Open Bug 1429172 Opened 2 years ago Updated 2 years ago

Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] with floats and multicol

Categories: Core :: Layout, defect, P3, critical

Tracking Status: firefox59 --- affected

People: Reporter: truber, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, crash, testcase

Attachments: 2 files

Attached file testcase.html
The attached testcase causes a crash near null in m-c rev 20180109-6f5fac320fcb.
The testcase is very fragile and even whitespace changes change the signature to bug 1411689.

==2758==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7f28d8224032 bp 0x7ffd0010af70 sp 0x7ffd0010af40 T0)
==2758==The signal is caused by a READ memory access.
==2758==Hint: address points to the zero page.
    #0 0x7f28d8224031 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2797:38
    #1 0x7f28d8224031 in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:40
    #2 0x7f28d8224031 in nsBidiPresUtils::ChildListMayRequireBidi(nsIFrame*, nsIContent**) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1309
    #3 0x7f28d8222eb4 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:725:11
    #4 0x7f28d83f87a2 in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7510:10
    #5 0x7f28d83f87a2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1179
    #6 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #7 0x7f28d840d48b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
    #8 0x7f28d840b425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
    #9 0x7f28d840107a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
    #10 0x7f28d83f8e35 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
    #11 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #12 0x7f28d840d48b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
    #13 0x7f28d840b425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
    #14 0x7f28d840107a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
    #15 0x7f28d83f8e35 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
    #16 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
In a debug build, I'm seeing this testcase fail some nonfatal assertions, and crash in a different place (while evaluating an assertion condition).

I get 4 copies of this assertion:
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp, line 7975
...and then 4 copies of this:
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file layout/generic/nsFrame.cpp, line 767
...and then 1 copy of this:
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file ../../../mozilla/layout/generic/nsPlaceholderFrame.h, line 183

And then we crash while evaluating the lower assertion here because "outOfFlowFrame" is null (and we dereference it in the NS_ASSERTION condition):
> nsIFrame*
> nsLayoutUtils::GetFloatFromPlaceholder(nsIFrame* aFrame) {
>   NS_ASSERTION(aFrame->IsPlaceholderFrame(), "Must have a placeholder here");
>   if (aFrame->GetStateBits() & PLACEHOLDER_FOR_FLOAT) {
>     nsIFrame *outOfFlowFrame =
>       nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
>     NS_ASSERTION(outOfFlowFrame->IsFloating(),
>                  "How did that happen?");
(This is likely a multicol/float interaction bug -- I suspect it has nothing to do with nsBidiPresUtils except that that's where we end up using the unexpectedly-null out-of-flow frame pointer first.)
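The comment above describes a debug build crashing inside the assertion that was meant to catch the problem, because the NS_ASSERTION condition dereferences `outOfFlowFrame` before anything has checked it for null. The following is an added illustration, not Mozilla code: it uses a hypothetical `Frame` struct (not nsIFrame) and a constructed child list to show the same lookup written so that the pointer is validated before the pointee is inspected, turning a null out-of-flow frame into a recorded diagnostic instead of a segfault during the check.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for a layout frame; not Mozilla's nsIFrame.
struct Frame {
    bool isPlaceholder = false;   // true for the in-flow placeholder of a float
    bool isFloating = false;      // true for the out-of-flow float itself
    Frame* outOfFlow = nullptr;   // placeholder -> the float it stands for
};

// Invariant violations are recorded here instead of aborting, so the
// behaviour can be checked; a real build would log or assert at these points.
static std::vector<std::string> gDiagnostics;

// Resolves a placeholder to its float. Unlike a check written as
// "outOfFlow->IsFloating()", this validates the pointer before touching the
// pointee, so a stray placeholder is reported rather than crashing the
// check itself.
Frame* GetFloatFromPlaceholderChecked(Frame* placeholder) {
    if (placeholder == nullptr || !placeholder->isPlaceholder) {
        gDiagnostics.push_back("caller passed a non-placeholder frame");
        return nullptr;
    }
    Frame* outOfFlow = placeholder->outOfFlow;
    if (outOfFlow == nullptr) {
        // The state the debug build above reached: a placeholder whose
        // out-of-flow frame has already been torn down.
        gDiagnostics.push_back("null out-of-flow for placeholder");
        return nullptr;
    }
    if (!outOfFlow->isFloating) {
        gDiagnostics.push_back("out-of-flow frame is not a float");
        return nullptr;
    }
    return outOfFlow;
}

// Walks a child list (as a reflow pass would) and collects the floats whose
// placeholders are intact; broken placeholders are skipped and diagnosed.
std::vector<Frame*> CollectFloats(const std::vector<Frame*>& children) {
    std::vector<Frame*> floats;
    for (Frame* child : children) {
        if (child == nullptr || !child->isPlaceholder) {
            continue;  // ordinary in-flow frame, nothing to resolve
        }
        if (Frame* f = GetFloatFromPlaceholderChecked(child)) {
            floats.push_back(f);
        }
    }
    return floats;
}

// Constructed sample: one healthy placeholder, one stray placeholder whose
// float is already gone, and one plain in-flow frame.
size_t RunSample() {
    gDiagnostics.clear();
    Frame floatFrame;  floatFrame.isFloating = true;
    Frame good;        good.isPlaceholder = true; good.outOfFlow = &floatFrame;
    Frame stray;       stray.isPlaceholder = true;  // outOfFlow stays null
    Frame text;
    std::vector<Frame*> children = {&good, &stray, &text};
    return CollectFloats(children).size();  // 1 float found; 1 diagnostic recorded
}

int main() { return RunSample() == 1 ? 0 : 1; }
```

The point is the ordering of the checks: the null test on the out-of-flow pointer comes first, and only then is the float property inspected, so the diagnostic names the actual broken invariant (a placeholder with no out-of-flow frame) rather than disappearing into a crash at the dereference.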
Keywords: assertion
Summary: Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] → Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] with floats and multicol
Priority: -- → P3
See Also: → 1429215