Closed Bug 1489863 Opened 6 years ago Closed 6 years ago

crash near null in [@ nsTextFrame::ReflowText]

Categories

(Core :: Layout: Floats, defect, P3)

Product:
Core
Component:
Layout: Floats
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- verified
firefox64 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

testcase.html
233 bytes, text/html
Details
Bug 1489863 - Add a crashtest.
46 bytes, text/x-phabricator-request
dholbert
: review+
Details | Review
Attached file testcase.html 
==18239==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000015 (pc 0x7f5552d1a2b0 bp 0x7fff20d34f30 sp 0x7fff20d34800 T0)
==18239==The signal is caused by a READ memory access.
==18239==Hint: address points to the zero page.
    #0 0x7f5552d1a2af in IsVertical src/obj-firefox/dist/include/gfxFont.h
    #1 0x7f5552d1a2af in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9685
    #2 0x7f5552c41a52 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:943:7
    #3 0x7f5552c3f95f in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:729:15
    #4 0x7f5552c3de3f in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:598:7
    #5 0x7f5552c3cec1 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:400:3
    #6 0x7f5552c41bc0 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:940:13
    #7 0x7f5552a62b9d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4269:15
    #8 0x7f5552a61452 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4069:5
    #9 0x7f5552a57e49 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3942:9
    #10 0x7f5552a4fb92 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2924:5
    #11 0x7f5552a44b4a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #12 0x7f5552a3bea7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #13 0x7f5552a5eaeb in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #14 0x7f5552a5232f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #15 0x7f5552a4fce4 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #16 0x7f5552a44b4a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #17 0x7f5552a3bea7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #18 0x7f5552aa13a6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #19 0x7f5552a9f387 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:803:5
    #20 0x7f5552aa13a6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #21 0x7f5552b91e05 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #22 0x7f5552b93344 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #23 0x7f5552b9743f in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #24 0x7f5552a1e66e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #25 0x7f5552a1d254 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:338:7
    #26 0x7f5552801302 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:9026:11
    #27 0x7f5552816de0 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9199:24
    #28 0x7f55528151f9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4351:11
    #29 0x7f55527a44c1 in FlushPendingNotifications src/layout/base/nsIPresShell.h:577:5
    #30 0x7f55527a44c1 in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1926
    #31 0x7f55527b375f in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #32 0x7f55527b375f in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #33 0x7f55527b3391 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #34 0x7f55527b5ebe in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #35 0x7f55527b5ebe in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #36 0x7f55527b5ac0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #37 0x7f555306e12f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
    #38 0x7f554ba61e08 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #39 0x7f554b8ed836 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #40 0x7f554b44848e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2239:25
    #41 0x7f554b4453a4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2166:17
    #42 0x7f554b446bfc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #43 0x7f554b447258 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #44 0x7f554a50de0f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
    #45 0x7f554a514fa8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #46 0x7f554b44ff3a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #47 0x7f554b3a3b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #48 0x7f554b3a3b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #49 0x7f554b3a3b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #50 0x7f555223eeca in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #51 0x7f5555ecee1f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #52 0x7f554b3a3b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #53 0x7f554b3a3b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #54 0x7f554b3a3b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #55 0x7f5555ece6e9 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #56 0x4f2304 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #57 0x4f2304 in main src/browser/app/nsBrowserApp.cpp:287
    #58 0x7f55699ea82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #59 0x421728 in _start (firefox+0x421728)
Flags: in-testsuite?
Regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=ed8e57ba1b07cced1517a62573617ff3cac0fab9&tochange=a4eef4b8a3b0c8560d548ebf0a5ef2f2e17cbb23

--> regression from bug 488725 , i.e. new bug in Firefox 63 (currently on beta)

emilio, maybe you could take a look?
Blocks: 488725
Has Regression Range: --- → yes
status-firefox62: --- → unaffected
Component: Layout → Layout: Floats
Flags: needinfo?(emilio)
Keywords: regression
Priority: -- → P3
Yes.
Assignee: nobody → emilio
See Also: → 1490281
This crashtest is simpler than the one from bug 1489287, so I think we should
land it.
Depends on: 1489287
Flags: needinfo?(emilio)
Comment on attachment 9008042 [details]
Bug 1489863 - Add a crashtest.

Daniel Holbert [:dholbert] has approved the revision.
Attachment #9008042 - Flags: review+
Severity: normal → critical
https://hg.mozilla.org/mozilla-central/rev/a763a7590d5b
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Emilio, does this test need backporting to the beta branch?
Flags: needinfo?(emilio)
This is only the test, so no. Will request uplift for the actual fix.
Flags: needinfo?(emilio)
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Flags: qe-verify+
I have reproduced in Nightly v64.0a1 from 2018-09-05. 
I have verified the fix in Nightly v64.0a1 from 2018-09-27 and Firefox Beta v63.0b9.
Uplift successful. Thank you!
Status: RESOLVED → VERIFIED
status-firefox63: fixedverified
status-firefox64: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: