Closed Bug 1528089 Opened 1 year ago Closed 1 year ago

crash near null in [@ RemoveFrame]

Categories

(Core :: Layout: Columns, defect)

Tracking

RESOLVED DUPLICATE of bug 1524382
Tracking Status: firefox67 --- disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

Attached file testcase.html

==56879==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f7ed4d43fdf bp 0x7ffd0b538fc0 sp 0x7ffd0b538b40 T0)
==56879==The signal is caused by a READ memory access.
==56879==Hint: address points to the zero page.
    #0 0x7f7ed4d43fde in SetNextSibling src/layout/generic/nsIFrame.h:1640:9
    #1 0x7f7ed4d43fde in RemoveFrame src/layout/generic/nsFrameList.cpp:81
    #2 0x7f7ed4d43fde in nsFrameList::DestroyFrame(nsIFrame*) src/layout/generic/nsFrameList.cpp:120
    #3 0x7f7ed4ee34c0 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:180:11
    #4 0x7f7ed4e770bd in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
    #5 0x7f7ed4bb146a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:327:3
    #6 0x7f7ed4e770bd in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
    #7 0x7f7ed4bb146a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:327:3
    #8 0x7f7ed4d42ff5 in Destroy src/layout/generic/nsIFrame.h:652:5
    #9 0x7f7ed4d42ff5 in nsFrameList::DestroyFrames() src/layout/generic/nsFrameList.cpp:41
    #10 0x7f7ed49e7a0a in nsCSSFrameConstructor::MaybeRecreateForColumnSpan(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10916:16
    #11 0x7f7ed49e129b in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6870:7
    #12 0x7f7ed494d1c7 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1448:27
    #13 0x7f7ed495e453 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3076:9
    #14 0x7f7ed48f74fb in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3148:3
    #15 0x7f7ed48f74fb in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4121
    #16 0x7f7ecdf97fb3 in FlushPendingNotifications src/layout/base/nsIPresShell.h:581:5
    #17 0x7f7ecdf97fb3 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:7071
    #18 0x7f7ecc7173f0 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:648:14
    #19 0x7f7ecc71a38e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
    #20 0x7f7ecc71bc14 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #21 0x7f7ec9f6616f in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:575:22
    #22 0x7f7ecdf75c4a in DoUnblockOnload src/dom/base/Document.cpp:7714:18
    #23 0x7f7ecdf75c4a in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7646
    #24 0x7f7ecdf746bb in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:4801:3
    #25 0x7f7ece07722b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
    #26 0x7f7ece07722b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1125
    #27 0x7f7ece07722b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #28 0x7f7ec9cad7b5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:292:32
    #29 0x7f7ec9cec9a6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1162:14
    #30 0x7f7ec9cf484d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #31 0x7f7ecaf79c8f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #32 0x7f7ecae6415e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #33 0x7f7ecae6415e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #34 0x7f7ecae6415e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #35 0x7f7ed41808a3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #36 0x7f7ed8d12e9e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #37 0x7f7ecae6415e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7f7ecae6415e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7f7ecae6415e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7f7ed8d11ff3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
    #41 0x55eb5d983874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #42 0x55eb5d983874 in main src/browser/app/nsBrowserApp.cpp:265
    #43 0x7f7eee0b082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #44 0x55eb5d8a8efc in _start (firefox+0x2defc)
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1524382