Open Bug 1415605 Opened 2 years ago Updated 1 year ago

crash near null [@ mozilla::PresShell::FrameNeedsReflow]

Categories

(Core :: Layout, defect, P2, critical)

55 Branch
defect


Tracking Status
firefox-esr52 --- disabled
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- affected
firefox60 --- affected
firefox61 --- affected
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Attachments

(1 file)

Attached file testcase.html
Not sure if this is the same crash as in bug 1041212

==125321==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7fe1f7dbe8be bp 0x7ffd634d5810 sp 0x7ffd634d5480 T0)
==125321==The signal is caused by a READ memory access.
==125321==Hint: address points to the zero page.
    #0 0x7fe1f7dbe8bd in GetStateBits /src/layout/generic/nsIFrame.h:2031:46
    #1 0x7fe1f7dbe8bd in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /src/layout/base/PresShell.cpp:2723
    #2 0x7fe1f7da3140 in StyleChangeReflow /src/layout/base/RestyleManager.cpp:1238:41
    #3 0x7fe1f7da3140 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1567
    #4 0x7fe1f7e183ea in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1159:9
    #5 0x7fe1f7dd7310 in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3
    #6 0x7fe1f7dd7310 in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #7 0x7fe1f7dd7310 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4196
    #8 0x7fe1f7d4b108 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:581:5
    #9 0x7fe1f7d4b108 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1882
    #10 0x7fe1f7d5863b in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13
    #11 0x7fe1f7d5863b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306
    #12 0x7fe1f7d58336 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5
    #13 0x7fe1f7d5a88b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5
    #14 0x7fe1f7d5a88b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682
    #15 0x7fe1f7d5a496 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:583:9
    #16 0x7fe1f85af6b2 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /src/layout/ipc/VsyncChild.cpp:68:16
    #17 0x7fe1f2144021 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #18 0x7fe1f200ffb5 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28
    #19 0x7fe1f1c65ba9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2119:25
    #20 0x7fe1f1c62bbf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2049:17
    #21 0x7fe1f1c642f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1895:5
    #22 0x7fe1f1c64948 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1928:15
    #23 0x7fe1f0e813a6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #24 0x7fe1f0e9b868 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #25 0x7fe1f1c6d811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7fe1f1bcde6b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7fe1f1bcde6b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7fe1f1bcde6b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7fe1f765092f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #30 0x7fe1fb969487 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #31 0x7fe1f1bcde6b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #32 0x7fe1f1bcde6b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #33 0x7fe1f1bcde6b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #34 0x7fe1fb968e3a in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #35 0x4ec2de in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #36 0x4ec2de in main /src/browser/app/nsBrowserApp.cpp:280
    #37 0x7fe20e9db82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #38 0x41dbc8 in _start (firefox+0x41dbc8)
Flags: in-testsuite?
Works for me in an up-to-date local m-c ASAN Linux build.
Hmm. I just triple checked and I have no issues reproducing it with:
m-c ASan opt Linux
BuildID=20171108184714
SourceStamp=26d7a3a91c8596ca6834effec4b77a2c13d5f622

Jason: Can you please give us a sanity check here?
Flags: needinfo?(jkratzer)
(In reply to Tyson Smith [:tsmith] from comment #2)
> Hmm. I just triple checked and I have no issues reproducing it with:
> m-c ASan opt Linux
> BuildID=20171108184714
> SourceStamp=26d7a3a91c8596ca6834effec4b77a2c13d5f622
> 
> Jason: Can you please give us a sanity check here?

It repros for me on rev f63559d7e6a5 (20171108) on Ubuntu 16.04.
Flags: needinfo?(jkratzer)
Reproduces for me on Ubuntu 17.10 with a regular debug build. Also hits the below assertions:

ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp, line 7859
ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file layout/generic/nsFrame.cpp, line 760
ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file layout/generic/nsPlaceholderFrame.h, line 183

Regression range (with the dom.forms.datetime pref forced on):
INFO: Last good revision: 3e6775cee4f7098f4d11bdd452c276a56ac1f29a
INFO: First bad revision: feaeb4c4a1149a7925e9d0e32a61fde7ad74b8f2
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3e6775cee4f7098f4d11bdd452c276a56ac1f29a&tochange=feaeb4c4a1149a7925e9d0e32a61fde7ad74b8f2
Blocks: 1346085
Has Regression Range: --- → yes
Keywords: assertion
Priority: -- → P2
Version: 58 Branch → 55 Branch

Seems to work now.
