation(nullptr),  mNextContinuation(nullptr)

and on for a few more...
(Reporter)

Comment 9

9 months ago
Also, one final note before I'm OOO for a couple weeks. The arm64/fedora/firefox package is using more aggressive compiler optimizations than the x86 package. I suspect that if the x86 package does something similar this problem can be recreated there as well.
(Reporter)

Updated

9 months ago
Flags: needinfo?(jeremy.linton)

Updated

8 months ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 10

8 months ago
(In reply to Jeremy Linton from comment #9)
> Also, one final note before I'm OOO for a couple weeks. The
> arm64/fedora/firefox package is using more aggressive compiler optimizations
> than the x86 package. I suspect that if the x86 package does something
> similar this problem can be recreated there as well.

Can be the optimization relaxed? May that help with Bug 1333340?
Flags: needinfo?(jeremy.linton)

Comment 11

8 months ago
There's a patch available https://bugzilla.redhat.com/show_bug.cgi?id=1354671#c28

Comment 12

8 months ago
Created attachment 8829952 [details] [diff] [review]
Disable gcc lifetime dead store elimination for operator new
(Reporter)

Comment 13

8 months ago
(In reply to Martin Stránský from comment #10)
> (In reply to Jeremy Linton from comment #9)
> > Also, one final note before I'm OOO for a couple weeks. The
> > arm64/fedora/firefox package is using more aggressive compiler optimizations
> > than the x86 package. I suspect that if the x86 package does something
> > similar this problem can be recreated there as well.
> 
> Can be the optimization relaxed? May that help with Bug 1333340?

As a FYI, I did try to reproduce this on x86 with more agressive optimization settings, and wasn't successful. 

I looked at 1354671, and I can't really tell from just the build log, why xpcshell is having a problem. That said, I would have expected a crash rather than an assertion, particulary since the Id it is asserting can't be joined isn't POD. Plus, its constructor is setting the id_ fields. So, I wouldn't expect a global no-lifetime-dse to fix it. 

I'm generally of the opinion that compiler flags shouldn't influence whether code works or not. So, I'm trying to run a build on a armv7 machine to pin down why its failing. Although the build might not succeed due to lack of ram...
(Assignee)

Comment 14

8 months ago
Julian, is that part of your patch queue for those things? (don't remember the bug #)
Flags: needinfo?(jseward)
Yes, this is one of the failures that my make-it-work-properly-with-gcc-6
work fixed.  The metabug for that is bug 1316555, and I think that the
specific failure here is fixed by bug 1316556.  As of about five hours ago,
all those fixes are in mozilla-central.

Not sure what to do with this bug.  We can close it as a known dup of 1316556,
but that doesn't help the Fedora people build a working version of 50/51/52/53
with gcc 6, plain -O2 and no relaxation of Lifetime DSE.  Unfortunately the
various patches seem to me to be difficult to backport correctly and harder
still to verify correct.

And I'm not 100% sure I've found *all* the gcc 6 related problems yet ..
Flags: needinfo?(jseward)
(Assignee)

Comment 16

8 months ago
Maybe we should just cave in and make the build system add the right flags on its own for older branches. Which, afaict, -fno-schedule-insns2 -fno-delete-null-pointer-checks are enough (that's what I'm using in Debian), but maybe -fno-lifetime-dse is required on some platforms (haven't had problems without it on x86/x86-64, but I know I have weird things happening on arm, but I don't know yet if it's because -fno-lifetime-dse is missing)
Summary: SIGSEGV on aarch64 in nsLayoutUtils::GetLastSibling → SIGSEGV on aarch64 in nsLayoutUtils::GetLastSibling when compiling with gcc6
Does one of you want to own doing either comment 12 or comment 16?  (Both seem reasonable to me, although I suspect Julian has a better idea than I do how much else would be broken if we just take comment 12's patch.)
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(jseward)
(Assignee)

Comment 18

8 months ago
I can own doing comment 16. I don't think comment 12 is going to cut it, there is much more than that that gcc 6 is breaking, as other bugs have showed. We have to agree on a set of flags, though, and on what branch we want to have which ones. (Some of them are probably not necessary with some of Julian's patches having landed)
Flags: needinfo?(mh+mozilla)
Assignee: nobody → mh+mozilla
Component: Layout → Build Config
(In reply to Mike Hommey [:glandium] from comment #18)
> I can own doing comment 16. I don't think comment 12 is going to cut it,
> there is much more than that that gcc 6 is breaking, as other bugs have
> showed.

