crash near null in [@ GetPrevInFlow]
Categories: Core :: Disability Access APIs, defect

Tracking

Branch | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | --- | fixed |

People: Reporter: tsmith, Assigned: eeejay
References: Blocks 1 open bug, Regression
Details: Keywords: crash, regression, testcase
Attachments: 2 files, 1 obsolete file
Reducer with m-c:
BuildID=20190809095611
SourceStamp=36c3240e5cafd7b57146bab3b177bfa47f42bcfa
The attached test case requires "full-screen-api.allow-trusted-requests-only=false"
==58942==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f11f72c64d7 bp 0x7ffc7695a5a0 sp 0x7ffc7695a5a0 T0)
==58942==The signal is caused by a READ memory access.
==58942==Hint: address points to the zero page.
#0 0x7f11f72c64d6 in GetStateBits src/layout/generic/nsIFrame.h:2045:46
#1 0x7f11f72c64d6 in GetPrevInFlow src/layout/generic/nsSplittableFrame.cpp:112
#2 0x7f11f72c64d6 in nsSplittableFrame::FirstInFlow() const src/layout/generic/nsSplittableFrame.cpp:143
#3 0x7f11f73cd238 in nsTableFrame::GetCellMap() const src/layout/tables/nsTableFrame.cpp:642:37
#4 0x7f11f9ceec8f in GetEffectiveColSpanAt src/layout/tables/nsTableWrapperFrame.h:168:46
#5 0x7f11f9ceec8f in mozilla::a11y::HTMLTableAccessible::ColExtentAt(unsigned int, unsigned int) src/accessible/html/HTMLTableAccessible.cpp:621
#6 0x7f11f9ce81e2 in mozilla::a11y::HTMLTableCellAccessible::ColExtent() const src/accessible/html/HTMLTableAccessible.cpp:175:17
#7 0x7f11f9cea60a in mozilla::a11y::HTMLTableHeaderCellAccessible::NativeRole() const src/accessible/html/HTMLTableAccessible.cpp:288:53
#8 0x7f11f9cdc88a in Role src/accessible/generic/Accessible-inl.h:25:30
#9 0x7f11f9cdc88a in mozilla::a11y::HTMLTextFieldAccessible::ContainerWidget() const src/accessible/html/HTMLFormControlAccessible.cpp:396
#10 0x7f11f9c8cf74 in mozilla::a11y::Accessible::State() src/accessible/generic/Accessible.cpp:1247:26
#11 0x7f11f9c14189 in AccTextChangeEvent src/accessible/base/AccEvent.cpp:92:20
#12 0x7f11f9c14189 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) src/accessible/base/NotificationController.cpp:257
#13 0x7f11f9c14c1a in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool) src/accessible/base/EventTree.cpp:86:21
#14 0x7f11f9cb04ca in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*) src/accessible/generic/DocAccessible.cpp:1982:6
#15 0x7f11f9ca883a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2011:5
#16 0x7f11f9ca895a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2017:5
#17 0x7f11f18c778c in nsNodeUtils::NativeAnonymousChildListChange(nsIContent*, bool) src/dom/base/nsNodeUtils.cpp:187:3
#18 0x7f11f15ebe5f in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1844:7
#19 0x7f11f4997ce5 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:461:20
#20 0x7f11f70cf435 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) src/layout/generic/nsFrame.cpp:260:14
#21 0x7f11f6f8b76c in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() src/layout/generic/nsIFrame.h:639:9
#22 0x7f11f71494d4 in Destroy src/layout/generic/nsIFrame.h:657:3
#23 0x7f11f71494d4 in nsFrameList::DestroyFrame(nsIFrame*) src/layout/generic/nsFrameList.cpp:121
#24 0x7f11f72b885d in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:184:11
#25 0x7f11f72507af in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:386:14
#26 0x7f11f700c543 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:328:3
#27 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#28 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#29 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#30 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#31 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#32 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#33 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#34 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#35 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#36 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#37 0x7f11f7044724 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:6082:20
#38 0x7f11f70415d5 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:529:5
#39 0x7f11f70415d5 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5423
#40 0x7f11f6eaac65 in RemoveFrame src/layout/base/nsFrameManager.cpp:116:18
#41 0x7f11f6eaac65 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7709
#42 0x7f11f6e97ab5 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8725:7
#43 0x7f11f6e328f0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1561:25
#44 0x7f11f6e3f365 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3108:9
#45 0x7f11f6dec9b9 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3190:3
#46 0x7f11f6dec9b9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4118
#47 0x7f11f6d763d1 in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
#48 0x7f11f6d763d1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1989
#49 0x7f11f6d86fcf in TickDriver src/layout/base/nsRefreshDriver.cpp:372:13
#50 0x7f11f6d86fcf in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:349
#51 0x7f11f6d86990 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:366:5
#52 0x7f11f6d8a253 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:814:5
#53 0x7f11f6d8a253 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:734
#54 0x7f11f6d8951c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:629:9
#55 0x7f11f766c00b in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#56 0x7f11ef331f85 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#57 0x7f11eee805d1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5637:32
#58 0x7f11ee6eedd6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2184:25
#59 0x7f11ee6e9b3b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2108:9
#60 0x7f11ee6ec0f7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1955:3
#61 0x7f11ee6ecf87 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1986:13
#62 0x7f11ed4e9060 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#63 0x7f11ed4ef478 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#64 0x7f11ee6f81b4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
#65 0x7f11ee5f56e2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#66 0x7f11ee5f56e2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#67 0x7f11ee5f56e2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#68 0x7f11f67f2d09 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#69 0x7f11fa6e553f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#70 0x7f11ee5f56e2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#71 0x7f11ee5f56e2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#72 0x7f11ee5f56e2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#73 0x7f11fa6e4de6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#74 0x556e8582bf13 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#75 0x556e8582bf13 in main src/browser/app/nsBrowserApp.cpp:267
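As an added triage helper (not part of this bug report or of Firefox's own tooling), the script below parses the header and top frames of the AddressSanitizer output above and classifies the fault by address: a READ at 0x58 inside the zero page is a null `this` pointer plus a field offset, i.e. a deterministic crash rather than a sign of attacker-controlled memory corruption. The sample input is constructed from the first lines of the report; the zero-page limit is an assumption matching the usual Linux `vm.mmap_min_addr` default.

```python
import re

# Constructed sample: the first lines of the AddressSanitizer report in this bug.
SAMPLE_REPORT = """\
==58942==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f11f72c64d7 bp 0x7ffc7695a5a0 sp 0x7ffc7695a5a0 T0)
==58942==The signal is caused by a READ memory access.
==58942==Hint: address points to the zero page.
    #0 0x7f11f72c64d6 in GetStateBits src/layout/generic/nsIFrame.h:2045:46
    #1 0x7f11f72c64d6 in GetPrevInFlow src/layout/generic/nsSplittableFrame.cpp:112
    #2 0x7f11f72c64d6 in nsSplittableFrame::FirstInFlow() const src/layout/generic/nsSplittableFrame.cpp:143
    #3 0x7f11f73cd238 in nsTableFrame::GetCellMap() const src/layout/tables/nsTableFrame.cpp:642:37
"""

# Assumption: nothing is mapped below this address (Linux vm.mmap_min_addr is
# commonly 0x10000), so a fault here is NULL plus a small member offset.
ZERO_PAGE_LIMIT = 0x10000

SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Function names may contain spaces ("FirstInFlow() const"); the location is the last token.
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$", re.MULTILINE)


def parse_asan_segv(report: str) -> dict:
    """Extract fault address, access kind and (function, location) frames from an ASan SEGV report."""
    addr = SEGV_RE.search(report)
    access = ACCESS_RE.search(report)
    if not addr or not access:
        raise ValueError("not an AddressSanitizer SEGV report")
    frames = [(fn, loc) for _, fn, loc in FRAME_RE.findall(report)]
    return {"address": int(addr.group(1), 16), "access": access.group(1), "frames": frames}


def classify(parsed: dict) -> dict:
    """Near-null faults are null-dereference crashes; anything else needs a closer look."""
    near_null = parsed["address"] < ZERO_PAGE_LIMIT
    if near_null:
        kind, rating = "null-deref", "low"          # deterministic crash, field offset = address
    else:
        kind, rating = "wild-pointer", "needs-review"  # possibly attacker-influenced pointer
    return {
        "kind": kind,
        "rating": rating,
        "field_offset": parsed["address"] if near_null else None,
        "top_frame": parsed["frames"][0][0] if parsed["frames"] else None,
    }
```

A WRITE at a near-null address is still a crash on such systems, but the access kind is kept in the parsed record so a reviewer can weight it separately.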
Comment 1 • 5 years ago
Seems like a regression from bug 686400.
Why is ContentRemoved relying on frame tree state? The frame tree is probably mid-destruction at that point.
Comment 2 • 5 years ago (Assignee)
Going to try to repro and fix.
Looks like this happens because we stopped removing the accessible subtree earlier.
Comment 3 • 5 years ago (Assignee)
The thing that is a bit puzzling about this bug is that we get notified via the dom mutation observer of the removed anonymous nodes during the destruction of the frame tree. I guess we should stop using the observer, but maybe more generally should the mutation observer be called during frame reconstruction?
Comment 4 • 5 years ago (Assignee)
The DOM mutation observer method is called during frame destruction, which is not a good state to be in when constructing and dispatching events.
Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/067d47e20a94 Explicitly check for removed anonymous children in reframe. r=Jamie
Comment 6 • 5 years ago
Backed out changeset 067d47e20a94 (Bug 1572811) for causing failures in CharacterData.cpp CLOSED TREE
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261828849&repo=autoland&lineNumber=4481
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261834309&repo=autoland&lineNumber=3575
Backout: https://hg.mozilla.org/integration/autoland/rev/7f41e2dd2f998cbb4f533a8fec9046e7b8aeb147
Comment 7 • 5 years ago (Assignee)
Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b47aa54a3dad Don't fire text change events if container accessible has no frame. r=Jamie
Comment 10 • 5 years ago
Is this something we can land an automated test for?
Comment 11 • 5 years ago (Assignee)
I'll just add the test case as a crash test.