Closed Bug 1458028 Opened 2 years ago Closed 2 years ago

Crash near null in [@ mozilla::DetailsFrame::HasMainSummaryFrame]

Categories

(Core :: Layout, defect)


Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: tsmith, Assigned: mats)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(3 files)

Attached file testcase.html
==5563==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7fb3f98e43f0 bp 0x7ffd408f69b0 sp 0x7ffd408f69b0 T0)
==5563==The signal is caused by a READ memory access.
==5563==Hint: address points to the zero page.
    #0 0x7fb3f98e43ef in Type src/layout/generic/nsIFrame.h:2794:38
    #1 0x7fb3f98e43ef in IsPlaceholderFrame src/obj-firefox/dist/include/mozilla/FrameTypeList.h:52
    #2 0x7fb3f98e43ef in GetRealFrameFor src/layout/generic/nsPlaceholderFrame.h:169
    #3 0x7fb3f98e43ef in mozilla::DetailsFrame::HasMainSummaryFrame(nsIFrame*) src/layout/generic/DetailsFrame.cpp:134
    #4 0x7fb3f97d7e7a in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8904:34
    #5 0x7fb3f97d5667 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:8018:9
    #6 0x7fb3f97298aa in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4549:22
    #7 0x7fb3f4ae9c89 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:230:3
    #8 0x7fb3f49a5cb0 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/dom/base/nsINode.cpp:1663:5
    #9 0x7fb3f47f2a31 in mozilla::dom::FragmentOrElement::RemoveChildAt_Deprecated(unsigned int, bool) src/dom/base/FragmentOrElement.cpp:1211:5
    #10 0x7fb3f4a85b1d in RemoveChild src/dom/base/nsINode.cpp:544:3
    #11 0x7fb3f4a85b1d in nsINode::Remove() src/dom/base/nsINode.cpp:1576
    #12 0x7fb3f66e3f6d in mozilla::dom::ElementBinding::remove(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ElementBinding.cpp:4557:9
    #13 0x7fb3f6e03e61 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3260:13
    #14 0x7fb3fd696767 in CallJSNative src/js/src/vm/JSContext-inl.h:280:15
    #15 0x7fb3fd696767 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #16 0x7fb3fd681216 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #17 0x7fb3fd681216 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3086
    #18 0x7fb3fd667967 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #19 0x7fb3fd6964e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #20 0x7fb3fd697762 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #21 0x7fb3fe1a005a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2989:12
    #22 0x7fb3f6590d2e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #23 0x7fb3f756dd2a in Call<nsISupports *> src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #24 0x7fb3f756dd2a in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214
    #25 0x7fb3f7534a8d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1121:52
    #26 0x7fb3f753619b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1288:20
    #27 0x7fb3f75207f7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:528:16
    #28 0x7fb3f7524623 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:934:9
    #29 0x7fb3f9802858 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1066:7
    #30 0x7fb3fc9591e2 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7236:21
    #31 0x7fb3fc955609 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7029:7
    #32 0x7fb3fc95ce0f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #33 0x7fb3f36243e7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
    #34 0x7fb3f362346a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
    #35 0x7fb3f3620045 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
    #36 0x7fb3f362200c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
    #37 0x7fb3f362302c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #38 0x7fb3f1a3702a in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #39 0x7fb3f49d5a7a in DoUnblockOnload src/dom/base/nsDocument.cpp:8422:18
    #40 0x7fb3f49d5a7a in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8344
    #41 0x7fb3f49b65e4 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5328:3
    #42 0x7fb3f4acd4d4 in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #43 0x7fb3f4acd4d4 in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #44 0x7fb3f4acd4d4 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #45 0x7fb3f182f501 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #46 0x7fb3f184e2f9 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #47 0x7fb3f1869d30 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #48 0x7fb3f27476ea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #49 0x7fb3f269bf09 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #50 0x7fb3f269bf09 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #51 0x7fb3f269bf09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #52 0x7fb3f916395a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #53 0x7fb3fd3cb8fb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #54 0x7fb3f269bf09 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #55 0x7fb3f269bf09 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #56 0x7fb3f269bf09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #57 0x7fb3fd3cb2c0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #58 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #59 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:280
    #60 0x7fb41104982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #61 0x420f48 in _start (firefox+0x420f48)
Flags: in-testsuite?
I'll take a look...
Assignee: nobody → mats
Status: NEW → ASSIGNED
Attached file frame tree
We don't find the <summary> frame because it's been pushed
to the OverflowList.
Comment on attachment 8972532 [details] [diff] [review]
Try also the OverflowList and next-in-flows when searching for the first child frame

Review of attachment 8972532 [details] [diff] [review]:
-----------------------------------------------------------------

IIUC the underlying problem is actually bug 847368 and this is kind of a workaround for that case?

I don't think normally we want to push children into overflow when the principal list contains nothing... In that case the frame itself should probably be pushed to overflow of its parent instead.
Attachment #8972532 - Flags: review?(xidorn+moz) → review+
Yeah, kinda... I haven't looked into it much for <details>/<summary>
specifically, but since we use nsBlockFrame::Reflow here we need to
deal with the possibility that it might get pushed.  The breaking
rules are standardized and there are valid cases where the first
fragment may become empty.
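The search-order change behind this fix, as an added illustration that is not Gecko's code and not part of this bug's patch. The `Frame` type below is an assumed toy model of a block frame with a principal child list, an OverflowList and a next-in-flow chain (the real nsIFrame/nsBlockFrame API is not reproduced here); `FirstChildPrincipalOnly` models the pre-fix lookup that yields the null pointer dereferenced at DetailsFrame.cpp:134 in the trace above, and `FirstChildAcrossFlows` follows the order the commit message describes (principal list, then OverflowList, then next-in-flows). The scenarios are constructed to match the frame-tree comment above (the `<summary>` pushed out of an empty first fragment).

```cpp
#include <cstring>
#include <vector>

// Toy model of a block frame's continuation structure, assumed for this
// example (not the real nsIFrame/nsBlockFrame API): a frame owns a principal
// child list, may carry an overflow list of children pushed out during
// reflow, and may have a next-in-flow holding later fragments.
struct Frame {
    const char* tag;               // element the frame was built for
    std::vector<Frame*> principal; // principal child list
    std::vector<Frame*> overflow;  // children pushed to the OverflowList
    Frame* nextInFlow = nullptr;   // continuation frame, if any

    explicit Frame(const char* t) : tag(t) {}
};

// Lookup as it was before the fix: only the principal list of the first
// fragment. When reflow has pushed every child out of that fragment the
// result is nullptr; dereferencing it gives the read near address zero
// (0x65 here, a small offset from a null frame) reported by ASan above.
Frame* FirstChildPrincipalOnly(Frame* details) {
    return details->principal.empty() ? nullptr : details->principal.front();
}

// Lookup in the order the commit message describes: principal list, then
// the OverflowList, then the same two lists of each next-in-flow.
Frame* FirstChildAcrossFlows(Frame* details) {
    for (Frame* f = details; f; f = f->nextInFlow) {
        if (!f->principal.empty()) return f->principal.front();
        if (!f->overflow.empty()) return f->overflow.front();
    }
    return nullptr;
}

// Stand-in for the HasMainSummaryFrame check: is the first child frame the
// <summary>? Unlike the crashing code it treats "no child found" as false
// instead of dereferencing a null result.
bool HasMainSummary(Frame* details, Frame* (*firstChild)(Frame*)) {
    Frame* first = firstChild(details);
    return first != nullptr && std::strcmp(first->tag, "summary") == 0;
}

// Constructed scenarios (heap-allocated and deliberately not freed so the
// frames stay valid for the caller to inspect).
struct Scenario {
    Frame details{"details"};
    Frame continuation{"details"};
    Frame summary{"summary"};
    Frame body{"div"};
};

// Case from the frame-tree comment: the first <details> fragment has an
// empty principal list because <summary> was pushed to the OverflowList.
Scenario* SummaryPushedToOverflow() {
    Scenario* s = new Scenario;
    s->details.overflow = {&s->summary, &s->body};
    return s;
}

// Case the fix also covers: the first fragment is empty and the children
// live in the principal list of a next-in-flow continuation.
Scenario* SummaryInNextInFlow() {
    Scenario* s = new Scenario;
    s->details.nextInFlow = &s->continuation;
    s->continuation.principal = {&s->summary, &s->body};
    return s;
}

int main() {
    Scenario* a = SummaryPushedToOverflow();
    Scenario* b = SummaryInNextInFlow();
    // Old lookup: null in both cases (the crash input). New lookup: summary.
    bool ok = FirstChildPrincipalOnly(&a->details) == nullptr &&
              FirstChildPrincipalOnly(&b->details) == nullptr &&
              HasMainSummary(&a->details, FirstChildAcrossFlows) &&
              HasMainSummary(&b->details, FirstChildAcrossFlows);
    return ok ? 0 : 1;
}
```

The practitioner's takeaway is the one xidorn's review raises: a caller that assumes "first child of the first fragment" exists is one fragmentation edge case away from a null read, so either the lookup walks every place a child can legally end up, or the caller checks the result before using it (the model does both).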
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/270f1ccc00a0
Try also the OverflowList and next-in-flows when searching for the first child frame.  r=xidorn
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/270f1ccc00a0
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Crash Signature: [@ mozilla::DetailsFrame::HasMainSummaryFrame]
Depends on: 1460158