OK.  Yes we need to do comment 16.  I think the flags should include
-fno-lifetime-dse and -fno-delete-null-pointer-checks.  I'm not sure
why -fno-schedule-insns2 is relevant -- I'm not aware of problems
relating to insn scheduling, but that doesn't mean there aren't any.
Martin, why is that flag necessary?

> [..] and on what branch we want to have which ones.

Just so long as they don't wind up on trunk -- that would be really
confusing now.

viz branches, are you proposing to push these flags into aurora/beta/release?
Or do I misunderstand?
Flags: needinfo?(jseward) → needinfo?(stransky)
(Assignee)

Comment 20

8 months ago
Last time I did try pushes with gcc 6, not having -fno-schedule-insns2 would lead to some unit tests failing.

> viz branches, are you proposing to push these flags into aurora/beta/release?

Yes.

Comment 21

8 months ago
(In reply to Julian Seward [:jseward] from comment #19)
> -fno-lifetime-dse and -fno-delete-null-pointer-checks.  I'm not sure
> why -fno-schedule-insns2 is relevant -- I'm not aware of problems
> relating to insn scheduling, but that doesn't mean there aren't any.
> Martin, why is that flag necessary?

Sorry, I have no idea.
Flags: needinfo?(stransky)
(Assignee)

Comment 22

8 months ago
I have try pushes of unmodified source code from beta, aurora and inbound building against GCC6. I don't have the results for aurora and beta yet, but as far as inbound is concerned, unit tests are all green without any flags.
(Assignee)

Comment 23

8 months ago
Julian, do you expect beta and aurora to be fine with GCC6? because I'm getting an all green on try for both without adding any compiler flags.
Flags: needinfo?(jseward)
Based on which fixes landed when, I would expect them both to fail
some of the time.  That said, I suspect it depends on the optimisation
level in as much as that controls how aggressively gcc inlines.
What opt level is this with?  -Os ?
Flags: needinfo?(jseward)
(In reply to Mike Hommey [:glandium] from comment #23)
> Julian, do you expect beta and aurora to be fine with GCC6? because I'm
> getting an all green on try for both without adding any compiler flags.

Building mozilla-beta with gcc-6.3.1 on Fedora 25 x86_64 at -O2 gets me
a build that fails almost instantly at startup, using the mozconfig below:

++DOMWINDOW == 5 (0x3c2b430) [pid = 31598] [serial = 5] [outer = 0x33ee510]
[31598] ###!!! ASSERTION: Double-initing a frame?: '!mContent', file /home/sewardj/MOZ/M_BETA/layout/generic/nsFrame.cpp, line 516
[31598] ###!!! ASSERTION: Shouldn't happen: '!aNewFrame->GetNextSibling()', file /home/sewardj/MOZ/M_BETA/layout/base/nsCSSFrameConstructor.cpp, line 1258

Program ./ff-O2-linux64-dbg/dist/bin/firefox-bin (pid = 31598) received signal 11.

and that problem (with aNewFrame, mContext, etc) is caused by lifetime-dse in gcc6
- I fixed it in bug 1316556.

To sum up, I would say that in this case, getting green on try is not an
adequate correctness check.  I suspect try uses -Os, which presumably reduces
gcc's inlining aggressiveness and so does not bring together the sequence
"allocate; memset-zero; begin constructor" that causes problems.

It seems reasonable to me to expect that at least some people will
want to build/package Fx with gcc6 at -O2 and so we need to test
at least to that level of optimisation.

