1422883 - crash near null in [@ GetImmediateChild]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

==28488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f797546689a bp 0x7ffdce207b70 sp 0x7ffdce207b70 T0)
==28488==The signal is caused by a READ memory access.
==28488==Hint: address points to the zero page.
    #0 0x7f7975466899 in GetFirstChild /src/dom/base/nsINode.h:1279:46
    #1 0x7f7975466899 in GetImmediateChild /src/dom/xbl/nsXBLPrototypeBinding.cpp:442
    #2 0x7f7975466899 in nsXBLBinding::GetSourceDocURI() /src/dom/xbl/nsXBLBinding.cpp:429
    #3 0x7f797680b789 in SVGObserverUtils::GetBaseURLForLocalRef(nsIContent*, nsIURI*) /src/layout/svg/SVGObserverUtils.cpp:979:34
    #4 0x7f797680bb3d in ResolveURLUsingLocalRef(nsIFrame*, mozilla::css::URLValueData const*) /src/layout/svg/SVGObserverUtils.cpp:1016:5
    #5 0x7f79768057ad in GetMaskURI /src/layout/svg/SVGObserverUtils.cpp:1078:10
    #6 0x7f79768057ad in nsSVGMaskProperty::nsSVGMaskProperty(nsIFrame*) /src/layout/svg/SVGObserverUtils.cpp:398
    #7 0x7f7976806dd5 in GetOrCreateMaskProperty /src/layout/svg/SVGObserverUtils.cpp:532:14
    #8 0x7f7976806dd5 in SVGObserverUtils::GetEffectProperties(nsIFrame*) /src/layout/svg/SVGObserverUtils.cpp:622
    #9 0x7f7976881d7b in nsSVGIntegrationUtils::ComputePostEffectsVisualOverflowRect(nsIFrame*, nsRect const&) /src/layout/svg/nsSVGIntegrationUtils.cpp:289:5
    #10 0x7f79764d6678 in ComputeEffectsRect /src/layout/generic/nsFrame.cpp:7302:9
    #11 0x7f79764d6678 in nsIFrame::FinishAndStoreOverflow(nsOverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /src/layout/generic/nsFrame.cpp:9516
    #12 0x7f79765fcac9 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, nsOverflowAreas&) /src/layout/generic/nsLineLayout.cpp:3385:12
    #13 0x7f79765fc500 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, nsOverflowAreas&) /src/layout/generic/nsLineLayout.cpp:3332:7
    #14 0x7f79764269bc in RelativePositionFrames /src/layout/generic/nsLineLayout.h:129:5
    #15 0x7f79764269bc in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /src/layout/generic/nsBlockFrame.cpp:4631
    #16 0x7f79764247dd in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /src/layout/generic/nsBlockFrame.cpp:4097:12
    #17 0x7f797641b327 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3843:9
    #18 0x7f79764145b0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2827:5
    #19 0x7f797640a35a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2363:7
    #20 0x7f7976402115 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1236:3
    #21 0x7f7976421557 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:306:11
    #22 0x7f797641676b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3474:11
    #23 0x7f7976414705 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2824:5
    #24 0x7f797640a35a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2363:7
    #25 0x7f7976402115 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1236:3
    #26 0x7f7976421557 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:306:11
    #27 0x7f797641676b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3474:11
    #28 0x7f7976414705 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2824:5
    #29 0x7f797640a35a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2363:7
    #30 0x7f7976402115 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1236:3
    #31 0x7f79764627a6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:934:14
    #32 0x7f7976460f4b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsCanvasFrame.cpp:757:5
    #33 0x7f79764627a6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:934:14
    #34 0x7f7976536727 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /src/layout/generic/nsGfxScrollFrame.cpp:552:3
    #35 0x7f7976537929 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /src/layout/generic/nsGfxScrollFrame.cpp:664:3
    #36 0x7f797653bad6 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsGfxScrollFrame.cpp:1041:3
    #37 0x7f79763e729e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:978:14
    #38 0x7f79763e5d79 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/ViewportFrame.cpp:336:7
    #39 0x7f79761b33e0 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /src/layout/base/PresShell.cpp:9007:11
    #40 0x7f79761ca653 in mozilla::PresShell::ProcessReflowCommands(bool) /src/layout/base/PresShell.cpp:9180:24
    #41 0x7f79761c9414 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4267:11
    #42 0x7f7976129d94 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:580:5
    #43 0x7f7976129d94 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1901
    #44 0x7f7976138f9f in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13
    #45 0x7f7976138f9f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306
    #46 0x7f7976138b54 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:327:5
    #47 0x7f797613b3de in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5
    #48 0x7f797613b3de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682
    #49 0x7f7976136967 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:528:20
    #50 0x7f796e73920e in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1033:14
    #51 0x7f796e754f90 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:508:10
    #52 0x7f796f5c700a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #53 0x7f796f51dfa9 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #54 0x7f796f51dfa9 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #55 0x7f796f51dfa9 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #56 0x7f79759b8a8a in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:157:27
    #57 0x7f7979ead66b in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #58 0x7f797a0c5f38 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4649:22
    #59 0x7f797a0c8d6e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4811:8
    #60 0x7f797a0ca1e4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4903:21
    #61 0x4ee80b in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #62 0x4ee80b in main /src/browser/app/nsBrowserApp.cpp:304
    #63 0x7f798d1ea82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #64 0x41e078 in _start (firefox+0x41e078)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Can't reproduce anymore. Should have been fixed by bug 1425759.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Worth landing the test from this bug as a crashtest?

Comment 4

[Pulsebot]

Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc7f512b30ec
Crashtest. r=emilio

Comment 5

[Emilio Cobos Álvarez (:emilio)]

Agreed, thanks :)

Comment 6

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/fc7f512b30ec