Bug 1513282 - Crash [@ MOZ_CrashOOL] near nsFrame::DoGetParentComputedStyle(nsIFrame**) const src/layout/generic/nsFrame.cpp:9972:13
Status: Closed, RESOLVED FIXED
Opened 6 years ago
Closed 5 years ago
Categories: Core :: Layout, defect, P3
Target Milestone: mozilla71
People: Reporter: jkratzer, Assigned: emilio
References: Blocks 1 open bug
Keywords: crash, regression, testcase
Attachments: 2 files
Description
Testcase found while fuzzing mozilla-central rev 0132b59bb093.
==20807==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fda3548dc2e bp 0x7ffe25902b90 sp 0x7ffe25902b90 T0)
==20807==The signal is caused by a WRITE memory access.
==20807==Hint: address points to the zero page.
#0 0x7fda3548dc2d in MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:311:3
#1 0x7fda3548dbea in GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5349:3
#2 0x7fda3740274a in gkrust_shared::panic_hook::h577176513f96817f src/toolkit/library/rust/shared/lib.rs:234:8
#3 0x7fda37402688 in core::ops::function::Fn::call::h82a5285a736af5e0 src/libcore/ops/function.rs:78:4
#4 0x7fda37b4e758 in std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16
#5 0x7fda37b4e54d in std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4
#6 0x7fda37b50755 in rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4
#7 0x7fda37b620bb in core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13
#8 0x7fda37b621d1 in core::option::expect_failed::h4c79c3aae6612643 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/option.rs:1000:4
#9 0x7fda3783e5a3 in _$LT$core..option..Option$LT$T$GT$$GT$::expect::h13bd5ccc44bbd1c2 src/libcore/option.rs:312:20
#10 0x7fda3783e5a3 in Servo_Element_IsDisplayContents src/servo/ports/geckolib/glue.rs:1301
#11 0x7fda315ec4b6 in nsFrame::DoGetParentComputedStyle(nsIFrame**) const src/layout/generic/nsFrame.cpp:9972:13
#12 0x7fda3121ebc0 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) src/layout/base/RestyleManager.cpp:3536:13
#13 0x7fda314ec071 in nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState&) src/layout/generic/nsBlockFrame.cpp:7631:16
#14 0x7fda312177a3 in UpdateFramePseudoElementStyles src/layout/base/RestyleManager.cpp:2598:41
#15 0x7fda312177a3 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2914
#16 0x7fda3121afaf in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3093:28
#17 0x7fda311bb73a in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3187:3
#18 0x7fda311bb73a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4358
#19 0x7fda2abc5ede in FlushPendingNotifications src/layout/base/nsIPresShell.h:591:5
#20 0x7fda2abc5ede in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7790
#21 0x7fda2918e27a in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:695:14
#22 0x7fda2919116e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
#23 0x7fda291929f4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#24 0x7fda26aac1c7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:628:28
#25 0x7fda2abcc0d7 in DoUnblockOnload src/dom/base/nsDocument.cpp:8492:18
#26 0x7fda2abcc0d7 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8414
#27 0x7fda30fb491a in UnblockOnload src/layout/style/Loader.cpp:2679:16
#28 0x7fda30fb491a in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) src/layout/style/Loader.cpp:342
#29 0x7fda30fb4c44 in AfterProcessNextEvent src/layout/style/Loader.cpp:317:3
#30 0x7fda30fb4c44 in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) src/layout/style/Loader.cpp
#31 0x7fda26824586 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1292:3
#32 0x7fda2682c6dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#33 0x7fda27aa840f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#34 0x7fda2799fbae in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#35 0x7fda2799fbae in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#36 0x7fda2799fbae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#37 0x7fda30a41fd3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#38 0x7fda35494a5e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:951:22
#39 0x7fda2799fbae in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#40 0x7fda2799fbae in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#41 0x7fda2799fbae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#42 0x7fda35493aae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:777:34
#43 0x55695e0d1864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#44 0x55695e0d1864 in main src/browser/app/nsBrowserApp.cpp:287
#45 0x7fda49edeb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#46 0x55695dff6eec in _start (/home/worker/firefox-asan/firefox+0x2deec)
Flags: in-testsuite?
Updated•6 years ago (Assignee)
Flags: needinfo?(emilio)
Comment 1•6 years ago (Assignee)
This is fundamentally the same issue as bug 1422838.
Depends on: 1465474
Flags: needinfo?(emilio)
Comment 2•6 years ago
Emilio -- Can we dup this to bug 1422838?
Flags: needinfo?(emilio)
Priority: -- → P3
Comment 3•6 years ago (Assignee)
We could, though then we'd need to remember to test this test-case as well when we fix it.
If we keep it as dependent we get an extra email notification which is nice, but I'm fine with duping it if you prefer, no strong opinion really.
Flags: needinfo?(emilio)
Comment 4•5 years ago
This test case is now hitting:
Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayContents on unstyled element) at src/libcore/option.rs:1034
#01: static void core::ops::function::Fn::call<fn(core::panic::PanicInfo*),(core::panic::PanicInfo*)>( * *, struct core::panic::PanicInfo *) [git:github.com/rust-lang/rust:src/libcore/ops/function.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:69]
#02: void std::panicking::rust_panic_with_hook() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:484]
#03: static void std::panicking::continue_panic_fmt() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:384]
#04: void std::panicking::rust_begin_panic() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:311]
#05: void core::panicking::panic_fmt() [git:github.com/rust-lang/rust:src/libcore/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:85]
#06: void core::option::expect_failed() [git:github.com/rust-lang/rust:src/libcore/option.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:1034]
#07: bool geckoservo::glue::Servo_Element_IsDisplayContents(struct style::gecko_bindings::structs::root::mozilla::dom::Element *) [servo/ports/geckolib/glue.rs:1279]
#08: nsFrame::DoGetParentComputedStyle(nsIFrame * *) [layout/generic/nsFrame.cpp:9915]
#09: mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame *,mozilla::ServoStyleSet &) [layout/base/RestyleManager.cpp:3510]
#10: nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState &) [layout/generic/nsBlockFrame.cpp:0]
#11: mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element *,mozilla::ComputedStyle *,mozilla::ServoRestyleState &,mozilla::ServoPostTraversalFlags) [layout/base/RestyleManager.cpp:2908]
#12: mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) [layout/base/RestyleManager.cpp:3087]
#13: mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [layout/base/PresShell.cpp:4112]
#14: mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) [dom/base/Document.cpp:10033]
Updated•5 years ago (Assignee)
Flags: needinfo?(emilio)
Comment 5•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
Updated•5 years ago (Assignee)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Comment 6•5 years ago (Assignee)
... where we've lost track of the display: contents style already since the
ancestor has become display: none, but the first-line belongs to a higher
ancestor that hasn't. Pretty nasty.
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e2c380c58e7
Don't crash in some first-line + display: contents edge cases. r=heycam
Comment 8•5 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Updated•5 years ago
status-firefox67:
--- → wontfix
status-firefox68:
--- → wontfix
status-firefox69:
--- → wontfix
status-firefox70:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
Updated•1 year ago