------------

sewardj@dundee:~/MOZ/M_BETA$ cat $MOZCONFIG
. $topsrcdir/browser/config/mozconfig
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/ff-O2-linux64-dbg
ac_add_options --enable-tests

ac_add_options --enable-optimize="-g -O2"
ac_add_options --enable-debug-symbols
ac_add_options --enable-debug

ac_add_options --enable-valgrind

ac_add_options --enable-profiling
ac_add_options --enable-elf-hack

ac_add_options --disable-crashreporter

## Shouldn't really need this
ac_add_options --disable-jemalloc

mk_add_options MOZ_MAKE_FLAGS="-j8"
mk_add_options AUTOCLOBBER=1
(Assignee)

Comment 26

8 months ago
Here is a try push of beta building with GCC 6.3.0 with --enable-optimize=-O2.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=15ebb6858d6e6624ad8fae2b2124c932e49c70d1

Tests are still running fine.
(Assignee)

Comment 27

8 months ago
... but that's not a debug build.
The debug builds fail more often than the non-debug ones, I assume because there
are more member fields that potentially don't get initialised as a result of
the lifetime-dse transformation.

I re-tested debug -O2 builds of both beta and aurora just now.  Beta fails
immediately at startup.  Aurora will at least start up, visit techcrunch.com
and quit, without crashing.  Presumably because it has more of the fixes that
got pushed into trunk over the past couple of months.
(Assignee)

Comment 29

8 months ago
Ok, there's something weird here... I did another beta build with GCC 6.3.0 with --enable-optimize=-O2, and the unit tests were still all green.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f9080424c42041d282683b4082ee7f1d94f8f791

Is Fedora maybe enabling non-default stuff in their GCC?

Julian, do you get crashes if you build with https://queue.taskcluster.net/v1/task/J33M6kH6S_ue9uyBvXuDJg/artifacts/public/gcc.tar.xz instead of Fedora's GCC?
Flags: needinfo?(jseward)
(Assignee)

Comment 30

8 months ago
(In reply to Mike Hommey [:glandium] from comment #29)
> I did another beta build with GCC 6.3.0

a debug build, that is.
(Reporter)

Comment 31

8 months ago
(In reply to Mike Hommey [:glandium] from comment #29)
> Ok, there's something weird here... I did another beta build with GCC 6.3.0
> with --enable-optimize=-O2, and the unit tests were still all green.
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=f9080424c42041d282683b4082ee7f1d94f8f791
> 
> Is Fedora maybe enabling non-default stuff in their GCC?

AFAIK, No, and when syncing the x86 and ARM64 flags, the x86 seemed to work while the ARM64 build died instantly due to the memset() in operator new(). So, it just appears that the ARM64 back-end is a lot better/more aggressive at DSE. Simply putting the no-lifetime-dse in the operator new() path made it appear as robust as the x86.
(Assignee)

Comment 32

8 months ago
So, after several try pushes, this is what we know:
- -O2 opt builds look fine, for some reason.
- -O2 debug builds have a large number of orange tests. Like almost (but not) all of them. (turns out my previous attempt was not using -O2, but -Os, because I hadn't changed the right mozconfig for a debug build)
- After trying all combinations of the three flags mentioned in this bug, it turns out that -fno-lifetime-dse alone fixes everything. I'm actually surprised that -fno-delete-null-pointer-checks doesn't make a difference. Maybe it does at -O3. That's what I'm going to try next.
(In reply to Mike Hommey [:glandium] from comment #32)
> - After trying all combinations of the three flags mentioned in this bug, it
> turns out that -fno-lifetime-dse alone fixes everything. I'm actually
> surprised that -fno-delete-null-pointer-checks doesn't make a difference.

That might be because we fixed all detected cases of missing null pointer
checks relatively early in the process, whereas the LDSE fixes have been
more recent.
Flags: needinfo?(jseward)
(Assignee)

Comment 34

8 months ago
> Maybe it does at -O3. That's what I'm going to try next.

-O3 -fno-lifetime-dse gets green tests too.

So I guess we can live with just adding -fno-lifetime-dse. Julian, do you agree?
Flags: needinfo?(jseward)
(In reply to Mike Hommey [:glandium] from comment #34)
> So I guess we can live with just adding -fno-lifetime-dse. Julian, do you
> agree?

Yes I agree.

