1364139 - Assertion failure: !aContent || aContent->IsElement() || (aFrame && aContent->GetParent() && aFrame->PresContext()->FrameManager()-> GetDisplayContentsStyleFor(aContent->GetParent() @ [/home/worker/workspace/build/src/layout/base/nsStyleChangeList.cpp:39]

Status: RESOLVED FIXED

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Testcase found while fuzzing mozilla-central rev 20170510-d8762cb96742.

Assertion failure: !aContent || aContent->IsElement() || (aFrame && aContent->GetParent() && aFrame->PresContext()->FrameManager()-> GetDisplayContentsStyleFor(aContent->GetParent())) || (aContent->IsNodeOfType(nsINode::eTEXT) && aContent->IsStyledByServo() && aContent->HasFlag(NODE_NEEDS_FRAME) && aHint & nsChangeHint_ReconstructFrame) (Shouldn't be trying to restyle non-elements directly, except if it's a display:contents child or a text node doing lazy frame construction), at /home/worker/workspace/build/src/layout/base/nsStyleChangeList.cpp:39

ASAN:DEADLYSIGNAL
=================================================================
==26348==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2b210278ee bp 0x7ffeb1748d10 sp 0x7ffeb1748c00 T0)
==26348==The signal is caused by a WRITE memory access.
==26348==Hint: address points to the zero page.
    #0 0x7f2b210278ed in nsStyleChangeList::AppendChange(nsIFrame*, nsIContent*, nsChangeHint) /home/worker/workspace/build/src/layout/base/nsStyleChangeList.cpp:25:3
    #1 0x7f2b20ee7f83 in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1335:20
    #2 0x7f2b20eeef0f in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2701:7
    #3 0x7f2b20eec0b6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
    #4 0x7f2b20ef5e1a in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #5 0x7f2b20ef230d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #6 0x7f2b20eec86c in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #7 0x7f2b20ef5e1a in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #8 0x7f2b20ef230d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #9 0x7f2b20eec86c in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #10 0x7f2b20ef5e1a in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #11 0x7f2b20ef230d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #12 0x7f2b20eec86c in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #13 0x7f2b20ef6bea in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3120:16
    #14 0x7f2b20ee1f01 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3531:3
    #15 0x7f2b20ee13eb in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Regression Range:
INFO: Last good revision: 620f5ed5c91ec42874c6b725d8caddb713bbe022
INFO: First bad revision: bd7af7e530068aeebf1c357bfed8e8d4c43e2d05
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=620f5ed5c91ec42874c6b725d8caddb713bbe022&tochange=bd7af7e530068aeebf1c357bfed8e8d4c43e2d05

Fix Range:
INFO: First good revision: a83033b39544a5a179d7164f304216843ac9773e
INFO: Last bad revision: de9ea32f4238bbb9dfc05f2c01e664a58bffb7e5
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=de9ea32f4238bbb9dfc05f2c01e664a58bffb7e5&tochange=a83033b39544a5a179d7164f304216843ac9773e

Cam, should we call this a dupe of bug 1368617 or fixed by it? Is it worth landing the testcase here as a crashtest still?

Comment 2

[Cameron McCormack (:heycam)]

Yeah, looks like a dupe, given the contents of the test too.  Still, may as well land it.

Comment 3

[Pulsebot]

Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a8db9f479a1
Crashtest for ::first-letter/::first-line text node inheritance problems. r=me

Comment 4

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/8a8db9f479a1