Closed
Bug 1421014
Opened 7 years ago
Closed 7 years ago
Crash near null [@ GetBoolFlag | nsCSSFrameConstructor::ContentRemoved]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1420764
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: truber, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(1 file)
|
175 bytes,
text/html
|
Details |
The attached testcase crashes near null in m-c rev 20171127-cad9c9573579
==16749==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7fca2f48fe49 bp 0x7ffd390d6de0 sp 0x7ffd390d6c80 T0)
==16749==The signal is caused by a READ memory access.
==16749==Hint: address points to the zero page.
#0 0x7fca2f48fe48 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1626:12
#1 0x7fca2f48fe48 in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:545
#2 0x7fca2f48fe48 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:968
#3 0x7fca2f48fe48 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8514
#4 0x7fca2f3d65b2 in mozilla::PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4544:22
#5 0x7fca2ac58d34 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:221:3
#6 0x7fca2ac03d60 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1947:5
#7 0x7fca2a910881 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1382:5
#8 0x7fca2ac054aa in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2259:18
#9 0x7fca2b456d40 in InsertBefore /builds/worker/workspace/build/src/dom/base/nsINode.h:1850:12
#10 0x7fca2b456d40 in AppendChild /builds/worker/workspace/build/src/dom/base/nsINode.h:1854
#11 0x7fca2b456d40 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:897
#12 0x7fca2cacca07 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#13 0x7fca335d77d1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
Flags: in-testsuite?
|
Reporter | |
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•