Closed Bug 1516739 Opened 6 years ago Closed 6 years ago

crash at null in [@ nsAbsoluteContainingBlock::SetInitialChildList]

Categories

(Core :: Layout: Columns, defect, P2)

Product:
Core
Component:
Layout: Columns
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- disabled
firefox66 --- disabled
firefox67 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

testcase.html
164 bytes, text/html
Details
1516739.html
233 bytes, text/html
Details
Bug 1516739 - Stop reparenting absolute/fixed positioned blocks when constructing multicol container.
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html 
==5752==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8828adde8e bp 0x7ffd21b4bcb0 sp 0x7ffd21b4bcb0 T0)
==5752==The signal is caused by a WRITE memory access.
==5752==Hint: address points to the zero page.
    #0 0x7f8828adde8d in SetFrames src/layout/generic/nsFrameList.h
    #1 0x7f8828adde8d in nsAbsoluteContainingBlock::SetInitialChildList(nsIFrame*, mozilla::layout::FrameChildListID, nsFrameList&) src/layout/generic/nsAbsoluteContainingBlock.cpp:53
    #2 0x7f88288bbfe4 in nsFrameConstructorState::ProcessFrameInsertions(nsAbsoluteItems&, mozilla::layout::FrameChildListID) src/layout/base/nsCSSFrameConstructor.cpp:1309:54
    #3 0x7f88288bdb6e in ~nsFrameConstructorSaveState src/layout/base/nsCSSFrameConstructor.cpp:1412:13
    #4 0x7f88288bdb6e in nsFrameConstructorState::ReparentAbsoluteItems(nsContainerFrame*) src/layout/base/nsCSSFrameConstructor.cpp:1138
    #5 0x7f8828928fcb in nsCSSFrameConstructor::CreateColumnSpanSiblings(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10821:16
    #6 0x7f88288d584b in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) src/layout/base/nsCSSFrameConstructor.cpp:10600:36
    #7 0x7f88288e844b in ConstructNonScrollableBlockWithConstructor src/layout/base/nsCSSFrameConstructor.cpp:4583:3
    #8 0x7f88288e844b in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4554
    #9 0x7f88288e34d2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3614:16
    #10 0x7f88288f1639 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5672:3
    #11 0x7f88288c9a5a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9496:5
    #12 0x7f88289047ae in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6803:3
    #13 0x7f882886fe37 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1398:27
    #14 0x7f8828881733 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2974:9
    #15 0x7f882882009a in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3046:3
    #16 0x7f882882009a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4102
    #17 0x7f882215fb1e in FlushPendingNotifications src/layout/base/nsIPresShell.h:575:5
    #18 0x7f882215fb1e in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7090
    #19 0x7f88206e6e6a in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:647:14
    #20 0x7f88206e9d5e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
    #21 0x7f88206eb5e4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #22 0x7f881df8972f in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:579:22
    #23 0x7f8822165d87 in DoUnblockOnload src/dom/base/nsDocument.cpp:7728:18
    #24 0x7f8822165d87 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:7660
    #25 0x7f882213f8e9 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:4829:3
    #26 0x7f882229994b in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1106:12
    #27 0x7f882229994b in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1112
    #28 0x7f882229994b in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1158
    #29 0x7f881dcd15b5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #30 0x7f881dd0e9f8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #31 0x7f881dd177ad in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #32 0x7f881efa121f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #33 0x7f881ee9378e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #34 0x7f881ee9378e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #35 0x7f881ee9378e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #36 0x7f88280afb43 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #37 0x7f882cb5575e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #38 0x7f881ee9378e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #39 0x7f881ee9378e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #40 0x7f881ee9378e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #41 0x7f882cb547ae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #42 0x5631fe884864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #43 0x5631fe884864 in main src/browser/app/nsBrowserApp.cpp:265
    #44 0x7f88416e8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #45 0x5631fe7a9eec in _start (firefox+0x2deec)
Flags: in-testsuite?
Priority: -- → P2
Blocks: fuzzing-column-span, 1421105
Flags: needinfo?(aethanyc)
Attached file 1516739.html

The test case in comment 0 uses CSS "scale", so it requires "layout.css.individual-transform.enabled=true" to reproduce the crash.

I simplified the test case by using "transform: scale()", so we don't need to flip the pref.

Basically, to reproduce the crash, we need

  1. "transform" style on the multi-column containing block.
  2. A column-span followed by an absolute block.
Flags: needinfo?(aethanyc)
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
The crash happens because we try to reparent the absolute blocks to the
non-column-span wrapper's absolute list when the ColumnSetWrapperFrame
has "transform" style.

However, in AdjustAbsoluteContainingBlock() called by
PushAbsoluteContainingBlock(), it finds the first continuation as the
absolute containing block, but the first
continuation (::-moz-column-content) is not mark as an absolute
containing block. It's the outer ColumnSetWrapperFrame that is marked as
an absolute containing block.

This patch fixed only the bogus setup. It doesn't attempt to solve the
correctness of the absolute positioning in a containing block that was
split by a column-span, which should be fixed in bug 1491727.
Blocks: 1520722
Attachment #9036999 - Attachment description: Bug 1516739 - Stop reparenting absolute blocks to the non-column-span wrapper siblings's absolute list. → Bug 1516739 - Stop reparenting absolute/fixed positioned blocks when constructing multicol container.
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/56db0b66845e
Stop reparenting absolute/fixed positioned blocks when constructing multicol container. r=dbaron

https://hg.mozilla.org/mozilla-central/rev/56db0b66845e

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/15147 for changes under testing/web-platform/tests
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: