Closed Bug 1350372 Opened 8 years ago Closed 7 years ago

Crash near null [@ GetBoolFlag | mozilla::AnimationCollection<mozilla::dom::CSSTransition>::GetAnimationCollection]

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox55 --- affected
firefox58 --- fixed

People

(Reporter: truber, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
The attached testcase crashes near null in mozilla-central rev 72bc265f157f.

==22974==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000032 (pc 0x7f6d875444bb bp 0x7ffdc17e1d90 sp 0x7ffdc17e1d90 T0)
==22974==The signal is caused by a READ memory access.
==22974==Hint: address points to the zero page.
    #0 0x7f6d875444ba in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1595:12
    #1 0x7f6d875444ba in MayHaveAnimations /home/worker/workspace/build/src/dom/base/nsINode.h:1641
    #2 0x7f6d875444ba in mozilla::AnimationCollection<mozilla::dom::CSSTransition>::GetAnimationCollection(mozilla::dom::Element const*, mozilla::CSSPseudoElementType) /home/worker/workspace/build/src/layout/style/AnimationCollection.cpp:46
    #3 0x7f6d878600ae in nsTransitionManager::StyleContextChanged(mozilla::dom::Element*, nsStyleContext*, RefPtr<nsStyleContext>*) /home/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:499:5
    #4 0x7f6d878ce28f in TryInitiatingTransition /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:672:38
    #5 0x7f6d878ce28f in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2674
    #6 0x7f6d878caa62 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1832:7
    #7 0x7f6d878d46aa in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3443:27
    #8 0x7f6d878d1b5d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2963:7
    #9 0x7f6d878cb27b in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1986:5
    #10 0x7f6d878d46aa in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3443:27
    #11 0x7f6d878d1b5d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2963:7
    #12 0x7f6d878cb27b in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1986:5
    #13 0x7f6d878d46aa in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3443:27
    #14 0x7f6d878d1b5d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2963:7
    #15 0x7f6d878cb27b in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1986:5
    #16 0x7f6d878d6c76 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3107:16
    #17 0x7f6d878c0a74 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3518:3
    #18 0x7f6d878bff5f in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:152:5
    #19 0x7f6d879489ae in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
    #20 0x7f6d879489ae in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #21 0x7f6d878c3db6 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:23
    #22 0x7f6d878c3db6 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:504
    #23 0x7f6d8790db36 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #24 0x7f6d8790db36 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4184
Flags: in-testsuite?
Flags: needinfo?(hikezoe)
The target element (_moz_generated_content_before) in nsTransitionManager::StyleContextChanged does not have a parent element at that moment, whereas the target nsIFrame does have a parent nsIFrame. Before the crash we get the assertion below:

###!!! ASSERTION: property should only be set on first continuation/ib-sibling: 'nsLayoutUtils::IsFirstContinuationOrIBSplitSibling(aOwnerFrame)', file /home/ikezoe/central/layout/base/nsCSSFrameConstructor.cpp, line 6132

I am not sure this is an animation problem.
Flags: needinfo?(hikezoe)
See Also: → 1145931, 1251800
Is that a bug in nsTransitionManager::StyleContextChanged still? Should it check that aElement is not a null pointer before dereferencing it?
Component: DOM: Animation → CSS Parsing and Computation
What I don't quite understand is whether it's a normal case that a generated content element is not yet associated with a parent element (i.e. nsINode::mParent is null) when we call StyleContextChanged(). If it's normal, we should add a null check; if it's illegal in the first place, we should fix the real cause and add an assertion in StyleContextChanged().
Depends on: 1381134
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
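The following is an added illustration, not Gecko code and not the patch that closed this bug: a minimal C++ model of the near-null read the ASan report shows (a pseudo-element whose generated node has no parent yet, with a flag word read through that null parent), beside the two remedies the last comment weighs, a null check for a legal transient state and an assertion for an illegal one. Node, AnimationCollection, OwningElementFor, GetCollectionUnchecked and GetCollectionChecked are names constructed for this example.

```cpp
// Added example (not from Gecko or from this bug's fix). Models the crash
// pattern: a flag read through a null parent pointer lands a few bytes into
// the zero page, which ASan reports as "SEGV on unknown address 0x...32".
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct AnimationCollection {
    int transitions = 0;
};

// Stand-in for nsINode: a parent pointer followed by a word of bool flags.
struct Node {
    Node* mParent = nullptr;                 // null until inserted under a parent
    uint32_t mBoolFlags = 0;                 // bit 0: "may have animations"
    AnimationCollection* mCollection = nullptr;

    Node* GetParent() const { return mParent; }
    bool MayHaveAnimations() const { return (mBoolFlags & 1u) != 0; }
};

// Pseudo-elements (::before) hang off their originating element, so the
// lookup first walks to the parent, as the comments describe for
// StyleContextChanged. (Constructed helper, not Gecko's.)
static Node* OwningElementFor(const Node* aTarget, bool aIsPseudo) {
    return aIsPseudo ? aTarget->GetParent() : const_cast<Node*>(aTarget);
}

// "Before": trusts that the owner exists. For an unparented generated node
// owner is null, and reading mBoolFlags through it is the near-null read.
AnimationCollection* GetCollectionUnchecked(const Node* aTarget, bool aIsPseudo) {
    Node* owner = OwningElementFor(aTarget, aIsPseudo);
    if (!owner->MayHaveAnimations()) {       // undefined behaviour when owner is null
        return nullptr;
    }
    return owner->mCollection;
}

// "After": both options from the last comment. If a missing parent is a legal
// transient state, "no owner" simply means "no collection". If it is not, the
// assertion fails a debug build at the real cause instead of a few frames later.
AnimationCollection* GetCollectionChecked(const Node* aTarget, bool aIsPseudo,
                                          bool aMissingParentIsLegal = true) {
    Node* owner = OwningElementFor(aTarget, aIsPseudo);
    assert(aMissingParentIsLegal || owner != nullptr);
    if (!owner || !owner->MayHaveAnimations()) {
        return nullptr;
    }
    return owner->mCollection;
}

// Why the faulting address is "near null": a null base plus the field offset.
size_t FlagWordOffset() { return offsetof(Node, mBoolFlags); }

// Scenario helpers so the behaviour can be checked without triggering UB.
bool OrphanPseudoReturnsNoCollection() {
    Node orphanBefore;                       // generated node, no parent yet
    return GetCollectionChecked(&orphanBefore, true) == nullptr;
}

bool AttachedPseudoFindsOwnerCollection() {
    AnimationCollection coll;
    coll.transitions = 3;
    Node owner;
    owner.mBoolFlags = 1u;
    owner.mCollection = &coll;
    Node before;
    before.mParent = &owner;
    return GetCollectionChecked(&before, true) == &coll &&
           GetCollectionUnchecked(&before, true) == &coll;
}

int main() {
    printf("orphan pseudo handled: %d\n", OrphanPseudoReturnsNoCollection());
    printf("attached pseudo found owner's collection: %d\n",
           AttachedPseudoFindsOwnerCollection());
    printf("flag word sits %zu bytes above a null base\n", FlagWordOffset());
    return 0;
}
```

The unchecked variant is only ever called with a parented node here; calling it on the orphan would reproduce the crash rather than demonstrate a fix. Which of the two checked behaviours is right depends on the answer to the question in the last comment, which is why the example keeps the assertion switchable rather than picking one.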
