Open
Bug 1416398
Opened 7 years ago
Updated 1 year ago
crash near null [@ nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit]
Categories
(Core :: Layout, defect, P3)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox58 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
==41160==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7faeb56ae6a8 bp 0x7ffce04fa9d0 sp 0x7ffce04fa920 T0)
==41160==The signal is caused by a READ memory access.
==41160==Hint: address points to the zero page.
    #0 0x7faeb56ae6a7 in Hdr /src/obj-firefox/dist/include/nsTArray.h:527:32
    #1 0x7faeb56ae6a7 in Elements /src/obj-firefox/dist/include/nsTArray.h:1038
    #2 0x7faeb56ae6a7 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /src/obj-firefox/dist/include/nsTArray.h:1187
    #3 0x7faeb56ae6a7 in GetInternal /src/layout/base/FrameProperties.h:413
    #4 0x7faeb56ae6a7 in Get<nsContainerFrame> /src/layout/base/FrameProperties.h:235
    #5 0x7faeb56ae6a7 in GetProperty<nsContainerFrame> /src/layout/generic/nsIFrame.h:3572
    #6 0x7faeb56ae6a7 in nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(mozilla::ServoRestyleState&) /src/layout/generic/nsInlineFrame.cpp:994
    #7 0x7faeb55cbf73 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /src/layout/generic/nsFrame.cpp:11096:42
    #8 0x7faeb53163a5 in UpdateStyleOfOwnedAnonBoxes /src/layout/generic/nsIFrame.h:3385:7
    #9 0x7faeb53163a5 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:910
    #10 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #11 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #12 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #13 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #14 0x7faeb5316ae3 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:953:32
    #15 0x7faeb5319851 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1142:28
    #16 0x7faeb52d8b90 in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3
    #17 0x7faeb52d8b90 in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #18 0x7faeb52d8b90 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4196
    #19 0x7faeb524c988 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:581:5
    #20 0x7faeb524c988 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1882
    #21 0x7faeb5259ebb in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13
    #22 0x7faeb5259ebb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306
    #23 0x7faeb5259ba4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:327:5
    #24 0x7faeb525c10b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5
    #25 0x7faeb525c10b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682
    #26 0x7faeb52578b7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:528:20
    #27 0x7faeae3831c6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #28 0x7faeae39d688 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7faeaf16db11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7faeaf0ce11b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7faeaf0ce11b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7faeaf0ce11b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7faeb4b4ee4f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7faeb8c6b701 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7faeb8e634fb in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4664:22
    #36 0x7faeb8e650c5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4826:8
    #37 0x7faeb8e66476 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4921:21
    #38 0x4ec4ec in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #39 0x4ec4ec in main /src/browser/app/nsBrowserApp.cpp:304
    #40 0x7faecbee482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x41dbc8 in _start (/home/user/workspace/browsers/m-c-1510166834-asan-opt/firefox+0x41dbc8)
Flags: in-testsuite?
Updated•7 years ago
Summary: nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit → crash near null [@ nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit]
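As an added triage example (not an attachment of this bug and not Mozilla's own fuzzing tooling): parse the ASan header and the top frames above, classify the fault as near-null because the address lies in the zero page, and pick the first non-header frame as the signature, which reproduces the summary this bug was renamed to. The 0x1000 near-null threshold and the ".cpp beats .h" frame heuristic are assumptions.

```python
import re
# Header and first frames copied from the ASan report in this bug (frames #3-#5 and #8 onward omitted).
ASAN_REPORT = """\
==41160==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7faeb56ae6a8 bp 0x7ffce04fa9d0 sp 0x7ffce04fa920 T0)
==41160==The signal is caused by a READ memory access.
==41160==Hint: address points to the zero page.
    #0 0x7faeb56ae6a7 in Hdr /src/obj-firefox/dist/include/nsTArray.h:527:32
    #1 0x7faeb56ae6a7 in Elements /src/obj-firefox/dist/include/nsTArray.h:1038
    #2 0x7faeb56ae6a7 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /src/obj-firefox/dist/include/nsTArray.h:1187
    #6 0x7faeb56ae6a7 in nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(mozilla::ServoRestyleState&) /src/layout/generic/nsInlineFrame.cpp:994
    #7 0x7faeb55cbf73 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /src/layout/generic/nsFrame.cpp:11096:42
"""
SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xPC in FUNC FILE:LINE[:COL]"; FUNC may contain spaces (template args), FILE has no spaces or colons.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) ([^\s:]+):(\d+)(?::\d+)?$")
NEAR_NULL_LIMIT = 0x1000  # assumption: a fault inside the first page is a null-plus-offset dereference

def parse_frames(report):
    # One dict per symbolized frame: index, func, file, line.
    frames = []
    for m in (FRAME_RE.match(line) for line in report.splitlines()):
        if m:
            frames.append({"index": int(m.group(1)), "func": m.group(2),
                           "file": m.group(3), "line": int(m.group(4))})
    return frames

def classify_fault(report):
    # (fault_address, access_kind), or (None, None) when the report is not a SEGV.
    m = SEGV_RE.search(report)
    if not m:
        return None, None
    a = ACCESS_RE.search(report)
    return int(m.group(1), 16), (a.group(1) if a else "UNKNOWN")

def signature_frame(frames):
    # Frames #0-#2 here are helpers inlined from headers; the first .cpp frame names the real crash site.
    return next((f for f in frames if f["file"].endswith(".cpp")), frames[0] if frames else None)

def bugzilla_summary(report):
    # Produce a "crash near null [@ func]" summary in the form this bug was renamed to.
    addr, access = classify_fault(report)
    top = signature_frame(parse_frames(report))
    func = top["func"].split("(")[0] if top else "unknown"
    if addr is None:
        kind = "crash"
    else:
        kind = "crash near null" if addr < NEAR_NULL_LIMIT else "crash (%s at 0x%x)" % (access.lower(), addr)
    return "%s [@ %s]" % (kind, func)
```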
Comment 1•7 years ago
This is another IB split whose trailing inline has been destroyed... I have no idea about what is supposed to prevent that from happening, but here's the place the trailing inline is removed.
Comment 2•7 years ago
Fwiw, this returns 2 in Chrome: data:text/html,<x><div>x</div></x><script>alert(document.body.firstChild.getClientRects().length)</script> The first rect has width=0 so it seems they don't create the trailing inline. Is there a spec that defines which boxes to create in this case?
Updated•7 years ago
Priority: -- → P3
Updated•3 years ago
Severity: critical → S3