1461812 - crash in [@ MergeState::ProcessPredecessorsOfOldNode]

Status: RESOLVED FIXED

(Core :: Web Painting, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found with m-c:
BuildID=20180515095353
SourceStamp=cf3ee14023483cbbb57129479537c713e22c1980

==2108==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055c658 bp 0x7fffb8b843b0 sp 0x7fffb8b84240 T0)
==2108==The signal is caused by a WRITE memory access.
==2108==Hint: address points to the zero page.
    #0 0x55c657 in MOZ_CrashPrintf src/mfbt/Assertions.cpp:63:3
    #1 0x7f7cee4390ab in InvalidArrayIndex_CRASH(unsigned long, unsigned long) src/xpcom/ds/nsTArray.cpp:26:3
    #2 0x7f7cf6dc19b8 in ElementAt src/obj-firefox/dist/include/nsTArray.h:1031:7
    #3 0x7f7cf6dc19b8 in operator[] src/obj-firefox/dist/include/nsTArray.h:1069
    #4 0x7f7cf6dc19b8 in MergeState::ProcessPredecessorsOfOldNode(Index<OldListUnits>) src/layout/painting/RetainedDisplayListBuilder.cpp:424
    #5 0x7f7cf6cb9f62 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:291:61
    #6 0x7f7cf6cb8db2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:488:36
    #7 0x7f7cf6cc1ab1 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1179:7
    #8 0x7f7cf647e2cb in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3679:40
    #9 0x7f7cf6371885 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6350:5
    #10 0x7f7cf5d0c16a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #11 0x7f7cf5d0af6c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #12 0x7f7cf5d105c6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #13 0x7f7cf62e8f94 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2067:11
    #14 0x7f7cf62f6520 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13
    #15 0x7f7cf62f6520 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307
    #16 0x7f7cf62f60e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5
    #17 0x7f7cf62f8e5e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5
    #18 0x7f7cf62f8e5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683
    #19 0x7f7cf62f8a5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9
    #20 0x7f7cf6b9ed9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #21 0x7f7cef9cc854 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #22 0x7f7cef8a4763 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #23 0x7f7cef41478e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #24 0x7f7cef411756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #25 0x7f7cef412f0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #26 0x7f7cef413568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #27 0x7f7cee523113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #28 0x7f7cee53ece0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #29 0x7f7cef41c416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #30 0x7f7cef370ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f7cef370ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f7cef370ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f7cf5d99efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #34 0x7f7cfa001e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #35 0x7f7cef370ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7f7cef370ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7f7cef370ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7f7cfa001810 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #39 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #40 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #41 0x7f7d0dc2982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x420f48 in _start (firefox+0x420f48)

Comment 1

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: bad54bae22fada00a6441796e2f9e181ccd3d2fd
INFO: First bad revision: 9a2af4dad8113d6cfabb7308339e19a6c5dd2309
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bad54bae22fada00a6441796e2f9e181ccd3d2fd&tochange=9a2af4dad8113d6cfabb7308339e19a6c5dd2309

Comment 2

[Matt Woodrow (:mattwoodrow)]

Attachment: Bug 1461812 - Make sure we fully cleanup any partially constructed display lists when returning a failure from AttemptPartialUpdate.

Review commit: https://reviewboard.mozilla.org/r/244222/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/244222/

Comment 3

[Miko Mynttinen]

Comment on attachment 8976019 [details]
Bug 1461812 - Make sure we fully cleanup any partially constructed display lists when returning a failure from AttemptPartialUpdate.

https://reviewboard.mozilla.org/r/244222/#review250236

LGTM.

Comment 4

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/5543294befe9
Make sure we fully cleanup any partially constructed display lists when returning a failure from AttemptPartialUpdate. r=miko

Comment 5

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/5543294befe9

Comment 6

[Matt Woodrow (:mattwoodrow)]

Comment on attachment 8976019 [details]
Bug 1461812 - Make sure we fully cleanup any partially constructed display lists when returning a failure from AttemptPartialUpdate.

Approval Request Comment
[Feature/Bug causing the regression]: retained-dl, bug 1459441
[User impact if declined]: We need this to take bug 1459441 without crashing.
[Is this code covered by automated tests?]: Yes, new crashtest added.
[Has the fix been verified in Nightly?]: Crashtest passes on m-c.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No
[Why is the change risky/not risky?]: Just adds more explicit cleanup to avoid reusing invalid state.
[String changes made/needed]: None.

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8976019 [details]
Bug 1461812 - Make sure we fully cleanup any partially constructed display lists when returning a failure from AttemptPartialUpdate.

Retained display list fix needed for the feature to ship in Fx61. Approved for 61.0b6.

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/909e56123552