Open Bug 1387137 Opened 3 years ago Updated 3 years ago

Assertion failure: aInsertion->mParentFrame->GetContent() == fakeInsertion.mParentFrame->GetContent(), at /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7019

Categories

(Core :: Layout, defect, P3)

Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [fixed by stylo])

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170726-e8400551c2e3.

Assertion failure: aInsertion->mParentFrame->GetContent() == fakeInsertion.mParentFrame->GetContent(), at /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7019

ASAN:DEADLYSIGNAL
=================================================================
==23121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f84f09ec97c bp 0x7ffd611f9fc0 sp 0x7ffd611f9d60 T0)
==23121==The signal is caused by a WRITE memory access.
==23121==Hint: address points to the zero page.
    #0 0x7f84f09ec97b in nsCSSFrameConstructor::GetInsertionPrevSibling(nsCSSFrameConstructor::InsertionPoint*, nsIContent*, bool*, bool*, nsIContent*, nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6981:5
    #1 0x7f84f09ee9e9 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8160:27
    #2 0x7f84f09ea094 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10061:9
    #3 0x7f84f09498a4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:1513:25
    #4 0x7f84f0933331 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3557:3
    #5 0x7f84f0932803 in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:228:5
    #6 0x7f84f0999990 in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:94:22
    #7 0x7f84f0998020 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:255:11
    #8 0x7f84f0935634 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:579:3
    #9 0x7f84f096bbfd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4195:41
    #10 0x7f84f0900aa0 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1895:18
    #11 0x7f84f0909f1e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
    #12 0x7f84f0909ced in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:5
    #13 0x7f84f090d405 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:768:5
    #14 0x7f84f090c396 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:681:35
    #15 0x7f84f09082f7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:527:20
    #16 0x7f84eb0bf4ec in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1579:14
    #17 0x7f84eb0c5250 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #18 0x7f84ebc2b545 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #19 0x7f84ebb7a287 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #20 0x7f84ebb7a119 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #21 0x7f84f041c06a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #22 0x7f84f35b5f91 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:287:30
    #23 0x7f84f37134b2 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4596:22
    #24 0x7f84f37150fa in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4760:8
    #25 0x7f84f3715fe8 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4855:21
    #26 0x4ecaf8 in do_main(int, char**, char**) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #27 0x4ec410 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309:16
    #28 0x7f850937982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x41e144 in _start (/home/forb1dden/builds/mc-asan-debug/firefox+0x41e144)
Priority: -- → P3
Only reproduces with Stylo disabled.
INFO: Last good revision: 9c84a2fe933e61f44ddcab3c377a04dd06280413
INFO: First bad revision: e2a697abd5d350428bdc7724ac043d2303b1c0c2
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9c84a2fe933e61f44ddcab3c377a04dd06280413&tochange=e2a697abd5d350428bdc7724ac043d2303b1c0c2
Has Regression Range: --- → yes
Whiteboard: [fixed by stylo]