Open
Bug 1493775
Opened 7 years ago
Updated 1 year ago
[first-line+float+fragmentation] AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode
Categories
(Core :: Layout: Block and Inline, defect)
Core
Layout: Block and Inline
Tracking
()
REOPENED
People
(Reporter: jkratzer, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files, 3 obsolete files)
Testcase found while fuzzing mozilla-central rev 095ec59a8800.
==23656==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000064 (pc 0x7f6e09650151 bp 0x7ffc1d791e70 sp 0x7ffc1d791980 T0)
==23656==The signal is caused by a READ memory access.
==23656==Hint: address points to the zero page.
#0 0x7f6e09650150 in GetWritingMode /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56
#1 0x7f6e09650150 in NewPerFrameData /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:685
#2 0x7f6e09650150 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:811
#3 0x7f6e0945835d in nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:242:9
#4 0x7f6e0965211c in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:940:13
#5 0x7f6e093e7dba in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4274:15
#6 0x7f6e093e689d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4107:9
#7 0x7f6e093da65f in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3947:9
#8 0x7f6e093d15bc in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2929:5
#9 0x7f6e093c3507 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
#10 0x7f6e093b752b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
#11 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#12 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#13 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#14 0x7f6e09329766 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
#15 0x7f6e09653cd9 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:181:22
#16 0x7f6e09653cd9 in TryToPlaceFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1560
#17 0x7f6e09653cd9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:982
#18 0x7f6e093e7dba in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4274:15
#19 0x7f6e093e5dfa in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4074:5
#20 0x7f6e093da65f in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3947:9
#21 0x7f6e093d15bc in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2929:5
#22 0x7f6e093c3507 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
#23 0x7f6e093b752b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
#24 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#25 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#26 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#27 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
#28 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
#29 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#30 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#31 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#32 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
#33 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
#34 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#35 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#36 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#37 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
#38 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
#39 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#40 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#41 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#42 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
#43 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
#44 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
#45 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
#46 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
#47 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
#48 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
#49 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
#50 0x7f6e0943d931 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:799:7
#51 0x7f6e09445623 in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:482:19
#52 0x7f6e09445623 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1240
#53 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
#54 0x7f6e09433c4e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
#55 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
#56 0x7f6e0956e61b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
#57 0x7f6e09570189 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
#58 0x7f6e09575710 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
#59 0x7f6e09392058 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
#60 0x7f6e0939077b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
#61 0x7f6e090e646b in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9016:11
#62 0x7f6e09101248 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9189:24
#63 0x7f6e090ff36c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
#64 0x7f6e09075747 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:577:5
#65 0x7f6e09075747 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1930
#66 0x7f6e09087441 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
#67 0x7f6e09087441 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
#68 0x7f6e09086f61 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
#69 0x7f6e0908a241 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
#70 0x7f6e0908a241 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
#71 0x7f6e09089998 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
#72 0x7f6e09b50da8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
#73 0x7f6e0083d08b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#74 0x7f6e005b3e60 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#75 0x7f6dffd9e685 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
#76 0x7f6dffd9a3b9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
#77 0x7f6dffd9c4fd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
#78 0x7f6dffd9d227 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
#79 0x7f6dfeb8d897 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
#80 0x7f6dfeb96415 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#81 0x7f6dffda7d03 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#82 0x7f6dffcaa73c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#83 0x7f6dffcaa73c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#84 0x7f6dffcaa73c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#85 0x7f6e089971a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#86 0x7f6e0ce5c2ee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#87 0x7f6dffcaa73c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#88 0x7f6dffcaa73c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#89 0x7f6dffcaa73c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#90 0x7f6e0ce5b413 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#91 0x55aa7621cb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#92 0x55aa7621cb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
#93 0x7f6e20ae8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
|
Reporter | |
Comment 1•7 years ago
|
||
Previously attached the wrong testcase.
Attachment #9011561 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 2•7 years ago
|
||
|
||
Comment 3•6 years ago
|
||
From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.
Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?
Flags: needinfo?(jkratzer)
|
||
Comment 4•6 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
|
Reporter | |
Comment 5•6 years ago
|
||
(In reply to Jonathan Kew (:jfkthame) from comment #3)
From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.
Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?
This looks to have been fixed sometime within the following range:
Start: 7ea008f8701b6f95320a16d78ed6ed56e22235c6 (20181211162355)
End: a02122d22c5e3627c23591a77dde877961b44b8c (20181211162540)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7ea008f8701b6f95320a16d78ed6ed56e22235c6&tochange=a02122d22c5e3627c23591a77dde877961b44b8c
Flags: needinfo?(jkratzer)
|
|
||
Comment 6•6 years ago
|
||
Hmm, I don't see anything in that pushlog that looks particularly likely as a fix.... would you mind double-checking the range? I'd feel more confident in resolving this if we could point to where a relevant fix landed.
|
||
Comment 7•5 years ago
|
||
I can't reproduce this crash on Linux. It's very likely the same underlying issue as bug 1493775 though, which is reproducible.
|
||
Comment 8•4 years ago
|
||
Hey Jason,
Can you still reproduce this issue or should we close it?
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 9•4 years ago
|
||
I was unable to reproduce this issue using mozilla-central rev 152fdda295bb. I think we can safely close this issue.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
|
||
Comment 10•2 years ago
|
||
This was marked "Depends on" which is fair if you're not sure it's an actual duplicate, but according to Tyson this signature still happens dozens of times a week in our fuzzing infrastructure even if this testcase no longer works. Reported by multiple individual fuzzers, with reproducible testcases.
Tyson: can you attach one of the testcases, and if easy a bit of history of this crash.
Status: RESOLVED → REOPENED
Flags: needinfo?(twsmith)
Resolution: WORKSFORME → ---
|
||
Updated•2 years ago
|
Crash Signature: [@ nsIFrame::GetWritingMode ]
status-firefox115:
--- → affected
status-firefox116:
--- → affected
status-firefox117:
--- → affected
status-firefox-esr102:
--- → affected
status-firefox-esr115:
--- → affected
Flags: needinfo?(twsmith)
|
|
||
Comment 12•2 years ago
|
||
This is the test case from bug 1841739.
Attachment #9011562 -
Attachment is obsolete: true
Attachment #9011563 -
Attachment is obsolete: true
|
|
||
Comment 13•2 years ago
|
||
Another test case from fuzzers.
|
|
||
Comment 14•2 years ago
|
||
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit BugBot documentation.
Severity: critical → S3
|
||
Updated•2 years ago
|
|
||
Comment 15•2 years ago
|
||
Ting-Yu, this seems this is related to fragmentation, maybe you can poke and see if there's something obvious going on in the multicol code?
Flags: needinfo?(aethanyc)
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode → [first-line+float+fragmentation] AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode
|
||
Comment 16•1 year ago
|
||
Float first-letter seems tricky in multicol ... I see the following warning when loading the testcase in comment 13 in my local debug builds
WARNING: Scanning overflow inline frames is something we should avoid: '!result.mOverflowFrameToScan'
...
WARNING: We shouldn't be backing up more than once! Someone must have set a break opportunity beyond the available width, even though there were better break opportunities before it
...
They might be a good start for investigation.
Flags: needinfo?(aethanyc)
You need to log in
before you can comment on or make changes to this bug.
Description
•