1413942 - Assertion failure: aChild->GetProperty(nsGkAtoms::restylableAnonymousNode) (Someone passed native anonymous content directly into frame construction. Stop doing that!), at /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6824

Status: NEW

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-esr52 rev 88d1cdb50caf.

==32159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6ef53fc542 bp 0x7ffcdd1a4940 sp 0x7ffcdd1a46e0 T0)
    #0 0x7f6ef53fc541 in nsCSSFrameConstructor::GetInsertionPrevSibling(nsCSSFrameConstructor::InsertionPoint*, nsIContent*, bool*, bool*, nsIContent*, nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6865:34
    #1 0x7f6ef53fe25c in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7842:27
    #2 0x7f6ef53a800f in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9708:14
    #3 0x7f6ef53c0167 in mozilla::RestyleManagerBase::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManagerBase.cpp:1176:7
    #4 0x7f6ef53a8399 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3804:3
    #5 0x7f6ef53a6eac in mozilla::RestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:152:5
    #6 0x7f6ef53c8b2a in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:97:5
    #7 0x7f6ef53c6b5d in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:266:9
    #8 0x7f6ef53ab66a in mozilla::RestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:834:3
    #9 0x7f6ef5526eb3 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4167:9
    #10 0x7f6ef532fe62 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1836:11
    #11 0x7f6ef5337c46 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
    #12 0x7f6ef5337a89 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:316:5
    #13 0x7f6ef533a955 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:663:5
    #14 0x7f6ef5339aa5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #15 0x7f6ef533a1f4 in mozilla::detail::RunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810:7
    #16 0x7f6eeff23412 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #17 0x7f6eeffaf550 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #18 0x7f6ef0a5af29 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #19 0x7f6ef09c8c27 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #20 0x7f6ef09c8ab9 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205:3
    #21 0x7f6ef4e8625a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #22 0x7f6ef662712c in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #23 0x7f6ef6744edd in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
    #24 0x7f6ef6746527 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
    #25 0x7f6ef6747112 in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
    #26 0x4e03e9 in do_main(int, char**, char**, nsIFile*) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #27 0x4dfac5 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415:16
    #28 0x7f6f0d09682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x41c274 in _start (/home/forb1dden/builds/esr-asan-debug/firefox+0x41c274)

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Fix range:
INFO: First good revision: 314707aa7875cdd89baea83c3e5b05266f55e076
INFO: Last bad revision: 432ed6f1eef15ff18b666b4d809a7b5e60ac79e3
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=432ed6f1eef15ff18b666b4d809a7b5e60ac79e3&tochange=314707aa7875cdd89baea83c3e5b05266f55e076

I can't see us possibly backporting this fix to ESR52, but we might as well land the testcase as a crashtest?