Bug 1488219 - Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at src/layout/base/nsFrameManager.cpp:172
Status: RESOLVED FIXED (Closed)
Opened 7 years ago, closed 7 years ago
Categories: Core :: Layout: Form Controls, defect
Target Milestone: mozilla64
Reporter: tsmith
Assigned: TYLin
References: Blocks 1 open bug
Keywords: assertion, crash, testcase
Attachments (2 files):
  440 bytes, text/html
  46 bytes, text/x-phabricator-request (dholbert: review+, pascalc: approval-mozilla-beta+)
Reduced with m-c:
BuildID=20180830165914
SourceStamp=c317d6b31d9c951c9357fb9a49d2686a3efcfe2f
Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at src/layout/base/nsFrameManager.cpp:172
#0 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:172:3
#1 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#2 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#3 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#4 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#5 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#6 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#7 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#8 nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#9 mozilla::PresShell::CaptureHistoryState(nsILayoutHistoryState**) src/layout/base/PresShell.cpp:3936:22
#10 nsDocShell::PersistLayoutHistoryState() src/docshell/base/nsDocShell.cpp:12416:19
#11 nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) src/docshell/base/nsDocShell.cpp:6672:3
#12 nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) src/docshell/base/nsDocShell.cpp:8666:3
#13 nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) src/docshell/base/nsDSURIContentListener.cpp:196:21
#14 nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) src/uriloader/base/nsURILoader.cpp:759:28
#15 nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:428:30
#16 nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:306:8
#17 nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/nsBaseChannel.cpp:860:25
#18 nsInputStreamPump::OnStateStart() src/netwerk/base/nsInputStreamPump.cpp:524:25
#19 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:429:25
#20 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp
#21 nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:102:20
#22 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
#24 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#26 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#27 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#28 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#29 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#30 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#31 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#32 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#33 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#34 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#35 main src/browser/app/nsBrowserApp.cpp:287:18
#36 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#37 _start (firefox+0x423d84)
Flags: in-testsuite?
Comment 1•7 years ago
We're deleting the columnset frame without deleting the placeholder... TYLin, you're looking at columnset stuff, maybe you could take a look at this?
Flags: needinfo?(aethanyc)
Comment 2•7 years ago (Reporter)
Also shows up as a crash on an opt build.
==2121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdee6ff8415 bp 0x7ffeef08ad50 sp 0x7ffeef08ad50 T0)
==2121==The signal is caused by a READ memory access.
==2121==Hint: address points to the zero page.
#0 0x7fdee6ff8414 in mozilla::layout::FrameChildListIterator::FrameChildListIterator(nsIFrame const*) src/layout/generic/FrameChildList.cpp:17:11
#1 0x7fdee6ef1de9 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:177:31
#2 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#3 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#4 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#5 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#6 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#7 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#8 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#9 0x7fdee6ef1f60 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) src/layout/base/nsFrameManager.cpp:189:7
#10 0x7fdee6e3247b in mozilla::PresShell::CaptureHistoryState(nsILayoutHistoryState**) src/layout/base/PresShell.cpp:3936:22
#11 0x7fdee9a26c98 in nsDocShell::PersistLayoutHistoryState() src/docshell/base/nsDocShell.cpp:12416:19
#12 0x7fdee9a33ba3 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) src/docshell/base/nsDocShell.cpp:6672:3
#13 0x7fdee99cc139 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) src/docshell/base/nsDocShell.cpp:8666:3
#14 0x7fdee99c983c in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) src/docshell/base/nsDSURIContentListener.cpp:196:21
#15 0x7fdee09b3fc6 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) src/uriloader/base/nsURILoader.cpp:759:28
#16 0x7fdee09b164c in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:428:30
#17 0x7fdee09aff42 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:306:8
#18 0x7fdedecc911c in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/nsBaseChannel.cpp:860:25
#19 0x7fdeded23a51 in nsInputStreamPump::OnStateStart() src/netwerk/base/nsInputStreamPump.cpp:524:25
#20 0x7fdeded230ec in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:429:25
#21 0x7fdedeabd7b2 in nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:102:20
#22 0x7fdedeafff9e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 0x7fdedeb2de0f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
#24 0x7fdedeb34fa8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 0x7fdedfa6ff26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
#26 0x7fdedf9c3b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#27 0x7fdedf9c3b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#28 0x7fdedf9c3b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#29 0x7fdee685eeca in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#30 0x7fdeea4eee1f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#31 0x7fdedf9c3b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#32 0x7fdedf9c3b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#33 0x7fdedf9c3b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#34 0x7fdeea4ee6e9 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#35 0x4f2304 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#36 0x4f2304 in main src/browser/app/nsBrowserApp.cpp:287
#37 0x7fdefe00a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#38 0x421728 in _start (firefox+0x421728)
Keywords: crash
Comment 3•7 years ago (Assignee)
In the testcase, the script tries to insert a node into <input id='c' type='time'>. Unfortunately, we mark nsDateTimeControlFrame as "NonLeaf", so we'll try to render the inserted node under the <input>, which makes weird things happen.
[1] https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/layout/generic/nsFrameIdList.h#23
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Comment 4•7 years ago (Assignee)
nsDateTimeControlFrame should be a leaf like all the other <input> frames
like nsTextControlFrame, nsCheckboxRadioFrame, etc.
Updated•7 years ago (Assignee)
Component: Layout → Layout: Form Controls
Comment 5•7 years ago
Comment on attachment 9006381 [details]
Bug 1488219 - Mark nsDateTimeControlFrame as a leaf frame.
Daniel Holbert [:dholbert] has approved the revision.
Attachment #9006381 - Flags: review+
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/91a9eae5ae1e
Mark nsDateTimeControlFrame as a leaf frame. r=dholbert
Comment 7•7 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 8•7 years ago
Is there a user impact which justifies Beta uplift consideration or can this ride 64 to release?
status-firefox62: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: needinfo?(aethanyc)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 9•7 years ago (Assignee)
Opt build could crash with the testcase, so it might be worth an uplift to beta.
Flags: needinfo?(aethanyc)
Comment 10•7 years ago (Assignee)
Comment on attachment 9006381 [details]
Bug 1488219 - Mark nsDateTimeControlFrame as a leaf frame.
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1288591.
[User impact if declined]: Browser might crash if a script tries to append or insert a node into <input type="time">
[Is this code covered by automated tests?]: Yes, by a crashtest.
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: Not risky.
[Why is the change risky/not risky?]: The patch prevents frames from being generated for normal kids under nsDateTimeControlFrame, and nsDateTimeControlFrame should have behaved like this from the beginning. No other functionality is changed.
[String changes made/needed]: None.
Attachment #9006381 - Flags: approval-mozilla-beta?
Comment 11•7 years ago
Comment on attachment 9006381 [details]
Bug 1488219 - Mark nsDateTimeControlFrame as a leaf frame.
Approved for the next 63 beta
Attachment #9006381 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 12•7 years ago
bugherder uplift