1463940 - crash at null in [@ MergeState::ProcessItemFromNewList]

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

==20033==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5770590534 bp 0x7ffe3fc4c270 sp 0x7ffe3fc4c0c0 T0)
==20033==The signal is caused by a READ memory access.
==20033==Hint: address points to the zero page.
    #0 0x7f5770590533 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp
    #1 0x7f577058f988 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, unsigned int) src/layout/painting/RetainedDisplayListBuilder.cpp:513:36
    #2 0x7f5770598a41 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1205:7
    #3 0x7f576fd5168b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3695:40
    #4 0x7f576fc46907 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6312:5
    #5 0x7f576f5da42a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #6 0x7f576f5d922c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #7 0x7f576f5de886 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #8 0x7f576fbc02f5 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2039:11
    #9 0x7f576fbcd0cb in TickDriver src/layout/base/nsRefreshDriver.cpp:328:13
    #10 0x7f576fbcd0cb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #11 0x7f576fbccca9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
    #12 0x7f576fbcf7ee in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #13 0x7f576fbcf7ee in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673
    #14 0x7f576fbcf3ee in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
    #15 0x7f577047408f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #16 0x7f57691a1184 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #17 0x7f5769079363 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #18 0x7f5768be6e9e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #19 0x7f5768be3de2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #20 0x7f5768be561c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #21 0x7f5768be5c78 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #22 0x7f5767cf2806 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #23 0x7f5767d0e740 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #24 0x7f5768beeb3a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #25 0x7f5768b42fd9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #26 0x7f5768b42fd9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #27 0x7f5768b42fd9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #28 0x7f576f6681ba in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #29 0x7f57738c800b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #30 0x7f5768b42fd9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f5768b42fd9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f5768b42fd9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f57738c79d0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #34 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #35 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #36 0x7f578758682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #37 0x420f48 in _start (firefox+0x420f48)

Comment 1

[Matt Woodrow (:mattwoodrow)]

Attachment: Bug 1463940 - Invalidate display items when we add a caption to a table, since it can change the ordering of the content.

Review commit: https://reviewboard.mozilla.org/r/246338/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/246338/

Comment 2

[Markus Stange [:mstange]]

Comment on attachment 8980176 [details]
Bug 1463940 - Invalidate display items when we add a caption to a table, since it can change the ordering of the content.

https://reviewboard.mozilla.org/r/246338/#review253758

Comment 3

[Mozilla Autoland]

We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s bf7606b1b52c9caf4fc3aeed8c5d12a9a45aa6c3 -d ee7d95e669c9: rebasing 465638:bf7606b1b52c "Bug 1463940 - Invalidate display items when we add a caption to a table, since it can change the ordering of the content. r=mstange" (tip)
merging layout/base/crashtests/crashtests.list
warning: conflicts while merging layout/base/crashtests/crashtests.list! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)

Comment 4

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/f78166984496
Invalidate display items when we add a caption to a table, since it can change the ordering of the content. r=mstange

Comment 5

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/f78166984496

Comment 6

[Miko Mynttinen]

Comment on attachment 8980176 [details]
Bug 1463940 - Invalidate display items when we add a caption to a table, since it can change the ordering of the content.

Approval Request Comment
[Feature/Bug causing the regression]: Display item was not invalidated when the underlying frame was modified.
[User impact if declined]: Crashes.
[Is this code covered by automated tests?]: Yes, crashtest added.
[Has the fix been verified in Nightly?]: Yes, cannot reproduce on Mac or Linux.
[Needs manual test from QE? If yes, steps to reproduce]: No. STR: open the attached testcase.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: Low risk.
[Why is the change risky/not risky?]: This patch causes us to rebuild more display items, which slightly increase the risk of merging failure, but also reduces the chance of reused old items ending up in the wrong list.
[String changes made/needed]: No.

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8980176 [details]
Bug 1463940 - Invalidate display items when we add a caption to a table, since it can change the ordering of the content.

RDL crash fix with a new crashtest included. Approved for 61.0b10.

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/1751ceaa8d09