Closed Bug 1554824 Opened 6 years ago Closed 5 years ago

crash near null in [@ nsSplittableFrame::GetNextInFlow]

Categories

(Core :: Layout: Block and Inline, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1575106
Tracking Status
firefox69 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Reduced with m-c:
BuildID=20190527141836
SourceStamp=944c410b7e9185a0cb90a4fbc0970299f1ff3e2b

Testcase requires layout.css.column-span.enabled=true

==6439==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x7f0dbc102872 bp 0x7ffce72dfea0 sp 0x7ffce72dfe90 T0)
==6439==The signal is caused by a READ memory access.
==6439==Hint: address points to the zero page.
    #0 0x7f0dbc102871 in nsSplittableFrame::GetNextInFlow() const src/layout/generic/nsSplittableFrame.cpp:127:10
    #1 0x7f0dbbdc279e in FindValidLine src/layout/generic/nsBlockFrame.cpp:5899:51
    #2 0x7f0dbbdc279e in nsBlockInFlowLineIterator::Next() src/layout/generic/nsBlockFrame.cpp:5859
    #3 0x7f0dbbce47b0 in BidiParagraphData::AdvanceLineIteratorToFrame(nsIFrame*, nsBlockInFlowLineIterator*, nsIFrame*&) src/layout/base/nsBidiPresUtils.cpp:343:22
    #4 0x7f0dbbb72d22 in BidiParagraphData::AppendFrame(nsIFrame*, nsBlockInFlowLineIterator*, nsIContent*) src/layout/base/nsBidiPresUtils.cpp:239:5
    #5 0x7f0dbbb6ab88 in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) src/layout/base/nsBidiPresUtils.cpp:1079:13
    #6 0x7f0dbbb67e04 in nsBidiPresUtils::Resolve(nsBlockFrame*) src/layout/base/nsBidiPresUtils.cpp:703:5
    #7 0x7f0dbbda5fe8 in ResolveBidi src/layout/generic/nsBlockFrame.cpp:7437:10
    #8 0x7f0dbbda5fe8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1293
    #9 0x7f0dbbe19ac2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #10 0x7f0dbbe20b3f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:762:7
    #11 0x7f0dbbe28c25 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:37
    #12 0x7f0dbbe28c25 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1201
    #13 0x7f0dbbdd3014 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #14 0x7f0dbbdc5138 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3660:11
    #15 0x7f0dbbdc16b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3052:5
    #16 0x7f0dbbdb2e9d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2594:7
    #17 0x7f0dbbda6904 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1334:3
    #18 0x7f0dbbe19ac2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #19 0x7f0dbbdaf2aa in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, nsOverflowAreas&, unsigned int, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*)) src/layout/generic/nsContainerFrame.cpp:1140:7
    #20 0x7f0dbbda60f4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1299:5
    #21 0x7f0dbbe19ac2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #22 0x7f0dbbe20b3f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:762:7
    #23 0x7f0dbbe28c25 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:37
    #24 0x7f0dbbe28c25 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1201
    #25 0x7f0dbbdd3014 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #26 0x7f0dbbdc5138 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3660:11
    #27 0x7f0dbbdc16b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3052:5
    #28 0x7f0dbbdb2e9d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2594:7
    #29 0x7f0dbbda6904 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1334:3
    #30 0x7f0dbbe19ac2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #31 0x7f0dbbe17977 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:730:5
    #32 0x7f0dbbe19ac2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #33 0x7f0dbbf6c7b9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:562:3
    #34 0x7f0dbbf6e137 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:675:3
    #35 0x7f0dbbf76484 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1077:3
    #36 0x7f0dbbd8d093 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:932:14
    #37 0x7f0dbbd8bc58 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:307:7
    #38 0x7f0dbbabfe8f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9252:11
    #39 0x7f0dbbae10b0 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9422:24
    #40 0x7f0dbbade1c0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4231:11
    #41 0x7f0dbba4343a in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1453:5
    #42 0x7f0dbba4343a in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1979
    #43 0x7f0dbba588c9 in TickDriver src/layout/base/nsRefreshDriver.cpp:349:13
    #44 0x7f0dbba588c9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:326
    #45 0x7f0dbba58162 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:343:5
    #46 0x7f0dbba5c69f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:789:5
    #47 0x7f0dbba5c69f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:709
    #48 0x7f0dbba5b6f3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:604:9
    #49 0x7f0dbc5d0985 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #50 0x7f0db2a9b2a4 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
    #51 0x7f0db261ccf5 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:4717:32
    #52 0x7f0db1e51a26 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2158:25
    #53 0x7f0db1e4d43b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2082:9
    #54 0x7f0db1e4f9f7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1939:3
    #55 0x7f0db1e50787 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1970:13
    #56 0x7f0db0a7e517 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1176:14
    #57 0x7f0db0a86154 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #58 0x7f0db1e5ae34 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
    #59 0x7f0db1d3337e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #60 0x7f0db1d3337e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #61 0x7f0db1d3337e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #62 0x7f0dbb360733 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #63 0x7f0dbf98484e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #64 0x7f0db1d3337e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #65 0x7f0db1d3337e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #66 0x7f0db1d3337e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #67 0x7f0dbf9839bc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #68 0x55c74045d72e in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #69 0x55c74045d72e in main src/browser/app/nsBrowserApp.cpp:263
    #70 0x7f0dd53d582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
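The trace above is the raw material a fuzzing triage pipeline has to bucket: a READ of address 0x78, which ASAN flags as the zero page, i.e. a field read through a null base pointer, with nsSplittableFrame::GetNextInFlow as the top frame. As an added example, not part of this bug report and not Firefox's or the reporter's own tooling, here is a small Python parser that pulls the faulting address, the access type and the frames out of an ASAN SEGV report and produces the same "crash near null in [@ ...]" summary used in this bug's title. The 64 KiB near-null threshold and the constructed sample excerpt (copied from the first frames of the trace above) are the example's own assumptions.

```python
"""Classify an AddressSanitizer SEGV report as a near-null dereference.

Added example for triage, not code from the bug report or from Firefox.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: anything below this address is "near null". On Linux the low
# region (vm.mmap_min_addr, commonly 64 KiB) cannot be mapped, so a small
# faulting address means a NULL base plus a field offset, not a wild pointer.
NEAR_NULL_LIMIT = 0x10000

_SEGV_RE = re.compile(r"ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s*$")
_LOCATION_RE = re.compile(r":\d+(?::\d+)?$")  # path:line or path:line:col


@dataclass
class Frame:
    index: int
    function: str            # full symbol, may contain spaces ("() const")
    location: Optional[str]  # source location when the frame has one


@dataclass
class SegvReport:
    address: int
    access: Optional[str]
    frames: List[Frame]

    @property
    def near_null(self) -> bool:
        return self.address < NEAR_NULL_LIMIT

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def signature(self) -> str:
        """Bugzilla-style summary: 'crash near null in [@ Class::Method]'."""
        kind = "crash near null" if self.near_null else "crash"
        fn = self.top_frame.function if self.top_frame else "<unknown>"
        return f"{kind} in [@ {fn.split('(', 1)[0]}]"


def _parse_frame(line: str) -> Optional[Frame]:
    m = _FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(2)
    # The location is the last whitespace-separated token when it looks like
    # file:line[:col]; everything before it is the symbol, which can itself
    # contain spaces (parameter lists, a trailing "const").
    func, loc = rest, None
    parts = rest.rsplit(None, 1)
    if len(parts) == 2 and _LOCATION_RE.search(parts[1]):
        func, loc = parts
    return Frame(int(m.group(1)), func, loc)


def parse_asan_segv(report: str) -> SegvReport:
    """Parse the header and frames of an ASAN SEGV report (==PID== prefixed)."""
    address: Optional[int] = None
    access: Optional[str] = None
    frames: List[Frame] = []
    for line in report.splitlines():
        m = _SEGV_RE.search(line)
        if m and address is None:
            address = int(m.group(1), 16)
            continue
        m = _ACCESS_RE.search(line)
        if m and access is None:
            access = m.group(1)
            continue
        frame = _parse_frame(line)
        if frame is not None:
            frames.append(frame)
    if address is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    frames.sort(key=lambda f: f.index)
    return SegvReport(address, access, frames)


# Constructed sample: the header and first three frames of the trace in this bug.
SAMPLE_REPORT = """\
==6439==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x7f0dbc102872 bp 0x7ffce72dfea0 sp 0x7ffce72dfe90 T0)
==6439==The signal is caused by a READ memory access.
==6439==Hint: address points to the zero page.
    #0 0x7f0dbc102871 in nsSplittableFrame::GetNextInFlow() const src/layout/generic/nsSplittableFrame.cpp:127:10
    #1 0x7f0dbbdc279e in FindValidLine src/layout/generic/nsBlockFrame.cpp:5899:51
    #2 0x7f0dbbdc279e in nsBlockInFlowLineIterator::Next() src/layout/generic/nsBlockFrame.cpp:5859
"""

if __name__ == "__main__":
    r = parse_asan_segv(SAMPLE_REPORT)
    print(r.signature(), f"({r.access} at {r.address:#x}, offset from NULL)")
```

A near-null read like this one is a reliability bug rather than a memory-safety primitive: the low region is unmapped, so the access faults deterministically instead of reading attacker-influenced memory. The same parser applied to a report whose address is not in that region yields a plain "crash in [@ ...]" signature, which is the case that warrants a closer exploitability look.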

ResolveBidi is in the crash stack. Maybe fixing bug 1524431 can fix this as well.

Priority: -- → P3
See Also: → 1524431

Sadly, the proposed patches in bug 1524431 don't help.

Loading the test case in a debug build yields the following assertions.

[8205, Main Thread] ###!!! ASSERTION: Can't find frame in lines!: 'hasNext', file /home/tlin/Projects/gecko/layout/base/nsBidiPresUtils.cpp, line 344
Assertion failure: mCurrent != mListLink (running past end), at /home/tlin/Projects/gecko/layout/generic/nsLineBox.h:751
See Also: 1524431

In a debug build, the patches for bug 1300293 change what the first assertion is; I haven't checked what their effect in a non-debug build is.

This is fixed by bug 1575106, and the testcase is added as a crashtest in bug 1575106 Part 4.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE