Bug 1409502 (Closed): Crash near null [@ mozilla::ReflowInput::InitConstraints]
Opened 8 years ago, closed 8 years ago
Categories: Core :: Layout, defect
Tracking: RESOLVED FIXED, target milestone mozilla58
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | disabled |
| firefox57 | --- | fixed |
| firefox58 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
431 bytes, text/html
Testcase found while fuzzing mozilla-central rev 41286177c59c.
```
==17065==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f9845821998 bp 0x7fff4d7d8c50 sp 0x7fff4d7d89a0 T0)
==17065==The signal is caused by a READ memory access.
==17065==Hint: address points to the zero page.
#0 0x7f9845821997 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2287:42
#1 0x7f984581a2bd in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:425:3
#2 0x7f9845860825 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:679:15
#3 0x7f984585bbd3 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:166:7
#4 0x7f98458597a3 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:377:35
#5 0x7f9845657acc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8936:11
#6 0x7f984566bb01 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9109:24
#7 0x7f984566ad67 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4182:11
#8 0x7f98455def34 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:566:5
#9 0x7f98455def34 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1956
#10 0x7f98455ed3bb in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
#11 0x7f98455ed3bb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
#12 0x7f98455ed0a4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
#13 0x7f98455ef60b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
#14 0x7f98455ef60b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
#15 0x7f98455ead27 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:529:20
#16 0x7f983e839722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#17 0x7f983e8533f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
#18 0x7f983f5e3541 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#19 0x7f983f5458ab in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#20 0x7f983f5458ab in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#21 0x7f983f5458ab in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#22 0x7f9844effbbf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#23 0x7f984905c191 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#24 0x7f984924d15b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
#25 0x7f984924ed78 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
#26 0x7f98492501ab in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
#27 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#28 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
#29 0x7f985c59382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#30 0x41db38 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41db38)
```
Flags: in-testsuite?
Comment 1 • 8 years ago
Regression range:
INFO: Last good revision: 91a488108e10bfd4df90ccf8b738ae5c4a0f0dc1
INFO: First bad revision: ab3c85d4d199c903f6359e276def141d67a000d7
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=91a488108e10bfd4df90ccf8b738ae5c4a0f0dc1&tochange=ab3c85d4d199c903f6359e276def141d67a000d7
--> Caused by bug 1324619
Fix range:
INFO: First good revision: cb247c8a0fe5dca1f9f8c58e53b4dd2ac0cd92c5
INFO: Last bad revision: 8146509b7d8098eea54d2ae41b5e57200e8ec4e2
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8146509b7d8098eea54d2ae41b5e57200e8ec4e2&tochange=cb247c8a0fe5dca1f9f8c58e53b4dd2ac0cd92c5
--> Fixed by bug 1404324
Emilio, is it worth landing this testcase as a separate crashtest or do we have sufficient coverage from the other bug already?
Assignee: nobody → emilio
Blocks: 1324619
Status: NEW → RESOLVED
Has Regression Range: --- → yes
Closed: 8 years ago
status-firefox56: --- → disabled
status-firefox57: --- → fixed
status-firefox58: --- → fixed
status-firefox-esr52: --- → unaffected
Depends on: 1404324
Flags: needinfo?(emilio)
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Comment 2 • 8 years ago (Assignee)
I think they're pretty similar (this one is with position: fixed, the crashtest there has position: absolute). Maybe worth landing it anyway though.
Flags: needinfo?(emilio)
Updated • 8 years ago
Flags: in-testsuite? → in-testsuite+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/01cdc4cd898b
Add crashtest. r=me
Comment 4 • 8 years ago (bugherder)