Closed
Bug 1506204
Opened 6 years ago
Closed 6 years ago
crash near null in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]
Categories
(Core :: Layout: Columns, defect, P2)
Core
Layout: Columns
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | --- | fixed |
People
(Reporter: tsmith, Assigned: TYLin)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker][wptsync upstream])
Crash Data
Attachments
(2 files)
Reduced with m-c:
BuildID=20181109100140
SourceStamp=5e7636ec12c5c4543b64428e15165031cff32dc4
This bug popped up over night and is happening frequently.
==75624==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f213043da3b bp 0x7fffb7f5e790 sp 0x7fffb7f5e1e0 T0)
==75624==The signal is caused by a READ memory access.
==75624==Hint: address points to the zero page.
#0 0x7f213043da3a in get src/obj-firefox/dist/include/nsCOMPtr.h:919:48
#1 0x7f213043da3a in operator nsIContent * src/obj-firefox/dist/include/nsCOMPtr.h:927
#2 0x7f213043da3a in GetContent src/layout/generic/nsIFrame.h:701
#3 0x7f213043da3a in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8787
#4 0x7f213043b68a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#5 0x7f2130356ff4 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4612:22
#6 0x7f212a079cf6 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:230:3
#7 0x7f2129ee8840 in nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:2042:5
#8 0x7f212a0038df in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2388:18
#9 0x7f212ac2bed9 in InsertBefore src/obj-firefox/dist/include/nsINode.h:1798:12
#10 0x7f212ac2bed9 in AppendChild src/obj-firefox/dist/include/nsINode.h:1802
#11 0x7f212ac2bed9 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:997
#12 0x7f212cf666a4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3374:13
#13 0x7f21361eb3fd in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#14 0x7f21361eb3fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
#15 0x7f21361d4c1a in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
#16 0x7f21361d4c1a in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3461
#17 0x7f21361b8486 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#18 0x7f21361ebda1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#19 0x7f21361eda22 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
#20 0x7f213528bea6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2975:12
#21 0x7f212c586169 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
#22 0x7f212d7fa159 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#23 0x7f212d7f73e9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
#24 0x7f212d7ab44a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1107:52
#25 0x7f212d7ada47 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1309:15
#26 0x7f212d78f5d6 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#27 0x7f212d78f5d6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:425
#28 0x7f212d78d858 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:642:16
#29 0x7f212d7942b0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1164:11
#30 0x7f2130478e9e in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1167:7
#31 0x7f21336d55c3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7050:21
#32 0x7f21336d0de9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6841:7
#33 0x7f21336d9bf7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#34 0x7f21285941d5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1309:3
#35 0x7f2128592dbc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:852:14
#36 0x7f212858e6f8 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:741:9
#37 0x7f212859104e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:630:5
#38 0x7f21285928e4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#39 0x7f2125f3ad67 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:630:28
#40 0x7f2129f1ea07 in DoUnblockOnload src/dom/base/nsDocument.cpp:8517:18
#41 0x7f2129f1ea07 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8439
#42 0x7f2129ef8ab2 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5332:3
#43 0x7f212a0589cb in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
#44 0x7f212a0589cb in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1197
#45 0x7f212a0589cb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1242
#46 0x7f2125cb4b81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
#47 0x7f2125cbd92d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#48 0x7f2126f2e62f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#49 0x7f2126e2aaee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#50 0x7f2126e2aaee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#51 0x7f2126e2aaee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#52 0x7f212fbf2003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#53 0x7f21341e74d0 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30
#54 0x7f21344b627e in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4789:22
#55 0x7f21344b8b50 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4934:8
#56 0x7f21344ba4d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5026:21
#57 0x563208e2967c in do_main src/browser/app/nsBrowserApp.cpp:233:22
#58 0x563208e2967c in main src/browser/app/nsBrowserApp.cpp:315
#59 0x7f214937e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#60 0x563208d4eeec in _start (firefox+0x2deec)Flags: in-testsuite?
|
Reporter | |
Comment 1•6 years ago
|
||
With a debug build this test case also triggers: Assertion failure: current (No ColumnSetWrapperFrame in a valid column hierarchy?), at src/layout/base/nsCSSFrameConstructor.cpp:622 0|0|libxul.so|GetMultiColumnContainingBlockFor|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|622|0x18 0|1|libxul.so|nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|8773|0x8 0|2|libxul.so|nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|7887|0xb 0|3|libxul.so|mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|4614|0x11 0|4|libxul.so|nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsNodeUtils.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|230|0xf 0|5|libxul.so|nsINode::RemoveChildNode(nsIContent*, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|2042|0xe 0|6|libxul.so|nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:2f1158e5e0ce2523f93482abf6158db058a782a1|2388|0x39 ...
|
||
Updated•6 years ago
|
Flags: needinfo?(aethanyc)
|
Assignee | |
Comment 2•6 years ago
|
||
This is because of Bug 1421105. Will take a look.
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Component: CSS Parsing and Computation → Layout: Columns
Flags: needinfo?(aethanyc)
|
|
Assignee | |
Updated•6 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 3•6 years ago
|
||
|
|
Reporter | |
Updated•6 years ago
|
Blocks: fuzzing-column-span
|
||
Updated•6 years ago
|
Attachment #9024146 -
Attachment description: Bug 1506204 - Jump over placeholder frames when searching for the multi-column container. → Bug 1506204 - Check the in flow frame to determine when to reframe the multicol container.
|
||
Updated•6 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/75ca66f490c3 Check the in flow frame to determine when to reframe the multicol container. r=dbaron
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/14116 for changes under testing/web-platform/tests
Whiteboard: [fuzzblocker] → [fuzzblocker][wptsync upstream]
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/75ca66f490c3
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Upstream PR merged
You need to log in
before you can comment on or make changes to this bug.
Description
•