Closed Bug 1424072 Opened 2 years ago Closed 1 year ago

crash near null in [@ IsFramePartOfIBSplit]

Categories: Core :: Layout, defect, P3
Version: 59 Branch
Status: RESOLVED WORKSFORME
Tracking Status: firefox59 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: crash, testcase
Attachments: 1 file

Attached file testcase.html
==79711==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7f369c12f18f bp 0x7ffc0f0fdc60 sp 0x7ffc0f0fdb00 T0)
==79711==The signal is caused by a READ memory access.
==79711==Hint: address points to the zero page.
    #0 0x7f369c12f18e in GetStateBits /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2033:46
    #1 0x7f369c12f18e in IsFramePartOfIBSplit /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:530
    #2 0x7f369c12f18e in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12799
    #3 0x7f369c1285b3 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7751:7
    #4 0x7f369c03980c in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1414:27
    #5 0x7f369c0b8b63 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1161:9
    #6 0x7f369c0728b8 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1237:3
    #7 0x7f369c0728b8 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #8 0x7f369c0728b8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4213
    #9 0x7f3699b61b91 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:571:5
    #10 0x7f3699b61b91 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5358
    #11 0x7f3699b61b91 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:737
    #12 0x7f369c098ba0 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7778:19
    #13 0x7f369c09a9b4 in mozilla::PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7572:10
    #14 0x7f369c095a9d in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/worker/workspace/build/src/layout/base/PresShell.cpp
    #15 0x7f369b7d663f in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:812:14
    #16 0x7f369b7d5d4f in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1140:9
    #17 0x7f369b83a23c in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:410:35
    #18 0x7f3696c7e989 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:499:21
    #19 0x7f369b062467 in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1868:10
    #20 0x7f369b062467 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1808
    #21 0x7f369b063d67 in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1775:3
    #22 0x7f369b064074 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1736:8
    #23 0x7f369b064074 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp
    #24 0x7f3695b8bd67 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3442:20
    #25 0x7f3695d25001 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4869:28
    #26 0x7f36954b487e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
    #27 0x7f36954b18f7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
    #28 0x7f36954b2ffc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
    #29 0x7f36954b3658 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
    #30 0x7f3694607d94 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #31 0x7f369462e66e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #32 0x7f369464a3f0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #33 0x7f36954bc99a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #34 0x7f3695413929 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #35 0x7f3695413929 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #36 0x7f3695413929 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #37 0x7f369b8645ca in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #38 0x7f369ff7918b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #39 0x7f3695413929 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #40 0x7f3695413929 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #41 0x7f3695413929 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #42 0x7f369ff78b7d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #43 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #44 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #45 0x7f36b308e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #46 0x41e078 in _start (firefox+0x41e078)
Flags: in-testsuite?
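An added triage aid, not part of this bug or of the Firefox code base: a small Python parser that reads the first lines of the AddressSanitizer report above and classifies the fault the way the summary does, as a near-null read. The faulting address 0x50 lies inside the zero page and the access is a READ, so it is consistent with dereferencing a field of a NULL nsIFrame rather than a wild pointer. Frames #0 to #2 also share one pc, which is how ASan symbolizes inlined frames; the helper groups them so the reader can see which functions were folded into a single instruction. The sample input is copied from the report; the 4 KiB page-size threshold and the verdict wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the first lines of the ASan report attached to this bug (copied, not constructed).
ASAN_REPORT = """\
==79711==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7f369c12f18f bp 0x7ffc0f0fdc60 sp 0x7ffc0f0fdb00 T0)
==79711==The signal is caused by a READ memory access.
==79711==Hint: address points to the zero page.
    #0 0x7f369c12f18e in GetStateBits /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2033:46
    #1 0x7f369c12f18e in IsFramePartOfIBSplit /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:530
    #2 0x7f369c12f18e in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12799
    #3 0x7f369c1285b3 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7751:7
"""

# Assumption: the lowest page is unmapped, so any address below this is a NULL-plus-offset access.
PAGE_SIZE = 0x1000

SEGV_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE|UNKNOWN) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-fA-F]+) in (.+)$")


@dataclass
class Frame:
    index: int
    pc: int
    func: str   # symbol, including any C++ parameter list
    loc: str    # file:line[:col] or (module+offset)


@dataclass
class SegvTriage:
    address: int
    access: str                 # READ, WRITE or UNKNOWN
    near_null: bool
    frames: List[Frame] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.near_null:
            return (f"near-null {self.access} at offset 0x{self.address:x} from a NULL base; "
                    "denial of service unless the offset is attacker-controlled")
        return f"wild {self.access} at 0x{self.address:x}; treat as potentially exploitable until root-caused"


def parse_frame(line: str) -> Optional[Frame]:
    """Split '#n 0xPC in <symbol with spaces> <location>' on the last space, so C++
    parameter lists stay attached to the symbol."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    func, _, loc = m.group(3).rpartition(" ")
    return Frame(int(m.group(1)), int(m.group(2), 16), func, loc)


def triage_asan_segv(report: str) -> SegvTriage:
    address, access, frames = None, "UNKNOWN", []
    for line in report.splitlines():
        if (m := SEGV_RE.search(line)):
            address = int(m.group(1), 16)
        elif (m := ACCESS_RE.search(line)):
            access = m.group(1)
        elif (f := parse_frame(line)):
            frames.append(f)
    if address is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    return SegvTriage(address, access, address < PAGE_SIZE, frames)


def inlined_groups(frames: List[Frame]) -> List[List[Frame]]:
    """Consecutive frames that share one pc were inlined into a single machine-code
    location; ASan still prints one line per source-level function."""
    groups: List[List[Frame]] = []
    current: List[Frame] = []
    for f in frames:
        if current and f.pc != current[-1].pc:
            if len(current) > 1:
                groups.append(current)
            current = []
        current.append(f)
    if len(current) > 1:
        groups.append(current)
    return groups


if __name__ == "__main__":
    t = triage_asan_segv(ASAN_REPORT)
    print(t.verdict)
    for group in inlined_groups(t.frames):
        print("inlined at pc 0x%x: %s" % (group[0].pc, " <- ".join(f.func.split("(")[0] for f in group)))
```

For the report above the verdict is a near-null READ at offset 0x50, and the single inlined group is GetStateBits <- IsFramePartOfIBSplit <- nsCSSFrameConstructor::WipeContainingBlock. The classification is a first-pass filter only; a near-null read stops being a plain denial of service as soon as the offset or the base pointer turns out to be attacker-influenced, so the root cause still has to be established before the bug is rated.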
I expect this ASSERT to have fired well before this crash:
https://searchfox.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#12739

Maybe better to guard this higher up to prevent ContentAppended() from traversing too far?
Priority: -- → P3

I cannot reproduce this on Nightly 2019-03-15 and my local debug build. Close this.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME