[first-line+float+fragmentation] AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:908:56 in GetWritingMode
Categories: Core :: Layout: Block and Inline, defect
People: Reporter: jkratzer, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Keywords: crash, regression, testcase
Attachments: 2 files, 3 obsolete files
Reporter
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
Comment 3•6 years ago
From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.
Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?
Comment 4•6 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Reporter
Comment 5•6 years ago
(In reply to Jonathan Kew (:jfkthame) from comment #3)
From the stack, it kinda looks like we must have called nsLineLayout::ReflowFrame with a null frame pointer. But I can't seem to reproduce this locally at the moment.
Jason, does this reproduce for you with current trunk code, or has something changed such that it no longer happens?
This looks to have been fixed sometime within the following range:
Start: 7ea008f8701b6f95320a16d78ed6ed56e22235c6 (20181211162355)
End: a02122d22c5e3627c23591a77dde877961b44b8c (20181211162540)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7ea008f8701b6f95320a16d78ed6ed56e22235c6&tochange=a02122d22c5e3627c23591a77dde877961b44b8c
Comment 6•6 years ago
Hmm, I don't see anything in that pushlog that looks particularly likely as a fix.... would you mind double-checking the range? I'd feel more confident in resolving this if we could point to where a relevant fix landed.
Comment 7•5 years ago
I can't reproduce this crash on Linux. It's very likely the same underlying issue as bug 1493775 though, which is reproducible.
Comment 8•4 years ago
Hey Jason,
Can you still reproduce this issue or should we close it?
Reporter
Comment 9•4 years ago
I was unable to reproduce this issue using mozilla-central rev 152fdda295bb. I think we can safely close this issue.
Comment 10•2 years ago
This was marked "Depends on" which is fair if you're not sure it's an actual duplicate, but according to Tyson this signature still happens dozens of times a week in our fuzzing infrastructure even if this testcase no longer works. Reported by multiple individual fuzzers, with reproducible testcases.
Tyson: can you attach one of the testcases, and if easy a bit of history of this crash.
Updated•2 years ago
Comment 12•2 years ago
This is the test case from bug 1841739.
Comment 13•2 years ago
Another test case from fuzzers.
Comment 14•2 years ago
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit BugBot documentation.
Updated•2 years ago
Comment 15•2 years ago
Ting-Yu, this seems to be related to fragmentation; maybe you can poke at it and see if there's something obvious going on in the multicol code?
Comment 16•1 year ago
Float first-letter seems tricky in multicol ... I see the following warnings when loading the testcase in comment 13 in my local debug builds:
WARNING: Scanning overflow inline frames is something we should avoid: '!result.mOverflowFrameToScan'
...
WARNING: We shouldn't be backing up more than once! Someone must have set a break opportunity beyond the available width, even though there were better break opportunities before it
...
They might be a good start for investigation.