Closed Bug 1447151 Opened 7 years ago Closed 7 years ago

Crash in nsDisplayListBuilder::OutOfFlowDisplayData::ComputeVisibleRectForFrame

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Version:
59 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1436505
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-fe08f496-64f9-446a-a4a0-de9d50180319. ============================================================= Top 10 frames of crashing thread: 0 xul.dll nsDisplayListBuilder::OutOfFlowDisplayData::ComputeVisibleRectForFrame layout/painting/nsDisplayList.h:1497 1 xul.dll nsDisplayListBuilder::MarkOutOfFlowFrameForDisplay layout/painting/nsDisplayList.cpp:1206 2 xul.dll nsDisplayListBuilder::MarkFramesForDisplayList layout/painting/nsDisplayList.cpp:1506 3 xul.dll nsBlockFrame::BuildDisplayList layout/generic/nsBlockFrame.cpp:6696 4 xul.dll nsIFrame::BuildDisplayListForChild layout/generic/nsFrame.cpp:3815 5 xul.dll mozilla::ScrollFrameHelper::BuildDisplayList layout/generic/nsGfxScrollFrame.cpp:3633 6 xul.dll nsIFrame::BuildDisplayListForStackingContext layout/generic/nsFrame.cpp:3046 7 xul.dll nsIFrame::BuildDisplayListForChild layout/generic/nsFrame.cpp:3754 8 xul.dll DisplayLine layout/generic/nsBlockFrame.cpp:6649 9 xul.dll nsBlockFrame::BuildDisplayList layout/generic/nsBlockFrame.cpp:6744 ============================================================= this is a low-volume crash signature regressing cross-platform in firefox 59 in a codepath that was last touched in bug 1344971.
Matt, could you take a look and see if we could do anything for this crash? Thanks.
Flags: needinfo?(matt.woodrow)
For some reason we're getting an invalid frame pointer in AnyContentAncestorModified, and crashing trying to call IsFrameModified on it. It's not clear how that happens, the minidump doesn't have enough information to figure out what the previous (valid) frame was in the iteration. It's definitely not aFrame that crashes, so we've gone up to the parent at least once. MarkFrameForDisplay does almost exactly the same thing here (and has for a long time), and I'm not aware of any crashes from doing this.
Flags: needinfo?(matt.woodrow)
Group: core-security
Keywords: sec-high
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Marking fix-optional here since we are tracking this in bug 1436505.
status-firefox62: affectedfix-optional
status-firefox63: --- → ?

Removing employee no longer with company from CC list of private bugs.

Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.