1514544 - crash at null in [@ ShouldSilentlyDiscardItem]

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

==61293==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa6ea9ca5e0 bp 0x7fffefcdbeb0 sp 0x7fffefcdbd00 T0)
==61293==The signal is caused by a READ memory access.
    #0 0x7fa6ea9ca5df in ShouldSilentlyDiscardItem src/layout/painting/RetainedDisplayListBuilder.cpp:329:20
    #1 0x7fa6ea9ca5df in MergeState::ProcessOldNode(Index<OldListUnits>, nsTArray<Index<MergedListUnits> >&&) src/layout/painting/RetainedDisplayListBuilder.cpp:525
    #2 0x7fa6ea8795ae in MergeState::Finalize() src/layout/painting/RetainedDisplayListBuilder.cpp:461:7
    #3 0x7fa6ea876a7a in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) src/layout/painting/RetainedDisplayListBuilder.cpp:669:21
    #4 0x7fa6ea8784e7 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:363:25
    #5 0x7fa6ea8766e5 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) src/layout/painting/RetainedDisplayListBuilder.cpp:666:31
    #6 0x7fa6ea882a52 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1336:7
    #7 0x7fa6e9e149b5 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3620:40
    #8 0x7fa6e9cad21d in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6011:5
    #9 0x7fa6e9423d0c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:461:19
    #10 0x7fa6e9422b0c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:396:33
    #11 0x7fa6e94285a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1030:5
    #12 0x7fa6e9bf8246 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1901:11
    #13 0x7fa6e9c09ff9 in TickDriver src/layout/base/nsRefreshDriver.cpp:327:13
    #14 0x7fa6e9c09ff9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:304
    #15 0x7fa6e9c099c7 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:321:5
    #16 0x7fa6e9c0ce3f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:726:5
    #17 0x7fa6e9c0ce3f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:646
    #18 0x7fa6e9c0c6eb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:546:9
    #19 0x7fa6ea7286d5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #20 0x7fa6e0fbc8db in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #21 0x7fa6e0bbf6aa in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
    #22 0x7fa6e04339c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2159:21
    #23 0x7fa6e042f34a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2086:9
    #24 0x7fa6e0431551 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1935:3
    #25 0x7fa6e0432417 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1966:13
    #26 0x7fa6df1acd28 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #27 0x7fa6df1b5add in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #28 0x7fa6e043ce04 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
    #29 0x7fa6e032fc3e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #30 0x7fa6e032fc3e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #31 0x7fa6e032fc3e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #32 0x7fa6e9516f33 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #33 0x7fa6edf9143e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #34 0x7fa6e032fc3e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #35 0x7fa6e032fc3e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #36 0x7fa6e032fc3e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #37 0x7fa6edf9048e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #38 0x55b04b23a864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #39 0x55b04b23a864 in main src/browser/app/nsBrowserApp.cpp:265
    #40 0x7fa70325182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x55b04b15feec in _start (firefox+0x2deec)

Comment 1

[Matt Woodrow (:mattwoodrow)]

This got fixed by the backout of bug 1500864. I'm including this crashtest in the fixed version.