Closed
Bug 1384161
Opened 7 years ago
Closed 7 years ago
Assertion failure: parent || !aContent->GetParent() (no non-elements), at /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:141
Categories
(Core :: DOM: Selection, defect, P3)
Core
DOM: Selection
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | wontfix |
| firefox56 | --- | wontfix |
| firefox57 | --- | fixed |
| firefox58 | --- | unaffected |
People
(Reporter: jkratzer, Assigned: ayg)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
725 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.
Assertion failure: parent || !aContent->GetParent() (no non-elements), at /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:141
ASAN:DEADLYSIGNAL
=================================================================
==24076==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdfed37c805 bp 0x7fff38fc74b0 sp 0x7fff38fc74a0 T0)
==24076==The signal is caused by a WRITE memory access.
==24076==Hint: address points to the zero page.
#0 0x7fdfed37c804 in ParentForUndisplayedMap(nsIContent const*) /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:141:3
#1 0x7fdfed37c6ff in nsFrameManager::GetUndisplayedNodeInMapFor(nsFrameManagerBase::UndisplayedMap*, nsIContent const*) /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:161:24
#2 0x7fdfed37c6c8 in nsFrameManager::GetStyleContextInMap(nsFrameManagerBase::UndisplayedMap*, nsIContent const*) /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:150:27
#3 0x7fdfed4da96d in nsFrameSelection::GetFrameForNodeOffset(nsIContent*, int, mozilla::CaretAssociationHint, int*) const /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:1645:32
#4 0x7fdfe9cd7a68 in mozilla::dom::Selection::GetSelectionEndPointGeometry(short, nsRect*) /home/worker/workspace/build/src/dom/base/Selection.cpp:3429:28
#5 0x7fdfe9cd7624 in mozilla::dom::Selection::GetSelectionAnchorGeometry(short, nsRect*) /home/worker/workspace/build/src/dom/base/Selection.cpp:3365:14
#6 0x7fdfe9cd36a7 in mozilla::dom::Selection::ScrollIntoView(short, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, int) /home/worker/workspace/build/src/dom/base/Selection.cpp:3587:21
#7 0x7fdfe9cd8106 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /home/worker/workspace/build/src/dom/base/Selection.cpp:3484:15
#8 0x7fdfed25d799 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1848:22
#9 0x7fdfed26706e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
#10 0x7fdfed266e3d in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:5
#11 0x7fdfed26a555 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:768:5
#12 0x7fdfed2694e6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:681:35
#13 0x7fdfed265447 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:527:20
#14 0x7fdfe7a1a0fc in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1579:14
#15 0x7fdfe7a1fe60 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#16 0x7fdfe858afb5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#17 0x7fdfe84d7127 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:321:10
#18 0x7fdfe84d6fb9 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:294:3
#19 0x7fdfecd78f8a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#20 0x7fdfeff0f601 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:287:30
|
||
Updated•7 years ago
|
Priority: -- → P3
|
|
||
Updated•7 years ago
|
status-firefox57:
--- → wontfix
status-firefox58:
--- → fix-optional
|
||
Comment 1•7 years ago
|
||
Regression range goes back more than a year, which is the furthest back mozregression can bisect debug builds.
Fix range:
INFO: First good revision: 0bda6393453ef6ca289a37aa723f87f91160c66f
INFO: Last bad revision: fb2e833fe98deb0f1aeaf3d3b0b8ade309eb5c8e
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fb2e833fe98deb0f1aeaf3d3b0b8ade309eb5c8e&tochange=0bda6393453ef6ca289a37aa723f87f91160c66f
Fixed by bug 1359397. NI myself to land the testcase as a crashtest.
Assignee: nobody → ayg
Has Regression Range: --- → yes
status-firefox56:
--- → wontfix
status-firefox-esr52:
--- → wontfix
Depends on: 1359397
Flags: needinfo?(ryanvm)
Target Milestone: --- → mozilla57
|
|
||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b7d1b49c8f96
Add crashtest. r=me
|
|
||
Updated•7 years ago
|
Flags: needinfo?(ryanvm) → in-testsuite+
|
||
Comment 3•7 years ago
|
||
| bugherder | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•