Closed Bug 1534754 Opened 5 years ago Closed 5 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10272:9 in nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, mozilla::ReflowOutput&, gfxContext*, int, int, int, int, bool)

Categories

(DevTools :: Inspector: Layout, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1533424

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 4d15e90af575.

==31307==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7ff06e54f90c bp 0x7fff3d411630 sp 0x7fff3d411140 T0)
==31307==The signal is caused by a WRITE memory access.
==31307==Hint: address points to the zero page.
#0 0x7ff06e54f90b in nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, mozilla::ReflowOutput&, gfxContext*, int, int, int, int, bool) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10272:9
#1 0x7ff06e5511b8 in nsFrame::DoXULLayout(nsBoxLayoutState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10003:5
#2 0x7ff06ea34722 in XULLayout /builds/worker/workspace/build/src/layout/xul/nsBox.cpp:301:8
#3 0x7ff06ea34722 in nsBoxFrame::LayoutChildAt(nsBoxLayoutState&, nsIFrame*, nsRect const&) /builds/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1182
#4 0x7ff06e59cb2a in mozilla::ScrollFrameHelper::LayoutScrollbars(nsBoxLayoutState&, nsRect const&, nsRect const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:5940:7
#5 0x7ff06e59a828 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1138:15
#6 0x7ff06e3b38ff in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:929:14
#7 0x7ff06e3b24e4 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:307:7
#8 0x7ff06e0eea9b in nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9135:11
#9 0x7ff06e10e410 in nsIPresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9305:24
#10 0x7ff06e10b4bf in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4170:11
#11 0x7ff06e2354d2 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:573:5
#12 0x7ff06e2354d2 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1013
#13 0x7ff0710cec6c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6560:21
#14 0x7ff0710cdd98 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6361:7
#15 0x7ff0710d3907 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#16 0x7ff065ec4ac5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
#17 0x7ff065ec36ac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:872:14
#18 0x7ff065ebdce1 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:710:9
#19 0x7ff065ec1900 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
#20 0x7ff065ec31d4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#21 0x7ff06368bce7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#22 0x7ff0676e741a in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7727:18
#23 0x7ff0676e741a in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7659
#24 0x7ff0676e5e7f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4804:3
#25 0x7ff0677e9b7b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#26 0x7ff0677e9b7b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#27 0x7ff0677e9b7b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#28 0x7ff0633ccd25 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#29 0x7ff06340c5b1 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#30 0x7ff0634149bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#31 0x7ff0646b801f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#32 0x7ff06458c8ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#33 0x7ff06458c8ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#34 0x7ff06458c8ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#35 0x7ff06d9a03b3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#36 0x7ff071f32a8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#37 0x7ff06458c8ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#38 0x7ff06458c8ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#39 0x7ff06458c8ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#40 0x7ff071f31be3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#41 0x5618dc156874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#42 0x5618dc156874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#43 0x7ff086bddb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE