Closed
Bug 1407892
Opened 7 years ago
Closed 3 years ago
Crash near null [@ get | StyleDisplay | IsFloating]
Categories: Core :: Layout, defect
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 20d9ad08dd36.

==12650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f0e96bb85bc bp 0x7ffcbe0804b0 sp 0x7ffcbe080480 T0)
==12650==The signal is caused by a READ memory access.
==12650==Hint: address points to the zero page.
    #0 0x7f0e96bb85bb in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f0e96bb85bb in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f0e96bb85bb in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100
    #3 0x7f0e96bb85bb in IsFloating /builds/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:47
    #4 0x7f0e96bb85bb in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:76
    #5 0x7f0e969d772e in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
    #6 0x7f0e968fce3e in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5384:26
    #7 0x7f0e96900d46 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5517:10
    #8 0x7f0e96bb8625 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:78:7
    #9 0x7f0e969d772e in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
    #10 0x7f0e96a41e0a in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:537:35
    #11 0x7f0e968fce3e in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5384:26
    #12 0x7f0e96900d46 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5517:10
    #13 0x7f0e96bb8625 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:78:7
    #14 0x7f0e969d772e in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
    #15 0x7f0e96a41e0a in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:537:35
    #16 0x7f0e96a48f47 in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5798:22
    #17 0x7f0e96a48f47 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:843
    #18 0x7f0e96a50221 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5057:24
    #19 0x7f0e9697c4ae in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:13
    #20 0x7f0e96978a05 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:757:30
    #21 0x7f0e96977b28 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #22 0x7f0e96b94861 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:183:22
    #23 0x7f0e96b94861 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #24 0x7f0e96a00964 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
    #25 0x7f0e969ff578 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #26 0x7f0e969f7059 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #27 0x7f0e969f0c88 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
    #28 0x7f0e969e678f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
    #29 0x7f0e969dd542 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1235:3
    #30 0x7f0e96a39c4a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #31 0x7f0e96a38581 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:751:5
    #32 0x7f0e96a39c4a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #33 0x7f0e96afbdf8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:550:3
    #34 0x7f0e96afd4ae in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:662:3
    #35 0x7f0e96b00659 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #36 0x7f0e969c4623 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #37 0x7f0e969c2f85 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:330:7
    #38 0x7f0e967c5e3c in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8944:11
    #39 0x7f0e967d9f01 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9117:24
    #40 0x7f0e967d9167 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4183:11
Flags: in-testsuite?
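As an added example (not from the bug report or from Mozilla's own fuzzing tooling), a small Python parser that pulls the fault address, access kind and frames out of the AddressSanitizer report above, classifies the fault as near-null (address inside the first page, 0x20 here, so the read hits unmapped memory and crashes rather than touching attacker-influenced data) and derives the "[@ get | StyleDisplay | IsFloating]" signature used in the bug title. The rule that skips operator frames when building the signature and the 0x1000 page size are assumptions chosen to match the title, not Mozilla's actual signature logic.

```python
import re
from dataclasses import dataclass

# Excerpt (frames #0-#5) of the AddressSanitizer report from the bug description above.
ASAN_REPORT = """\
==12650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f0e96bb85bc bp 0x7ffcbe0804b0 sp 0x7ffcbe080480 T0)
==12650==The signal is caused by a READ memory access.
==12650==Hint: address points to the zero page.
    #0 0x7f0e96bb85bb in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f0e96bb85bb in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f0e96bb85bb in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100
    #3 0x7f0e96bb85bb in IsFloating /builds/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:47
    #4 0x7f0e96bb85bb in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:76
    #5 0x7f0e969d772e in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
"""

# "#N 0xADDR in <function, may contain spaces> <path:line[:col]>"; the path is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")
SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")

@dataclass
class Frame:
    index: int
    function: str   # qualified name without its parameter list
    location: str   # path:line[:column]

def parse_frames(report):
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # Drop the C++ parameter list so equal functions compare equal.
            frames.append(Frame(int(m.group(1)), m.group(2).split("(", 1)[0], m.group(3)))
    return frames

def parse_report(report):
    """Return (fault address or None, access kind, frames) for one ASan report."""
    addr = SEGV_RE.search(report)
    access = ACCESS_RE.search(report)
    return (int(addr.group(1), 16) if addr else None,
            access.group(1) if access else "UNKNOWN",
            parse_frames(report))

def is_near_null(addr, page_size=0x1000):
    # A fault inside the first (never mapped) page is a null pointer plus a
    # small field offset: a reliable crash, not a read of controlled memory.
    # The 4 KiB page size is an assumption for the platform in the report.
    return addr is not None and addr < page_size

def crash_signature(frames, depth=3):
    # Innermost frames, skipping operator frames (assumed rule; matches the bug title).
    names = [f.function for f in frames if not f.function.startswith("operator")]
    return "[@ " + " | ".join(names[:depth]) + "]"
```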
Comment 1•7 years ago
Regression range 1:
INFO: Last good revision: cc473fe5dc512c450634506f68cbacfb40a06a23 (2015-11-11)
INFO: First bad revision: 3cc3b1968524248450c465c4ea2ee5596ffa65f2 (2015-11-12)
INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc473fe5dc512c450634506f68cbacfb40a06a23&tochange=3cc3b1968524248450c465c4ea2ee5596ffa65f2

The first regression range points to when the testcase first started crashing, though it requires a reload to do so. Bug 1122918 seems like a good candidate given the float:inline-end usage.

Regression range 2:
INFO: Last good revision: 22f51211915bf7daff076180847a7140d35aa353 (2016-01-01)
INFO: First bad revision: ce643acfab14d95bea2fb6c4f56477413514b686 (2016-01-02)
INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22f51211915bf7daff076180847a7140d35aa353&tochange=ce643acfab14d95bea2fb6c4f56477413514b686

This is when the testcase first started crashing immediately on load. Probably one of the webkit-related changes in there changing timings or something? Maybe it isn't interesting, but there it is anyway.

On debug builds, it also hits the following assertions:
ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file z:/build/build/src/layout/base/nsLayoutUtils.cpp, line 7769
ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file z:/build/build/src/layout/base/nsLayoutUtils.cpp, line 7783
ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file z:/build/build/src/layout/generic/nsFrame.cpp, line 737
ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file z:\build\build\src\layout\generic\nsPlaceholderFrame.h, line 182
Has Regression Range: --- → yes
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → wontfix
Keywords: assertion
Version: unspecified → 45 Branch
Comment 2•7 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> Regression range 1: [...]
> The first regression range points to when the testcase first started
> crashing, though it requires a reload to do so. Bug 1122918 seems like a
> good candidate given the float:inline-end usage.

Indeed -- though really that's just kind of an alias. Would you mind trying "float:right" instead (which should be equivalent to float:inline-end in this testcase) and see if that produces an even older regression range?

(Might be wise to preemptively convert "-webkit-transform" to "transform", too -- otherwise this might end up producing a bogus range for when we added support for that alias. :))
Updated•7 years ago
Flags: needinfo?(ryanvm)
Comment 3•7 years ago
(In reply to Daniel Holbert [:dholbert] from comment #2)
> (Might be wise to preemptively convert "-webkit-transform" to "transform",
> too -- otherwise this might end up producing a bogus range for when we added
> support for that alias. :))

Oh, I hadn't looked at range 2 -- indeed, that would've been from when we enabled webkit prefixed aliases (Bug 1213126). I'll bet that the behavior-difference around "Regression range 2" would go away [i.e. the instacrash would go back further] if the testcase just used "transform" instead of "-webkit-transform".
Comment 4•7 years ago
Here's a testcase with the changes noted above (aliases removed), which should hopefully make it reproduce more reliably across older builds & might hopefully produce a non-alias-related regression range. I verified that this still crashes in current Nightly.
Updated•7 years ago
Attachment #8917656 - Attachment description: trigger.html → testcase 1
Comment 5•7 years ago
Testcase 2 insta-crashes on all affected builds.
INFO: Last good revision: 9a8f2342fb3116d23989087e026448d38a3768c5 (2015-10-27)
INFO: First bad revision: fc706d376f0658e560a59c3dd520437b18e8c4a4 (2015-10-28)
INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9a8f2342fb3116d23989087e026448d38a3768c5&tochange=fc706d376f0658e560a59c3dd520437b18e8c4a4
Flags: needinfo?(ryanvm)
Comment 6•6 years ago
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59: --- → ?
Comment 7•3 years ago
Hey Jason,
Can you still repro this or should we close it?
Flags: needinfo?(jkratzer)
Updated•3 years ago
Keywords: regression
Reporter
Comment 8•3 years ago
(In reply to Andrei Purice from comment #7)
> Hey Jason,
> Can you still repro this or should we close it?

Andrei, I cannot reproduce this using mozilla-central rev 152fdda295bb. I think we can safely close this issue.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME