Open Bug 1453198 Opened 2 years ago Updated 2 years ago

Assertion failure: aDisplay->mDisplay != StyleDisplay::Contents || !aElement->IsRootOfNativeAnonymousSubtree() (display:contents on anonymous content is unsupported), at /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4851

Categories

(Core :: Layout, defect, P5)

59 Branch
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Testcase found while fuzzing esr52 rev d61516b059c1.

rax = 0x0000000000625d50   rdx = 0x0000000000000000
rcx = 0x00007f721aa3cfac   rbx = 0x00007f71f72ab020
rsi = 0x00007f721586a770   rdi = 0x00007f7215869540
rbp = 0x00007ffff67dd490   rsp = 0x00007ffff67dd470
r8 = 0x00007f721586a770    r9 = 0x00007f721ce1ec00
r10 = 0x0000000000000043   r11 = 0x0000000000000000
r12 = 0x00007f71f724e350   r13 = 0x00007f71f8035100
r14 = 0x0000000000000000   r15 = 0x0000000000000000
rip = 0x00007f7218e2c242
OS|Linux|0.0.0 Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsCSSFrameConstructor::FindDisplayData|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|4849|0x0
0|1|libxul.so|nsCSSFrameConstructor::AddFrameConstructionItemsInternal|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|5851|0x1d
0|2|libxul.so|nsCSSFrameConstructor::CreateGeneratedContentItem|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|1917|0x2a
0|3|libxul.so|nsCSSFrameConstructor::AddFrameConstructionItemsInternal|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|5921|0x22
0|4|libxul.so|nsCSSFrameConstructor::DoAddFrameConstructionItems|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|5651|0x26
0|5|libxul.so|nsCSSFrameConstructor::AddFrameConstructionItems|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|5669|0x1e
0|6|libxul.so|nsCSSFrameConstructor::ProcessChildren|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|10836|0x27
0|7|libxul.so|nsCSSFrameConstructor::ConstructBlock|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|11864|0x7
0|8|libxul.so|nsCSSFrameConstructor::ConstructDocElementFrame|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|2631|0x32
0|9|libxul.so|nsCSSFrameConstructor::ContentRangeInserted|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsCSSFrameConstructor.cpp:d61516b059c1|7753|0x12
0|10|libxul.so|PresShell::Initialize|hg:hg.mozilla.org/releases/mozilla-esr52:layout/base/nsPresShell.cpp:d61516b059c1|1790|0x13
0|11|libxul.so|nsContentSink::StartLayout|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsContentSink.cpp:d61516b059c1|1229|0x17
0|12|libxul.so|nsHtml5TreeOpExecutor::StartLayout|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOpExecutor.cpp:d61516b059c1|614|0xa
0|13|libxul.so|nsHtml5TreeOperation::Perform|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOperation.cpp:d61516b059c1|987|0x8
0|14|libxul.so|nsHtml5TreeOpExecutor::RunFlushLoop|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOpExecutor.cpp:d61516b059c1|449|0xe
0|15|libxul.so|nsHtml5ExecutorFlusher::Run|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5StreamParser.cpp:d61516b059c1|128|0x8
0|16|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/threads/nsThread.cpp:d61516b059c1|1216|0x11
0|17|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsThreadUtils.cpp:d61516b059c1|361|0xd
0|18|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|124|0xd
0|19|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17
0|20|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8
0|21|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:d61516b059c1|156|0xd
0|22|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|866|0x6
0|23|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|269|0x5
0|24|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17
0|25|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8
0|26|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|698|0xf
0|27|plugin-container|content_process_main|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/contentproc/plugin-container.cpp:d61516b059c1|197|0xe
0|28|libc-2.23.so||||0x20830
0|29|plugin-container|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/Assertions.h:d61516b059c1|170|0x5
Flags: in-testsuite?
There's no test-case?
Flags: needinfo?(jkratzer)
Attached file trigger.html
My apologies. Looks like I forgot to attach it.
Flags: needinfo?(jkratzer)
Thanks!
Flags: needinfo?(emilio)
I can't repro this one on trunk. Can you double-check? Any way of reproducing this?
Flags: needinfo?(emilio) → needinfo?(jkratzer)
Oh, while fuzzing ESR. I'm pretty sure I fixed something like this a while ago... Given this looks fixed and that ESR52 is basically over (we're about to ship ESR60), not sure if it's worth uplifting.
Flags: needinfo?(jkratzer)
ni? Liz for whether to uplift question in comment 5.
Flags: needinfo?(lhenry)
We do ship two more ESR52 versions. Up to you whether you think it is worth it. I don't have a strong opinion here.
Flags: needinfo?(lhenry)
Priority: -- → P5