Open
Bug 1414902
Opened 7 years ago
Updated 2 years ago
stylo: Assertion failure: !GetStyleContextInMap(aMap, aContent) (Already have an entry for aContent), at /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:205
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | --- | wontfix |
| firefox59 | --- | ? |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
576 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev dc45ee24c55d.
==8955==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f010eadadba bp 0x7ffcb989d560 sp 0x7ffcb989d530 T0)
==8955==The signal is caused by a WRITE memory access.
==8955==Hint: address points to the zero page.
#0 0x7f010eadadb9 in nsFrameManager::SetStyleContextInMap(nsFrameManagerBase::UndisplayedMap*, nsIContent*, nsStyleContext*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:196:3
#1 0x7f010eb1ef77 in nsCSSFrameConstructor::FrameConstructionItemList::Destroy(nsCSSFrameConstructor*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:1079:19
#2 0x7f010ea99a88 in nsCSSFrameConstructor::AutoFrameConstructionItemList::~AutoFrameConstructionItemList() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:1145:40
#3 0x7f010eaab070 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8579:1
#4 0x7f010eaa5859 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10063:9
#5 0x7f010ea01d1d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1513:25
#6 0x7f010ea56fea in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1159:9
#7 0x7f010ea24c7b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4196:41
#8 0x7f010e9b8923 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1882:18
#9 0x7f010e9c1dae in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306:7
#10 0x7f010e9c1b84 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:5
#11 0x7f010e9c5065 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
#12 0x7f010e9c4106 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682:35
#13 0x7f010e9c0287 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:528:20
#14 0x7f0108d08cff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#15 0x7f0108d29910 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#16 0x7f01098c6025 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#17 0x7f0109818177 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#18 0x7f0109818009 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
#19 0x7f010e4aae1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#20 0x7f01116cefe1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#21 0x7f0111843b68 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
#22 0x7f011184578a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
#23 0x7f01118466b9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
#24 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#25 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16
#26 0x7f0127fd982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
Only reproduces with Stylo enabled. INFO: Last good revision: 2011b90ddb79817efddb3ac8c9feb0b6ed4b24a9 INFO: First bad revision: e214368792a2bad363b383e8efb47fd0133e7cd5 INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2011b90ddb79817efddb3ac8c9feb0b6ed4b24a9&tochange=e214368792a2bad363b383e8efb47fd0133e7cd5
Blocks: 1404789
Has Regression Range: --- → yes
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox58:
--- → fix-optional
status-firefox-esr52:
--- → unaffected
Priority: -- → P3
Summary: Assertion failure: !GetStyleContextInMap(aMap, aContent) (Already have an entry for aContent), at /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:205 → stylo: Assertion failure: !GetStyleContextInMap(aMap, aContent) (Already have an entry for aContent), at /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:205
Version: 52 Branch → Trunk
|
||
Updated•7 years ago
|
Flags: needinfo?(emilio)
|
|
||
Comment 2•7 years ago
|
||
This is just we trying to reconstruct the document element and failing, and the frame construction code remarking it as display: none. I think the easiest thing to do here is just to get rid of the undisplayed content maps, which we can do once we kill the old style system.
Flags: needinfo?(emilio)
|
||
Comment 3•6 years ago
|
||
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59:
--- → ?
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•