1494030 - Assertion failure: aNextSibling->GetParent() == aParentFrame (Wrong parent), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6083

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Assertion failure: aNextSibling->GetParent() == aParentFrame (Wrong parent), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6083

Testcase found while fuzzing mozilla-central rev c5a9878baf35.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007f4bdac7eae8
rsi = 0x00007f4bf4d338b0   rdi = 0x00007f4bf4d32680
rbp = 0x00007ffc8d03b190   rsp = 0x00007ffc8d03b180
r8 = 0x00007f4bf4d338b0    r9 = 0x00007f4bf5ea9740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f4bdac7ef28   r13 = 0x00007ffc8d03b1f8
r14 = 0x00007f4bdac7e9a0   r15 = 0x00007ffc8d03b2d8
rip = 0x00007f4be5719775
OS|Linux|0.0.0 Linux 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|FindAppendPrevSibling|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|6083|0x18
0|1|libxul.so|nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|7103|0x5
0|2|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|1444|0xe
0|3|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|3057|0xb
0|4|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|4298|0x19
0|5|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|1904|0x5
0|6|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|325|0x8
0|7|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|318|0xc
0|8|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|756|0xc
0|9|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|572|0xc
0|10|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|78|0x9
0|11|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:2c36fa176485b987fd1c1ce548d1f34c4c8bfdea36ff5dd016400feb13d3c5c0c7f99d5a56d13733937c9483a48617af010c09f521533a5ce0fc1f74c50b86a2/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|12|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|2248|0x6
0|13|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|2175|0xb
0|14|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|2012|0xb
0|15|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|2045|0xc
0|16|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|1166|0x15
0|17|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|519|0x11
0|18|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|97|0xa
0|19|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c5a9878baf35a354cb913b4f06542e233685ea9a|325|0x17
0|20|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c5a9878baf35a354cb913b4f06542e233685ea9a|318|0x8
0|21|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|158|0xd
0|22|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|939|0x11
0|23|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|269|0x5
0|24|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c5a9878baf35a354cb913b4f06542e233685ea9a|325|0x17
0|25|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c5a9878baf35a354cb913b4f06542e233685ea9a|318|0x8
0|26|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|765|0x8
0|27|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|50|0x14
0|28|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c5a9878baf35a354cb913b4f06542e233685ea9a|287|0x11
0|29|libc-2.27.so||||0x21b97
0|30|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:c5a9878baf35a354cb913b4f06542e233685ea9a|164|0x5

Comment 1

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1494030 - Fix an assertion.

We're trying to insert a table caption via an append into a display: contents
element. We pass the content-insertion-frame (the table frame) instead of the
siblings' parent (the table wrapper frame).

This is the right thing to pass though, we adjust the caption parent frame
later, on AdjustCaptionParentFrame, and we ensure that we don't get here for a
non-caption thing because of IsValidSibling (though note that that can actually
lie, see bug 1424656, we'd get the layout wrong if the title element was a
replaced element for example), so a normal append without a previous sibling
will still be correct.

It'd be nice to make this a bit less messy, fwiw, but I don't have the ideas or
the time to do it now.

Comment 2

[Mats Palmgren (inactive)]

Comment on attachment 9012552 [details]
Bug 1494030 - Fix an assertion.

Mats Palmgren (:mats) has approved the revision.

Comment 3

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/910f24a3906f
Fix an assertion. r=mats

Comment 4

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/910f24a3906f