1426581 - crash near null in [@ nsBlockFrame::ChildIsDirty]

Status: NEW

(Core :: Layout, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

The best way to make this crash consistently is to run under Xvfb with a screen resolution of 1280x1024.

==7135==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f899af6ff94 bp 0x7ffd83307bf0 sp 0x7ffd83307bc0 T0)
==7135==The signal is caused by a READ memory access.
==7135==Hint: address points to the zero page.
    #0 0x7f899af6ff93 in get /src/obj-firefox/dist/include/nsCOMPtr.h:780:48
    #1 0x7f899af6ff93 in operator==<nsIContent, nsIContent> /src/obj-firefox/dist/include/nsCOMPtr.h:1440
    #2 0x7f899af6ff93 in nsBlockFrame::ChildIsDirty(nsIFrame*) /src/layout/generic/nsBlockFrame.cpp:6955
    #3 0x7f899ace287d in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /src/layout/base/PresShell.cpp:2817:10
    #4 0x7f899acc5520 in StyleChangeReflow /src/layout/base/RestyleManager.cpp:1248:26
    #5 0x7f899acc5520 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1577
    #6 0x7f899ad44193 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1159:9
    #7 0x7f899acfd9c8 in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3
    #8 0x7f899acfd9c8 in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #9 0x7f899acfd9c8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4226
    #10 0x7f89987aba0e in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:571:5
    #11 0x7f89987aba0e in FlushPendingEvents /src/dom/events/EventStateManager.cpp:5308
    #12 0x7f89987aba0e in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /src/dom/events/EventStateManager.cpp:737
    #13 0x7f899ad2422e in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /src/layout/base/PresShell.cpp:7805:19
    #14 0x7f899ad25fd4 in mozilla::PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) /src/layout/base/PresShell.cpp:7603:10
    #15 0x7f899ad212ef in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /src/layout/base/PresShell.cpp
    #16 0x7f899a45c96f in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /src/view/nsViewManager.cpp:812:14
    #17 0x7f899acfae4a in mozilla::PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*, bool) /src/layout/base/PresShell.cpp:3786:33
    #18 0x7f899ad11e4c in mozilla::PresShell::ProcessSynthMouseMoveEvent(bool) /src/layout/base/PresShell.cpp:5754:12
    #19 0x7f899ad543ca in mozilla::PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /src/obj-firefox/dist/include/mozilla/PresShell.h:654:16
    #20 0x7f899ac5eb9e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1843:12
    #21 0x7f899ac6e91f in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13
    #22 0x7f899ac6e91f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306
    #23 0x7f899ac6e4e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5
    #24 0x7f899ac70d5e in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5
    #25 0x7f899ac70d5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682
    #26 0x7f899ac6c2e7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:528:20
    #27 0x7f89933343c4 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #28 0x7f899334ff40 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7f89941b4a2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7f8994111439 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f8994111439 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f8994111439 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f899a4e6c9a in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27
    #34 0x7f899e9f7e9b in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7f899ec0afda in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4685:22
    #36 0x7f899ec0d3cd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:8
    #37 0x7f899ec0e764 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4942:21
    #38 0x4ee80b in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #39 0x4ee80b in main /src/browser/app/nsBrowserApp.cpp:304
    #40 0x7f89b1e0b82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x41e078 in _start (firefox+0x41e078)

Comment 1

[Tyson Smith [:tsmith]]

To clarify, to repro consistently with this specific testcase run with xvfb. I'd guess this is reproducible in normal circumstances with a different screen resolution.