Closed Bug 1524411 Opened 5 years ago Closed 5 years ago

crash near null [@ nsLayoutUtils::GetFirstLinePosition]

Categories

(Core :: Layout: Columns, defect, P3)

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- disabled
firefox67 --- disabled
firefox68 --- disabled
firefox69 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c:
BuildID=20190131093752
SourceStamp=9ee54a21a22ab5beab264bcabe3c8039a27a32e8

==130813==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f81d3e2abc4 bp 0x7ffcb0091a70 sp 0x7ffcb0091900 T0)
==130813==The signal is caused by a READ memory access.
==130813==Hint: address points to the zero page.
    #0 0x7f81d3e2abc3 in get src/layout/base/../../mfbt/RefPtr.h
    #1 0x7f81d3e2abc3 in operator-> src/layout/base/../../mfbt/RefPtr.h:297
    #2 0x7f81d3e2abc3 in StyleDisplay src/layout/style/nsStyleStructList.h:47
    #3 0x7f81d3e2abc3 in nsLayoutUtils::GetFirstLinePosition(mozilla::WritingMode, nsIFrame const*, nsLayoutUtils::LinePosition*) src/layout/base/nsLayoutUtils.cpp:6000
    #4 0x7f81d3e2b8d1 in nsLayoutUtils::GetFirstLinePosition(mozilla::WritingMode, nsIFrame const*, nsLayoutUtils::LinePosition*) src/layout/base/nsLayoutUtils.cpp:6057:11
    #5 0x7f81d3e2af71 in nsLayoutUtils::GetFirstLinePosition(mozilla::WritingMode, nsIFrame const*, nsLayoutUtils::LinePosition*) src/layout/base/nsLayoutUtils.cpp:6075:11
    #6 0x7f81d3f4bb6a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1278:9
    #7 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #8 0x7f81d3f8caf9 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:6125:9
    #9 0x7f81d3ec7a43 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) src/layout/generic/BlockReflowInput.cpp:910:13
    #10 0x7f81d3ec55d9 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) src/layout/generic/BlockReflowInput.cpp:594:14
    #11 0x7f81d420d469 in AddFloat src/layout/generic/nsLineLayout.h:157:22
    #12 0x7f81d420d469 in TryToPlaceFloat src/layout/generic/nsLineLayout.cpp:1477
    #13 0x7f81d420d469 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:926
    #14 0x7f81d3f79e20 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4084:15
    #15 0x7f81d3f77fd1 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3887:5
    #16 0x7f81d3f6cd54 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3772:9
    #17 0x7f81d3f6490b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2791:5
    #18 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #19 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #20 0x7f81d3fbf72a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
    #21 0x7f81d3fc6a89 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:754:7
    #22 0x7f81d3fcf2eb in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
    #23 0x7f81d3fcf2eb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1191
    #24 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #25 0x7f81d3f67b3f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
    #26 0x7f81d3f64975 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
    #27 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #28 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #29 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #30 0x7f81d3f67b3f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
    #31 0x7f81d3f64975 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
    #32 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #33 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #34 0x7f81d3fbf72a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
    #35 0x7f81d3fc6a89 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:754:7
    #36 0x7f81d3fcf2eb in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
    #37 0x7f81d3fcf2eb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1191
    #38 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #39 0x7f81d3f67b3f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
    #40 0x7f81d3f64975 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
    #41 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #42 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #43 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #44 0x7f81d3f67b3f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
    #45 0x7f81d3f64975 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
    #46 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #47 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #48 0x7f81d3fbf72a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
    #49 0x7f81d3fc6a89 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:754:7
    #50 0x7f81d3fce13e in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
    #51 0x7f81d3fce13e in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, bool&, bool&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1097
    #52 0x7f81d3fcf47b in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1198:5
    #53 0x7f81d3f74b0e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #54 0x7f81d3f67b3f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
    #55 0x7f81d3f64975 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
    #56 0x7f81d3f56fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
    #57 0x7f81d3f4b2f7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
    #58 0x7f81d3fbf72a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
    #59 0x7f81d3fbd702 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:731:5
    #60 0x7f81d3fbf72a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
    #61 0x7f81d4119889 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:575:3
    #62 0x7f81d411bbba in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:721:7
    #63 0x7f81d4121e5d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1060:3
    #64 0x7f81d3f2fddf in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:922:14
    #65 0x7f81d3f2eb5b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:314:7
    #66 0x7f81d3c57f81 in nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:8695:11
    #67 0x7f81d3c779b0 in nsIPresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8865:24
    #68 0x7f81d3c74b80 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4187:11
    #69 0x7f81d3da3ed3 in FlushPendingNotifications src/layout/base/nsIPresShell.h:587:5
    #70 0x7f81d3da3ed3 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1016
    #71 0x7f81d7263b45 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6625:21
    #72 0x7f81d725f37e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6422:7
    #73 0x7f81d7268547 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #74 0x7f81cbacdca5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1236:3
    #75 0x7f81cbacc88c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:795:14
    #76 0x7f81cbac8058 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:694:9
    #77 0x7f81cbacab2e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
    #78 0x7f81cbacc3b4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #79 0x7f81c92d9baf in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:575:22
    #80 0x7f81cd31350a in DoUnblockOnload src/dom/base/Document.cpp:7699:18
    #81 0x7f81cd31350a in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7631
    #82 0x7f81cd311f6f in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:4794:3
    #83 0x7f81cd414fcb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
    #84 0x7f81cd414fcb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1125
    #85 0x7f81cd414fcb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #86 0x7f81c9020395 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #87 0x7f81c9060716 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #88 0x7f81c90684dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #89 0x7f81ca32a95f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #90 0x7f81ca2174ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #91 0x7f81ca2174ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #92 0x7f81ca2174ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #93 0x7f81d34edc33 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #94 0x7f81d80a4fae in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #95 0x7f81ca2174ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #96 0x7f81ca2174ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #97 0x7f81ca2174ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #98 0x7f81d80a4103 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
    #99 0x56463ebda874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #100 0x56463ebda874 in main src/browser/app/nsBrowserApp.cpp:265
    #101 0x7f81ed38882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #102 0x56463eaffefc in _start (firefox+0x2defc)
Flags: in-testsuite?
Priority: -- → P3

The crash happens because kid is nullptr in nsLayoutUtils::GetFirstLinePosition https://searchfox.org/mozilla-central/rev/fe7dbedf223c0fc4b37d5bd72293438dfbca6cec/layout/base/nsLayoutUtils.cpp#6321-6323

      nsIFrame* kid = aFrame->PrincipalChildList().FirstChild();
      // If aFrame is fieldset, kid might be a legend frame here, but that's ok.
      if (GetFirstLinePosition(aWM, kid, &kidPosition)) {

The frame tree looks like this.

ColumnSetWrapper(li)(1)@7f1e030fd2e8 parent=7f1e029d2dd0 next=7f1e029d2578 next-in-flow=7f1e029d2578 {0,0,60,11520} vis-overflow=-2880,0,3000,11520 scr-overflow=-2880,0,3000,11520 [state=0182060040c00321] [content=7f1e0341e670] [cs=7f1e03420108]<
  line 7f1e030fd440: count=1 state=block,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x8] {0,5220,60,6300} vis-overflow=0,5220,120,6300 scr-overflow=0,5220,120,6300 <
    ColumnSet(li)(1)@7f1e030fd3a8 parent=7f1e030fd2e8 next=7f1e029d24d0 next-in-flow=7f1e029d24d0 {0,5220,60,6300} vis-overflow=0,0,120,6300 scr-overflow=0,0,120,6300 [state=0082100000000020] [content=7f1e0341e670] [cs=7f1e034205b8:-moz-column-set]<
      Block(li)(1)@7f1e030fd230 parent=7f1e030fd3a8 next=7f1e029d2648 next-in-flow=7f1e029d2648 {0,0,60,6300} vis-overflow=0,0,120,6300 scr-overflow=0,0,120,6300 [state=000210000ad00000] [content=7f1e0341e670] [cs=7f1e034206a8:-moz-column-content]<
        line 7f1e030fd8c0: count=1 state=block,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x108] bm=480 {0,480,120,5340} <
          ColumnSetWrapper(hr)(1)@7f1e030fd670 parent=7f1e030fd230 {0,480,120,5340} [state=0080060008c00220] [content=7f1e0341e700] [cs=7f1e034201f8]<
            line 7f1e030fd7c8: count=1 state=block,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x108] {60,5280,0,0} <
              ColumnSet(hr)(1)@7f1e030fd730 parent=7f1e030fd670 {60,5280,0,0} [state=0080100000000020] [content=7f1e0341e700] [cs=7f1e03420a68:-moz-column-set]<
                Block(hr)(1)@7f1e030fd5b8 parent=7f1e030fd730 {0,0,1,0} [state=0000100000100000] [content=7f1e0341e700] [cs=7f1e03420b58:-moz-column-content]<
                >
              >
            >
          >
        >
        Overflow-lines 0x7f1e029f26c0/0x7f1e029f26d0 <
          line 7f1e030fd910: count=1 state=inline,dirty,prevmargindirty,not impacted,not wrapped,before:nobr,after:nobr[0x103] {0,0,0,0} vis-overflow=0,6285,1920,990 scr-overflow=0,6285,960,990 <
            Text(2)"\nA\n"@7f1e030fd818 parent=7f1e030fd230 {0,6285,960,990} vis-overflow=0,0,1920,990 scr-overflow=0,0,960,990 [state=00010000b0600000] [content=7f1e030f4780] [cs=7f1e03420978:-moz-text] [run=7f1e034fa580][0,3,T]
          >
        >
      >
      Block(li)(1)@7f1e029d2648 parent=7f1e030fd3a8 prev-in-flow=7f1e030fd230 {0,0,0,0} [state=0000100000d00406] [content=7f1e0341e670] [cs=7f1e034206a8:-moz-column-content]<
      >
    >
  >
  line 7f1e030fdcc8: count=1 state=block,dirty,prevmargindirty,not impacted,not wrapped,before:nobr,after:nobr[0xb] {0,0,0,0} <
    ColumnSet(li)(1)@7f1e029d24d0 parent=7f1e030fd2e8 prev-in-flow=7f1e030fd3a8 {0,0,0,0} [state=0000100000000406] [content=7f1e0341e670] [cs=7f1e034205b8:-moz-column-set]<>
  >
  BulletList 0x7f1e030fd8b0 <
    Bullet(_moz_generated_content_marker)(-1)@7f1e030fd508 parent=7f1e030fd2e8 {-2880,5220,2880,990} [state=0100000000000040] [content=7f1e0341e8b0] [cs=7f1e03420888:marker]
  >
>

The outer ColumnSetWrapper(li)(1)@7f1e030fd2e8 asks its first line by calling GetFirstLinePosition. The function recurses down to Block(hr)(1)@7f1e030fd5b8, but finds nothing. So the outer ColumnSetWrapper(li) continues to ask its second line, which contains solely a ColumnSet(li)(1)@7f1e029d24d0. This ColumnSet(li) has no children, so it crashes.

Usually, a ColumnSet always has -moz-column-content anonymous boxes. But in this case, the column tree structure isn't properly set up until we reflow ColumnSetWrapper(li)(1)@7f1e030fd2e8's next-in-flow. (ColumnSetWrapper will pull ColumnSet from its prev-in-flow, and the ColumnSet will pull column content boxes from its prev-in-flow. Then everything is OK.)

I don't think this intermediate column frame tree is a problem. We should just null-check GetFirstLinePosition().
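
The recursion analysed in the comment above, as an added example that is not part of the original bug or of Gecko's source: a simplified model of the frame tree from the dump, walked with and without a null-check on `kid`. All types and function names (`Frame`, `FirstLinePosition`, `Probe`) are hypothetical, the baseline value is constructed, and the `NullDeref` result stands in for the point where the real code dereferenced the null frame; the exact shape of the landed patch is not shown on this page.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Simplified stand-ins for Gecko frame classes; every name here is hypothetical.
enum class Kind { Block, ColumnSet, Text };  // ColumnSetWrapper is modelled as a Block
enum class Result { Found, NotFound, NullDeref };

struct Frame {
  Kind kind;
  int baseline;                              // meaningful for Text frames only
  std::vector<std::unique_ptr<Frame>> kids;  // for a Block: one kid per line

  explicit Frame(Kind k, int b = 0) : kind(k), baseline(b) {}
  const Frame* FirstChild() const { return kids.empty() ? nullptr : kids.front().get(); }
  Frame* Add(Kind k, int b = 0) {
    kids.push_back(std::make_unique<Frame>(k, b));
    return kids.back().get();
  }
};

// Models the recursion described in the bug. NullDeref marks the point where
// the real code read through a null frame pointer (the ASan SEGV).
Result FirstLinePosition(const Frame* f, bool guardKid, int* baselineOut) {
  if (!f) return Result::NullDeref;
  switch (f->kind) {
    case Kind::Text:
      *baselineOut = f->baseline;
      return Result::Found;
    case Kind::ColumnSet: {
      const Frame* kid = f->FirstChild();
      if (guardKid && !kid) return Result::NotFound;  // null-check on kid
      return FirstLinePosition(kid, guardKid, baselineOut);
    }
    case Kind::Block:
      for (const auto& line : f->kids) {
        Result r = FirstLinePosition(line.get(), guardKid, baselineOut);
        if (r != Result::NotFound) return r;
      }
      break;
  }
  return Result::NotFound;
}

// Builds a constructed tree mirroring the dump and probes it.
Result Probe(bool guardKid, bool columnContentPulled, int* baselineOut) {
  Frame wrapperLi(Kind::Block);                       // ColumnSetWrapper(li)
  wrapperLi.Add(Kind::ColumnSet)                      // line 1: ColumnSet(li)
      ->Add(Kind::Block)                              //   Block(li)
      ->Add(Kind::Block)                              //   ColumnSetWrapper(hr)
      ->Add(Kind::ColumnSet)                          //   ColumnSet(hr)
      ->Add(Kind::Block);                             //   Block(hr), no lines
  Frame* emptyCs = wrapperLi.Add(Kind::ColumnSet);    // line 2: childless ColumnSet(li)
  if (columnContentPulled)                            // state after next-in-flow reflow
    emptyCs->Add(Kind::Block)->Add(Kind::Text, 800);  // 800: constructed baseline
  return FirstLinePosition(&wrapperLi, guardKid, baselineOut);
}

int main() {
  int b = -1;
  std::printf("unguarded=%d guarded=%d\n", static_cast<int>(Probe(false, false, &b)),
              static_cast<int>(Probe(true, false, &b)));
  return 0;
}
```

With the guard, the intermediate tree yields "no first line" instead of a null read, and a tree whose column content has been pulled in still reports its baseline.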

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Attachment #9070721 - Attachment description: Bug 1524411 - Null-check aFrame in nsLayoutUtils::GetFirstLinePosition(). r=dholbert → Bug 1524411 - Null-check kid in nsLayoutUtils::GetFirstLinePosition(). r=dholbert
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/5c4c2e634db6
Null-check kid in nsLayoutUtils::GetFirstLinePosition(). r=dholbert
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Flags: in-testsuite? → in-testsuite+