Open Bug 1493775 Opened 6 years ago Updated 2 months ago

[first-line+float+fragmentation] AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode

Categories

(Core :: Layout: Block and Inline, defect)

Product:
Core
Component:
Layout: Block and Inline
Type:
defect

Tracking

()

Status:
REOPENED
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox64 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files, 3 obsolete files)

1841739.html
623 bytes, text/html
Details
testcase.html
351 bytes, text/html
Details
Attached file testcase.html (obsolete) — 
Testcase found while fuzzing mozilla-central rev 095ec59a8800.

==23656==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000064 (pc 0x7f6e09650151 bp 0x7ffc1d791e70 sp 0x7ffc1d791980 T0)
==23656==The signal is caused by a READ memory access.
==23656==Hint: address points to the zero page.
    #0 0x7f6e09650150 in GetWritingMode /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56
    #1 0x7f6e09650150 in NewPerFrameData /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:685
    #2 0x7f6e09650150 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:811
    #3 0x7f6e0945835d in nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:242:9
    #4 0x7f6e0965211c in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:940:13
    #5 0x7f6e093e7dba in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4274:15
    #6 0x7f6e093e689d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4107:9
    #7 0x7f6e093da65f in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3947:9
    #8 0x7f6e093d15bc in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2929:5
    #9 0x7f6e093c3507 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
    #10 0x7f6e093b752b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
    #11 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #12 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #13 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #14 0x7f6e09329766 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #15 0x7f6e09653cd9 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:181:22
    #16 0x7f6e09653cd9 in TryToPlaceFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1560
    #17 0x7f6e09653cd9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:982
    #18 0x7f6e093e7dba in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4274:15
    #19 0x7f6e093e5dfa in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4074:5
    #20 0x7f6e093da65f in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3947:9
    #21 0x7f6e093d15bc in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2929:5
    #22 0x7f6e093c3507 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
    #23 0x7f6e093b752b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
    #24 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #25 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #26 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #27 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
    #28 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
    #29 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #30 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #31 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #32 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
    #33 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
    #34 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #35 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #36 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #37 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
    #38 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
    #39 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #40 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #41 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #42 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
    #43 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
    #44 0x7f6e093e267b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #45 0x7f6e093fb5a7 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6454:9
    #46 0x7f6e0932bc32 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #47 0x7f6e093c09c2 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6582:12
    #48 0x7f6e093b7371 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1273:3
    #49 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #50 0x7f6e0943d931 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:799:7
    #51 0x7f6e09445623 in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:482:19
    #52 0x7f6e09445623 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1240
    #53 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #54 0x7f6e09433c4e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
    #55 0x7f6e0943644b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #56 0x7f6e0956e61b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #57 0x7f6e09570189 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #58 0x7f6e09575710 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #59 0x7f6e09392058 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #60 0x7f6e0939077b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
    #61 0x7f6e090e646b in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9016:11
    #62 0x7f6e09101248 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9189:24
    #63 0x7f6e090ff36c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
    #64 0x7f6e09075747 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:577:5
    #65 0x7f6e09075747 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1930
    #66 0x7f6e09087441 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
    #67 0x7f6e09087441 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
    #68 0x7f6e09086f61 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
    #69 0x7f6e0908a241 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
    #70 0x7f6e0908a241 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
    #71 0x7f6e09089998 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
    #72 0x7f6e09b50da8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #73 0x7f6e0083d08b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #74 0x7f6e005b3e60 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #75 0x7f6dffd9e685 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #76 0x7f6dffd9a3b9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #77 0x7f6dffd9c4fd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #78 0x7f6dffd9d227 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #79 0x7f6dfeb8d897 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #80 0x7f6dfeb96415 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #81 0x7f6dffda7d03 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #82 0x7f6dffcaa73c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #83 0x7f6dffcaa73c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #84 0x7f6dffcaa73c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #85 0x7f6e089971a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #86 0x7f6e0ce5c2ee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #87 0x7f6dffcaa73c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #88 0x7f6dffcaa73c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #89 0x7f6dffcaa73c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #90 0x7f6e0ce5b413 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #91 0x55aa7621cb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #92 0x55aa7621cb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #93 0x7f6e20ae8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Attached file testcase.html (obsolete) — 
Previously attached the wrong testcase.
Attachment #9011561 - Attachment is obsolete: true
Attached file fuzzer.js (obsolete) — 

    
    

    
  
From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.


Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?


Flags: needinfo?(jkratzer)

    
    

    
  
Bugbug thinks this bug is a regression, but please revert this change in case of error.


Keywords: regression

    
    

    
  
(In reply to Jonathan Kew (:jfkthame) from comment #3)




From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.


Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?




This looks to have been fixed sometime within the following range:




Start: 7ea008f8701b6f95320a16d78ed6ed56e22235c6 (20181211162355)

End: a02122d22c5e3627c23591a77dde877961b44b8c (20181211162540)

Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7ea008f8701b6f95320a16d78ed6ed56e22235c6&tochange=a02122d22c5e3627c23591a77dde877961b44b8c




Flags: needinfo?(jkratzer)

    
    

    
  
Hmm, I don't see anything in that pushlog that looks particularly likely as a fix.... would you mind double-checking the range? I'd feel more confident in resolving this if we could point to where a relevant fix landed.


Depends on: 1625252

    
    

    
  
I can't reproduce this crash on Linux.  It's very likely the same underlying issue as bug 1493775 though, which is reproducible.



    
    

    
  
Hey Jason,

Can you still reproduce this issue or should we close it?


Flags: needinfo?(jkratzer)

    
    

    
  
I was unable to reproduce this issue using mozilla-central rev 152fdda295bb. I think we can safely close this issue.


Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME

    
    

    
  
This was marked "Depends on" which is fair if you're not sure it's an actual duplicate, but according to Tyson this signature still happens dozens of times a week in our fuzzing infrastructure even if this testcase no longer works. Reported by multiple individual fuzzers, with reproducible testcases.


Tyson: can you attach one of the testcases, and if easy a bit of history of this crash.


Status: RESOLVED → REOPENED
Flags: needinfo?(twsmith)
Resolution: WORKSFORME → ---
Duplicate of this bug: 1841739

    
  
Crash Signature: [@ nsIFrame::GetWritingMode ]

          status-firefox115:
          --- → affected

          status-firefox116:
          --- → affected

          status-firefox117:
          --- → affected

          status-firefox64:
          affectedwontfix

          status-firefox-esr102:
          --- → affected

          status-firefox-esr115:
          --- → affected
Flags: needinfo?(twsmith)

    
    

    
  

      
      
      
      

        Attached file
          
        1841739.html
      

    


  
This is the test case from bug 1841739.



        Attachment #9011562 -
        Attachment is obsolete: true

        Attachment #9011563 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        testcase.html
      

    


  
Another test case from fuzzers.



    
    

    
  
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.


For more information, please visit BugBot documentation.


Severity: critical → S3

    
    

    
  
Ting-Yu, this seems this is related to fragmentation, maybe you can poke and see if there's something obvious going on in the multicol code?


Flags: needinfo?(aethanyc)
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode → [first-line+float+fragmentation] AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode

    
    

    
  
Float first-letter seems tricky in multicol ... I see the following warning when loading the testcase in comment 13 in my local debug builds


WARNING: Scanning overflow inline frames is something we should avoid: '!result.mOverflowFrameToScan'
...
WARNING: We shouldn't be backing up more than once! Someone must have set a break opportunity beyond the available width, even though there were better break opportunities before it
...



They might be a good start for investigation.


Flags: needinfo?(aethanyc)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: