Open Bug 1428892 Opened 2 years ago Updated 1 year ago

Crash near null [@ Type | GetFirstLeaf]

Categories

(Core :: Layout, defect, P2, critical)

Tracking

REOPENED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox59 --- wontfix
firefox66 --- fixed
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: truber, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Attached file testcase.html
The attached testcase causes a crash near null in m-c rev 20180108-ca379fcca95b.

==24147==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7feb142c0bb2 bp 0x7ffeeef55630 sp 0x7ffeeef55610 T0)
==24147==The signal is caused by a READ memory access.
==24147==Hint: address points to the zero page.
    #0 0x7feb142c0bb1 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2797:38
    #1 0x7feb142c0bb1 in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:40
    #2 0x7feb142c0bb1 in GetFirstLeaf /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1393
    #3 0x7feb142c0bb1 in nsBidiPresUtils::GetFrameBidiData(nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1401
    #4 0x7feb142be3b5 in BidiLineData::BidiLineData(nsIFrame*, int) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:407:32
    #5 0x7feb142bdfc2 in nsBidiPresUtils::ReorderFrames(nsIFrame*, int, mozilla::WritingMode, nsSize const&, int) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1382:16
    #6 0x7feb14686cfd in nsLineLayout::TextAlignLine(nsLineBox*, bool) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:3222:5
    #7 0x7feb144ae8db in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4612:15
    #8 0x7feb144ac74d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4087:12
    #9 0x7feb144a3297 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3833:9
    #10 0x7feb1449c520 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2817:5
    #11 0x7feb144922ca in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
    #12 0x7feb1448a085 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
    #13 0x7feb144a94c7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #14 0x7feb1449e6db in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
    #15 0x7feb1449c675 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
    #16 0x7feb144922ca in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
    #17 0x7feb1448a085 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
    #18 0x7feb144a94c7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #19 0x7feb1449e6db in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
    #20 0x7feb1449c675 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
    #21 0x7feb144922ca in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
    #22 0x7feb1448a085 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
    #23 0x7feb144ea756 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
    #24 0x7feb144ef3a2 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:810:7
    #25 0x7feb144f42c1 in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:507:19
    #26 0x7feb144f42c1 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1175
    #27 0x7feb144f4e8e in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/
    ...


In debug builds it hits these assertions:

ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp, line 7966
ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp, line 767
ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.h, line 183
Flags: in-testsuite?
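The report above is the kind of output a fuzzer files by the hundred, and the first triage question is whether "SEGV on unknown address 0x65" is a plain null dereference (a crash, i.e. denial of service) or a wild pointer worth deeper investigation. The following is an added example of that check, not code from the bug, from the reporter's fuzzing tooling, or from Mozilla: it parses the ASan header and frames, classifies the fault as near-null when the address sits inside the first page (the 0x1000 threshold is this example's assumption), counts how many leading frames share the faulting pc (frames #0 to #3 above are inlined into one instruction), and builds a bucketing signature in the "[@ Type | GetFirstLeaf]" style of the bug title. Which inlined frames a real signature generator drops depends on its own skip list, which this example does not model, so its signature keeps IsLetterFrame. The sample report is constructed from the lines quoted in comment 0.

```python
"""Triage an AddressSanitizer SEGV report: near-null or not, plus a signature.

Added example for classifying reports like the one in comment 0; not code from
the bug, the fuzzing harness, or Mozilla. SAMPLE_REPORT is constructed from the
lines quoted in comment 0 (header plus frames #0-#3).
"""

# Constructed sample input, copied from the report in comment 0.
SAMPLE_REPORT = """\
==24147==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7feb142c0bb2 bp 0x7ffeeef55630 sp 0x7ffeeef55610 T0)
==24147==The signal is caused by a READ memory access.
==24147==Hint: address points to the zero page.
    #0 0x7feb142c0bb1 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2797:38
    #1 0x7feb142c0bb1 in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:40
    #2 0x7feb142c0bb1 in GetFirstLeaf /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1393
    #3 0x7feb142c0bb1 in nsBidiPresUtils::GetFrameBidiData(nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1401
"""

import re

# Assumption of this example: a fault below one page is "near null", meaning a
# null pointer plus a small field offset rather than an attacker-shaped pointer.
NEAR_NULL_LIMIT = 0x1000
SIGNATURE_FRAMES = 3

SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+) \(pc 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")


def parse_segv(report):
    """Return (fault_address, pc, access_kind) from the ASan SEGV header."""
    m = SEGV_RE.search(report)
    if not m:
        raise ValueError("not an ASan SEGV report")
    access = ACCESS_RE.search(report)
    return int(m.group(1), 16), int(m.group(2), 16), (access.group(1) if access else "UNKNOWN")


def parse_frames(report):
    """Return the stack as (index, pc, symbol, location) tuples.

    The symbol may contain spaces (C++ parameter lists), so the location is
    taken as the last whitespace-separated token when it looks like a path.
    """
    frames = []
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue
        head, sep, rest = line.partition(" in ")
        if not sep:
            continue
        index_tok, pc = head.split()[:2]
        symbol, _, location = rest.rpartition(" ")
        if not location.startswith("/"):
            symbol, location = rest, ""
        frames.append((int(index_tok[1:]), pc, symbol, location))
    return frames


def short_name(symbol):
    """Strip the parameter list and namespace: 'ns::Foo(int)' -> 'Foo'."""
    return symbol.split("(")[0].rsplit("::", 1)[-1]


def leading_inlined(frames):
    """How many leading frames share frame #0's pc (inlined into one instruction)."""
    count = 0
    for _, pc, _, _ in frames:
        if pc != frames[0][1]:
            break
        count += 1
    return count


def classify(report):
    """Summarise a SEGV report for bucketing and impact triage."""
    addr, pc, access = parse_segv(report)
    frames = parse_frames(report)
    near_null = addr < NEAR_NULL_LIMIT
    if near_null:
        impact = "null dereference with field offset 0x%x: crash only" % addr
    else:
        impact = "wild pointer: investigate for memory corruption"
    return {
        "address": addr,
        "pc": pc,
        "access": access,
        "near_null": near_null,
        "zero_page_hint": "points to the zero page" in report,
        "inlined_frames": leading_inlined(frames),
        "signature": "[@ " + " | ".join(short_name(f[2]) for f in frames[:SIGNATURE_FRAMES]) + "]",
        "impact": impact,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_REPORT).items():
        print("%-16s %s" % (key, value))
```

The caveat for this bug is that "near null" describes the symptom of this particular run, not the root cause: the debug assertions in comment 0 point at a placeholder frame whose out-of-flow frame is null and a stray placeholder left in the tree, so the same logic error could surface differently under another testcase, which is exactly what comment 10 later reports.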
[ Triage 2017/02/20: P2 ] P2 bugs may become P1's after further analysis. Please prioritize diagnosis and repair.
Priority: -- → P2
See Also: → 1452277
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
> Closing because no crash reported since 12 weeks.
Please don't close bugs with reproducible test-cases that still crash.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

WFM, I can no longer reproduce.

Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → WORKSFORME

We should land the test then :)

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Sorry, I don't know the convention here. Do you know how to land a testcase without a patch?

BTW, do you think I can apply for level 3 access now? I've been active here these days with 15+ patches (10+ already landed), it'd be convenient to be able to land my patches by myself.

Flags: needinfo?(emilio)

(In reply to violet.bugreport from comment #7)

> Sorry, I don't know the convention here. Do you know how to land a testcase without a patch?

You land a patch with the test-case only.

> BTW, do you think I can apply for level 3 access now? I've been active here these days with 15+ patches (10+ already landed), it'd be convenient to be able to land my patches by myself.

I'd be happy to vouch for you :)

Flags: needinfo?(emilio)
Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

mozregression says this was fixed by bug 1196668. (In the future, we typically resolve as FIXED when we know what fixed it and use WFM if we don't)

Depends on: 1196668
Flags: in-testsuite? → in-testsuite+
Target Milestone: mozilla68 → mozilla65

Ryan, thanks for finding the regression range! Unfortunately that means that the bug is not gone, just the conditions to trigger it are a bit different (we need a non-empty alt attribute).

Here's a test-case that keeps crashing. Will reopen the bug.

Attachment #9055661 - Attachment mime type: text/plain → text/html
Status: RESOLVED → REOPENED
Resolution: FIXED → ---