Closed Bug 1524672 Opened 6 years ago Closed 6 years ago

crash near null in [@ RemoveFrame]

Categories

(Core :: Layout: Columns, defect, P3)

Tracking

()

RESOLVED DUPLICATE of bug 1524382
Tracking Status
firefox67 --- disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
==41899==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fc4d3ec6a8f bp 0x7ffef7c8f590 sp 0x7ffef7c8f120 T0)
==41899==The signal is caused by a READ memory access.
==41899==Hint: address points to the zero page.
    #0 0x7fc4d3ec6a8e in SetNextSibling src/layout/generic/nsIFrame.h:1637:9
    #1 0x7fc4d3ec6a8e in RemoveFrame src/layout/generic/nsFrameList.cpp:81
    #2 0x7fc4d3ec6a8e in nsFrameList::DestroyFrame(nsIFrame*) src/layout/generic/nsFrameList.cpp:120
    #3 0x7fc4d4068b53 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:179:11
    #4 0x7fc4d3ec5ea9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #5 0x7fc4d3d2366f in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #6 0x7fc4d3ec5a9c in Destroy src/layout/generic/nsIFrame.h:647:5
    #7 0x7fc4d3ec5a9c in nsFrameList::DestroyFrames() src/layout/generic/nsFrameList.cpp:41
    #8 0x7fc4d3b4c7e7 in nsCSSFrameConstructor::MaybeRecreateForColumnSpan(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10922:16
    #9 0x7fc4d3b45c51 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6876:7
    #10 0x7fc4d3aab837 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1447:27
    #11 0x7fc4d3abe033 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3073:9
    #12 0x7fc4d3a57c6b in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3145:3
    #13 0x7fc4d3a57c6b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4140
    #14 0x7fc4cd119873 in FlushPendingNotifications src/layout/base/nsIPresShell.h:595:5
    #15 0x7fc4cd119873 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:7064
    #16 0x7fc4cb8ababa in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:648:14
    #17 0x7fc4cb8aeb2e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
    #18 0x7fc4cb8b03b4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #19 0x7fc4c90bdbaf in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:575:22
    #20 0x7fc4cd0f750a in DoUnblockOnload src/dom/base/Document.cpp:7699:18
    #21 0x7fc4cd0f750a in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7631
    #22 0x7fc4cd0f5f6f in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:4794:3
    #23 0x7fc4cd1f8fcb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
    #24 0x7fc4cd1f8fcb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1125
    #25 0x7fc4cd1f8fcb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #26 0x7fc4c8e04395 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #27 0x7fc4c8e44716 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #28 0x7fc4c8e4c4dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #29 0x7fc4ca10e95f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #30 0x7fc4c9ffb4ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #31 0x7fc4c9ffb4ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #32 0x7fc4c9ffb4ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #33 0x7fc4d32d1c33 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #34 0x7fc4d7e88fae in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #35 0x7fc4c9ffb4ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #36 0x7fc4c9ffb4ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #37 0x7fc4c9ffb4ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #38 0x7fc4d7e88103 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
    #39 0x56031aef3874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #40 0x56031aef3874 in main src/browser/app/nsBrowserApp.cpp:265
Flags: in-testsuite?

Calling nsFrameList::DestroyFrame in MaybeRecreateForColumnSpan. I think this is the same as bug 1524382.

Status: NEW → RESOLVED
Closed: 6 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE