Bug 1414875 (Open)
Opened 7 years ago, updated 2 years ago
Assertion failure: !shell || shell == this (wrong shell), at /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6268
Categories: Core :: Layout, defect, P3
Tracking: NEW
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 1 file (418 bytes, text/html)
Testcase found while fuzzing mozilla-central rev dc45ee24c55d.
==2610==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5b5c233569 bp 0x7ffc0a4feef0 sp 0x7ffc0a4fee20 T0)
==2610==The signal is caused by a WRITE memory access.
==2610==Hint: address points to the zero page.
#0 0x7f5b5c233568 in mozilla::PresShell::RemoveFrameFromApproximatelyVisibleList(nsIFrame*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6268:5
#1 0x7f5b5c3f1572 in nsFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:812:34
#2 0x7f5b5c51d6c7 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
#3 0x7f5b5c3b914e in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
#4 0x7f5b5c51d6c7 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
#5 0x7f5b5c3b914e in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
#6 0x7f5b5c3b6527 in nsFrameList::DestroyFramesFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:58:12
#7 0x7f5b5c3b958e in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:224:11
#8 0x7f5b5c3fbec2 in nsCanvasFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:160:21
#9 0x7f5b5c3b6527 in nsFrameList::DestroyFramesFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:58:12
#10 0x7f5b5c3b958e in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:224:11
#11 0x7f5b5c3b6527 in nsFrameList::DestroyFramesFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:58:12
#12 0x7f5b5c3b958e in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:224:11
#13 0x7f5b5c2b2264 in nsFrameManager::Destroy() /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:118:17
#14 0x7f5b5c20e002 in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1348:22
#15 0x7f5b5c2cdb37 in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4644:15
#16 0x7f5b5c2c8b6b in nsDocumentViewer::Hide() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2245:3
#17 0x7f5b5e8e5348 in nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6611:9
#18 0x7f5b5e8e53c3 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6601:13
#19 0x7f5b58c9a7a6 in nsFrameLoader::Hide() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1467:12
#20 0x7f5b5c5bd763 in nsHideViewer::Run() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:985:21
#21 0x7f5b588eb1ad in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5735:15
#22 0x7f5b58c03e6d in nsDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5419:3
#23 0x7f5b5ba0298d in mozilla::dom::XULDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/xul/XULDocument.cpp:3194:18
#24 0x7f5b588e99e0 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:40:18
#25 0x7f5b58cc35e0 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1951:1
#26 0x7f5b58a92f25 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1336:5
#27 0x7f5b5ba1b08b in nsXULElement::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/xul/nsXULElement.cpp:927:22
#28 0x7f5b58cbd8dd in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:619:3
#29 0x7f5b58cc2f9b in nsINode::Remove() /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1861:11
#30 0x7f5b59fb1bff in mozilla::dom::ElementBinding::remove(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:4258:9
#31 0x7f5b5a43b87e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#32 0x7f5b5f294ef1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#33 0x7f5b5f294aca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:16
#34 0x7f5b5f295b75 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#35 0x7f5b5f28a573 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061:18
#36 0x7f5b5f2759e4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
#37 0x7f5b5f294a23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
#38 0x7f5b5f295b75 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#39 0x7f5b5f295d8c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
#40 0x7f5b5fb50b8b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
Flags: in-testsuite?
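A triage check for the report above, as an added example that is not part of the original bug or of Mozilla's tooling: it parses the ASan header and frames (abridged copies of the lines above) and tests whether the faulting frame sits on the file:line named in the bug summary. The names `triage`, `FRAME` and the result keys are hypothetical.

```python
import re

# Abridged copy of the bug summary and the first ASan lines from the report above.
SUMMARY = ("Assertion failure: !shell || shell == this (wrong shell), at "
           "/builds/worker/workspace/build/src/layout/base/PresShell.cpp:6268")
REPORT = """\
==2610==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5b5c233569 bp 0x7ffc0a4feef0 sp 0x7ffc0a4fee20 T0)
==2610==The signal is caused by a WRITE memory access.
#0 0x7f5b5c233568 in mozilla::PresShell::RemoveFrameFromApproximatelyVisibleList(nsIFrame*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6268:5
#1 0x7f5b5c3f1572 in nsFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:812:34
#2 0x7f5b5c51d6c7 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
"""

# "#N 0xADDR in <function, may contain spaces> /path/file.cpp:LINE[:COL]"
FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+) (/\S+?):(\d+)(?::\d+)?$")


def triage(summary, report):
    """Summarise an ASan SEGV report and relate it to the asserted location."""
    hdr = re.search(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+)", report)
    frames = [m.groups() for m in map(FRAME.match, report.splitlines()) if m]
    if not hdr or not frames:
        raise ValueError("not an ASan SEGV report with symbolised frames")
    access = re.search(r"caused by a (READ|WRITE) memory access", report)
    asserted = re.search(r"at (/\S+):(\d+)$", summary)
    address = int(hdr.group(2), 16)
    _, _, top_file, top_line = frames[0]
    return {
        "signal": hdr.group(1),
        "access": access.group(1) if access else None,
        "address": address,
        # Inside the first page: a null dereference, not a wild pointer.
        "near_null": address < 0x1000,
        # Faulting frame on the asserted file:line is consistent with the
        # SEGV being the failed assertion aborting, not a second fault.
        "crash_is_assertion": bool(asserted)
        and (top_file, top_line) == asserted.groups(),
        # Bucket key: argument lists stripped from the top three frames.
        "signature": [f[1].split("(")[0] for f in frames[:3]],
    }


if __name__ == "__main__":
    print(triage(SUMMARY, REPORT))
```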
Comment 1•7 years ago
I wasn't able to reproduce, even after allowing popups and trying many times.
Comment 2•7 years ago (Reporter)
In order to reproduce you'll likely need to enable the following prefs:
user_pref("dom.webcomponents.enabled", true);
user_pref("dom.webcomponents.customelements.enabled", true);
Comment 3•7 years ago
Before I can hit the assert in the title of this bug I hit this assert
###!!! ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file /Users/tim/ffopt/src/layout/base/PresShell.cpp, line 4417
which would explain the wrong shell assert. The wrong document assert is in PresShell::ContentAppended. That's violated some pretty fundamental assumptions in layout. Is this expected with webcomponents?
Updated•7 years ago
Priority: -- → P3
Comment 4•7 years ago
I'm pretty sure this is https://hg.mozilla.org/mozilla-central/rev/e13804265867ec492d8b775035698b1bcd8b96f8.
Jason, may you try to repro the bug again and confirm it's fixed?
Flags: needinfo?(jkratzer)
Comment 5•7 years ago (Reporter)
(In reply to Emilio Cobos Álvarez [:emilio] from comment #4)
> I'm pretty sure this is https://hg.mozilla.org/mozilla-central/rev/e13804265867ec492d8b775035698b1bcd8b96f8.
>
> Jason, may you try to repro the bug again and confirm it's fixed?
Emilio, this looks fixed as I'm unable to reproduce this using the latest nightly.
Flags: needinfo?(jkratzer)
Updated•2 years ago
Severity: normal → S3