Open Bug 1574303 Opened 8 months ago Updated 7 months ago

crash near null [@ mozilla::FrameLayerBuilder::WillEndTransaction]

Categories

(Core :: Web Painting, defect, P3)

Unspecified
Android
defect

Tracking

()

Tracking Status
firefox70 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Found with m-c 20190717-4d6f456872e1

The attached test case only reproduces the issue on Android and may take a few attempts. It has been verified reproducable with m-c: 20190813-eff8c62bdeb7

eip = 0xcb90da50   esp = 0xd13fa100   ebp = 0xd13fa148   ebx = 0xd07dddb8
esi = 0xab67e000   edi = 0xd13fa2a0   eax = 0x5154daf5   ecx = 0x00000000
edx = 0xd141f600   efl = 0x00210286
OS|Android|0.0.0 Linux 4.4.124+ #1 SMP PREEMPT Wed Jan 30 07:13:09 UTC 2019 i686
CPU|x86|GenuineIntel family 6 model 6 stepping 3|4
GPU|||
Crash|SIGSEGV|0x4|13
13|0|libxul.so|mozilla::FrameLayerBuilder::WillEndTransaction()|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|2297|0x0
13|1|libxul.so|mozilla::FrameLayerBuilder::AddPaintedDisplayItem(mozilla::PaintedLayerData*, mozilla::AssignedDisplayItem&, mozilla::layers::Layer*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|5477|0x8
13|2|libxul.so|mozilla::PaintedLayerDataNode::PopAllPaintedLayerData()|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3517|0x18
13|3|libxul.so|mozilla::PaintedLayerDataNode::Finish(bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3129|0x8
13|4|libxul.so|mozilla::PaintedLayerDataNode::FinishAllChildren(bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3120|0x23
13|5|libxul.so|mozilla::PaintedLayerDataNode::Finish(bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3127|0xd
13|6|libxul.so|mozilla::PaintedLayerDataNode::FinishAllChildren(bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3120|0x23
13|7|libxul.so|mozilla::PaintedLayerDataNode::Finish(bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3127|0xd
13|8|libxul.so|mozilla::PaintedLayerDataTree::Finish()|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3179|0x15
13|9|libxul.so|mozilla::ContainerState::Finish(unsigned int*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|5966|0xf
13|10|libxul.so|mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6361|0x15
13|11|libxul.so|nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6876|0x1f
13|12|libxul.so|nsDisplayAsyncZoom::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|7896|0x24
13|13|libxul.so|mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4903|0x2f
13|14|libxul.so|mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6354|0xf
13|15|libxul.so|nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6876|0x1f
13|16|libxul.so|nsDisplayResolution::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|7280|0x21
13|17|libxul.so|mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4903|0x2f
13|18|libxul.so|mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6354|0xf
13|19|libxul.so|nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|2890|0x47
13|20|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|3107|0x28
13|21|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4119|0x27
13|22|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|6155|0x1e
13|23|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|461|0x2e
13|24|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|396|0x17
13|25|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|1019|0x17
13|26|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|2104|0x10
13|27|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|350|0x33
13|28|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|344|0x4c
13|29|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|710|0x41
13|30|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|510|0x3d
13|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|1225|0x16
13|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|486|0x11
13|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|88|0xd
13|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6f456872e11c470adf8b0463684ccbc940386c|315|0x16
13|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6f456872e11c470adf8b0463684ccbc940386c|290|0xb
13|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|137|0xe
13|37|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|276|0x18
13|38|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4636|0x10
13|39|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4771|0x8
13|40|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|4852|0xf
13|41|libxul.so|GeckoStart|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAndroidStartup.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|47|0xd
13|42|libxul.so|mozilla::BootstrapImpl::GeckoStart(_JNIEnv*, char**, int, mozilla::StaticXREAppData const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|77|0x11
13|43|libmozglue.so|Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun|hg:hg.mozilla.org/mozilla-central:mozglue/android/APKOpen.cpp:4d6f456872e11c470adf8b0463684ccbc940386c|372|0x2a
13|44|libart.so||||0x634318
Flags: in-testsuite?

The priority flag is not set for this bug.
:mattwoodrow, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(matt.woodrow)
Flags: needinfo?(matt.woodrow)
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.