Open Bug 1416398 Opened 7 years ago Updated 1 year ago

crash near null [@ nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit]

Categories

(Core :: Layout, defect, P3)

58 Branch
defect

Tracking

Tracking Status
firefox58 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html
==41160==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7faeb56ae6a8 bp 0x7ffce04fa9d0 sp 0x7ffce04fa920 T0)
==41160==The signal is caused by a READ memory access.
==41160==Hint: address points to the zero page.
    #0 0x7faeb56ae6a7 in Hdr /src/obj-firefox/dist/include/nsTArray.h:527:32
    #1 0x7faeb56ae6a7 in Elements /src/obj-firefox/dist/include/nsTArray.h:1038
    #2 0x7faeb56ae6a7 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /src/obj-firefox/dist/include/nsTArray.h:1187
    #3 0x7faeb56ae6a7 in GetInternal /src/layout/base/FrameProperties.h:413
    #4 0x7faeb56ae6a7 in Get<nsContainerFrame> /src/layout/base/FrameProperties.h:235
    #5 0x7faeb56ae6a7 in GetProperty<nsContainerFrame> /src/layout/generic/nsIFrame.h:3572
    #6 0x7faeb56ae6a7 in nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(mozilla::ServoRestyleState&) /src/layout/generic/nsInlineFrame.cpp:994
    #7 0x7faeb55cbf73 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /src/layout/generic/nsFrame.cpp:11096:42
    #8 0x7faeb53163a5 in UpdateStyleOfOwnedAnonBoxes /src/layout/generic/nsIFrame.h:3385:7
    #9 0x7faeb53163a5 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:910
    #10 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #11 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #12 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #13 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #14 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #15 0x7faeb5319851 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1142:28
    #16 0x7faeb52d8b90 in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3
    #17 0x7faeb52d8b90 in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #18 0x7faeb52d8b90 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4196
    #19 0x7faeb524c988 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:581:5
    #20 0x7faeb524c988 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1882
    #21 0x7faeb5259ebb in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13
    #22 0x7faeb5259ebb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306
    #23 0x7faeb5259ba4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:327:5
    #24 0x7faeb525c10b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5
    #25 0x7faeb525c10b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682
    #26 0x7faeb52578b7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:528:20
    #27 0x7faeae3831c6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #28 0x7faeae39d688 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7faeaf16db11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7faeaf0ce11b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7faeaf0ce11b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7faeaf0ce11b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7faeb4b4ee4f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7faeb8c6b701 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7faeb8e634fb in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4664:22
    #36 0x7faeb8e650c5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4826:8
    #37 0x7faeb8e66476 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4921:21
    #38 0x4ec4ec in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #39 0x4ec4ec in main /src/browser/app/nsBrowserApp.cpp:304
    #40 0x7faecbee482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x41dbc8 in _start (/home/user/workspace/browsers/m-c-1510166834-asan-opt/firefox+0x41dbc8)
Flags: in-testsuite?
Summary: nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit → crash near null [@ nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit]
This is another IB split whose trailing inline has been destroyed... I have no idea about what is supposed to prevent that from happening, but here's the place the trailing inline is removed.
See Also: → 1418503
Fwiw, this returns 2 in Chrome:
data:text/html,<x><div>x</div></x><script>alert(document.body.firstChild.getClientRects().length)</script>
The first rect has width=0 so it seems they don't create the trailing inline.
Is there a spec that defines which boxes to create in this case?
Priority: -- → P3
Severity: critical → S3