Closed Bug 1344312 Opened 7 years ago Closed 7 years ago

MOZ_CrashPrintf in [@ nsCellMap::ShrinkWithoutRows]

Categories

(Core :: Layout: Tables, defect)

defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1344628
Tracking Status
firefox54 --- affected

People

(Reporter: tsmith, Assigned: neerja)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file test_case.html
==31566==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000050dcb6 bp 0x7ffc98495c00 sp 0x7ffc98495aa0 T0)
    #0 0x50dcb5 in MOZ_CrashPrintf /home/worker/workspace/build/src/mfbt/Assertions.cpp:63:3
    #1 0x7f3b7bac9a5f in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /home/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
    #2 0x7f3b82a68620 in ElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1042:7
    #3 0x7f3b82a68620 in operator[] /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1080
    #4 0x7f3b82a68620 in nsCellMap::ShrinkWithoutRows(nsTableCellMap&, int, int, int, mozilla::TableArea&) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:1884
    #5 0x7f3b82a5e2f3 in nsTableCellMap::RemoveRows(int, int, bool, mozilla::TableArea&) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:522:7
    #6 0x7f3b82a88ccc in nsTableFrame::RemoveRows(nsTableRowFrame&, int, bool) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1087:5
    #7 0x7f3b82af3557 in nsTableRowGroupFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /home/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1616:5
    #8 0x7f3b825c34c5 in RemoveFrame /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:525:5
    #9 0x7f3b825c34c5 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8570
    #10 0x7f3b825afc43 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9759:10
    #11 0x7f3b825c1165 in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12611:7
    #12 0x7f3b825bcf05 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7540:7
    #13 0x7f3b825b7d88 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7183:5
    #14 0x7f3b825b7e35 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7190:7
    #15 0x7f3b825b7e35 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7190:7
    #16 0x7f3b825b7e35 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7190:7
    #17 0x7f3b825b7e35 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7190:7
    #18 0x7f3b824c9632 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:464:3
    #19 0x7f3b82515e20 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #20 0x7f3b82515e20 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4184
    #21 0x7f3b7e5b8b6e in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
    #22 0x7f3b7e5b8b6e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7984
    #23 0x7f3b7d55f1b1 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:685:9
    #24 0x7f3b7d561714 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #25 0x7f3b7d5622cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
    #26 0x7f3b7bd5997b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:634:18
    #27 0x7f3b7e5bfdbb in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8840:7
    #28 0x7f3b7e5bf95b in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8766:9
    #29 0x7f3b7e595b8c in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5293:3
    #30 0x7f3b7e66fa02 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #31 0x7f3b7e66fa02 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #32 0x7f3b7e66fa02 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #33 0x7f3b7bb9f9a2 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #34 0x7f3b7bb9c250 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #35 0x7f3b7c9a0e5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #36 0x7f3b7c9121f8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #37 0x7f3b7c9121f8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #38 0x7f3b7c9121f8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #39 0x7f3b81d7939f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #40 0x7f3b8540a911 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #41 0x7f3b855d669c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4476:10
    #42 0x7f3b855d8198 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4654:8
    #43 0x7f3b855d945c in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4745:16
    #44 0x4dffaf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:10
    #45 0x4dffaf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #46 0x7f3b96fc682f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #47 0x41c3d8 in _start (/home/user/workspace/browsers/firefox_cnt/firefox+0x41c3d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/mfbt/Assertions.cpp:63:3 in MOZ_CrashPrintf
==31566==ABORTING
Flags: in-testsuite?
I'm guessing this might be the same issue as in bug 1344542?
This bug has a testcase though.
Flags: needinfo?(npancholi)
(In reply to Mats Palmgren (:mats) from comment #1)
> I'm guessing this might be the same issue as in bug 1344542?
> This bug has a testcase though.

I'll take a look and mark as duplicate if needed. Thanks.
Assignee: nobody → npancholi
Flags: needinfo?(npancholi)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security