I did 4 test builds, all --enable-debug, with the following results
(testing with a startup, load techcrunch.com and quit)

Aurora: -O2 only                 OK
Beta:   -O2 only                 FAIL

Aurora: -O2 -fno-lifetime-dse    OK
Beta:   -O2 -fno-lifetime-dse    OK

Although it seems from this that we only need to patch beta, I would
prefer to patch aurora too.  I am fairly confident that trunk is now
OK with plain -O2, but I'm not confident that aurora contains all
the relevant fixes.  So I'd prefer to err on the side of safety here.
Flags: needinfo?(jseward)
(In reply to Julian Seward [:jseward] from comment #35)
(A bit more ..)
> So I'd prefer to err on the side of safety here.

Also because of Jeremy's observation in comment #31 that builds on aarch64-linux
may give different exposure to lifetime-dse problems compared to x86_64-linux,
and we're only testing on x86_64-linux here.
Comment hidden (mozreview-request)
(In reply to Mike Hommey [:glandium] from comment #37)
> Created attachment 8833243 [details]
> Bug 1321579 - Add -fno-lifetime-dse when building with GCC >= 5.0.

Tested OK (start, techcrunch.com, quit), no crash, for m-beta,
gcc (GCC) 6.3.1 20161221 (Red Hat 6.3.1-1), --enable-optimize="-g -O2".
(In reply to Julian Seward [:jseward] from comment #38)
> --enable-optimize="-g -O2".
I should add: also with ac_add_options --enable-debug, since that's the failing case.

Comment 40

8 months ago
mozreview-review
Comment on attachment 8833243 [details]
Bug 1321579 - Add -fno-lifetime-dse when building with GCC >= 5.0.

https://reviewboard.mozilla.org/r/109454/#review110584

Thank you for the explanatory comments.
Attachment #8833243 - Flags: review?(nfroyd) → review+
(Assignee)

Comment 41

8 months ago
Comment on attachment 8833243 [details]
Bug 1321579 - Add -fno-lifetime-dse when building with GCC >= 5.0.

Approval Request Comment
[User impact if declined]: Building with GCC 6 results in broken builds
[Is this code covered by automated tests?]: N/A
[Has the fix been verified in Nightly?]: N/A
[Needs manual test from QE? If yes, steps to reproduce]: N/A
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: The change only applies to people building with GCC >= 5. Mozilla builds are using GCC 4.8 or 4.9 depending on which train we are on. The patch is actually not required on central because Gecko was fixed to compile properly without disabling lifetime-dse. That's why it hasn't landed before this approval request. We only want this on aurora and beta. We /could/ get this on esr45, but at this point, anyone who has been building esr45 with GCC6 will have worked around the issue somehow on their own.
[Why is the change risky/not risky?]: NPOTB
[String changes made/needed]: None
Attachment #8833243 - Flags: approval-mozilla-beta?
Attachment #8833243 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 42

8 months ago
I just found out that -fschedule-insns, which is enabled at -O2 and -O3 breaks the ion jit on at least armhf with GCC6. Julian, any opinion wrt disabling that across the board vs. only arm?
Flags: needinfo?(jseward)
Comment on attachment 8833243 [details]
Bug 1321579 - Add -fno-lifetime-dse when building with GCC >= 5.0.

NPOTB, please go ahead for aurora and beta.
Attachment #8833243 - Flags: approval-mozilla-beta?
Attachment #8833243 - Flags: approval-mozilla-beta+
Attachment #8833243 - Flags: approval-mozilla-aurora?
Attachment #8833243 - Flags: approval-mozilla-aurora+

Comment 44

8 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/5254b7f0b149
status-firefox53: --- → fixed

Comment 45

8 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-beta/rev/6a044187aa43
status-firefox52: --- → fixed
Status: NEW → RESOLVED
Last Resolved: 8 months ago
status-firefox54: --- → unaffected
Resolution: --- → FIXED
Flags: needinfo?(jseward)

Updated

8 months ago
Blocks: 1316555

Comment 46

7 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/6a044187aa43
status-firefox-esr52: --- → fixed
(Reporter)

Updated

3 months ago
Flags: needinfo?(jeremy.linton)
You need to log in before you can comment on or make changes to this bug.