Closed
Bug 1574544
Opened 5 years ago
Closed 5 years ago
crash near null in [@ nsCSSFrameConstructor::IsValidSibling]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla70
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | wontfix |
| firefox68 | --- | wontfix |
| firefox69 | --- | wontfix |
| firefox70 | --- | fixed |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
Reduced with m-c:
BuildID=20190816094815
SourceStamp=5d4cbfe103bbc517599231eb33d4f3ebbbcede40
==21146==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7efd1c226c13 bp 0x7ffceddcb770 sp 0x7ffceddcb730 T0)
==21146==The signal is caused by a READ memory access.
==21146==Hint: address points to the zero page.
#0 0x7efd1c226c12 in get src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27
#1 0x7efd1c226c12 in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:308
#2 0x7efd1c226c12 in NodeType src/dom/base/nsINode.h:654
#3 0x7efd1c226c12 in IsComment src/dom/base/nsINode.h:545
#4 0x7efd1c226c12 in nsCSSFrameConstructor::IsValidSibling(nsIFrame*, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:6064
#5 0x7efd1c227494 in nsCSSFrameConstructor::AdjustSiblingFrame(nsIFrame*, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&, nsCSSFrameConstructor::SiblingDirection) src/layout/base/nsCSSFrameConstructor.cpp:6230:8
#6 0x7efd1c31a0c7 in operator() src/layout/base/nsCSSFrameConstructor.cpp:6136:12
#7 0x7efd1c31a0c7 in nsIFrame* nsCSSFrameConstructor::FindSiblingInternal<(nsCSSFrameConstructor::SiblingDirection)1>(mozilla::dom::FlattenedChildIterator&, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:6181
#8 0x7efd1c227825 in nsIFrame* nsCSSFrameConstructor::FindSibling<(nsCSSFrameConstructor::SiblingDirection)1>(mozilla::dom::FlattenedChildIterator const&, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:6255:23
#9 0x7efd1c2286a1 in FindPreviousSibling src/layout/base/nsCSSFrameConstructor.cpp:6240:10
#10 0x7efd1c2286a1 in nsCSSFrameConstructor::GetInsertionPrevSibling(nsCSSFrameConstructor::InsertionPoint*, nsIContent*, bool*, bool*, nsIContent*, nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6335
#11 0x7efd1c2297b2 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7136:27
#12 0x7efd1c1bdbd4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1561:25
#13 0x7efd1c1ca095 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3108:9
#14 0x7efd1c177249 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3190:3
#15 0x7efd1c177249 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4119
#16 0x7efd168a6949 in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
#17 0x7efd168a6949 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:9975
#18 0x7efd168f2ad6 in FlushPendingNotifications src/dom/base/Document.cpp:9905:3
#19 0x7efd168f2ad6 in nsIContent::GetPrimaryFrame(mozilla::FlushType) src/dom/base/Element.cpp:233
#20 0x7efd19cb6cc8 in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) src/dom/html/nsGenericHTMLElement.cpp:317:8
#21 0x7efd1bd42d80 in OffsetWidth src/dom/html/nsGenericHTMLElement.h:204:5
#22 0x7efd1bd42d80 in mozilla::HTMLEditor::RefreshInlineTableEditingUIInternal() src/editor/libeditor/HTMLInlineTableEditor.cpp:339
#23 0x7efd1bd44ea5 in mozilla::HTMLEditor::ShowInlineTableEditingUIInternal(mozilla::dom::Element&) src/editor/libeditor/HTMLInlineTableEditor.cpp:148:19
#24 0x7efd1bd3f175 in mozilla::HTMLEditor::RefreshEditingUI() src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:461:21
#25 0x7efd1be88fb9 in EnableInlineTableEditor src/obj-firefox/dist/include/mozilla/HTMLEditor.h:340:5
#26 0x7efd1be88fb9 in mozilla::SetDocumentStateCommand::DoCommandParam(mozilla::Command, mozilla::Maybe<bool> const&, mozilla::TextEditor&, nsIPrincipal*) const src/editor/libeditor/HTMLEditorDocumentCommands.cpp:114
#27 0x7efd1686552a in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:4618:26
#28 0x7efd189f5447 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Document*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:3579:36
#29 0x7efd1914bf3d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3163:13
#30 0x7efd1fd2a4f7 in CallJSNative src/js/src/vm/Interpreter.cpp:447:13
#31 0x7efd1fd2a4f7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:539
#32 0x7efd1fd1279c in CallFromStack src/js/src/vm/Interpreter.cpp:598:10
#33 0x7efd1fd1279c in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
#34 0x7efd1fcf3e3f in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
#35 0x7efd1fd2afff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:567:13
#36 0x7efd1fd2d222 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:610:8
#37 0x7efd20839e28 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2722:10
#38 0x7efd189ac924 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#39 0x7efd19914191 in Call<nsCOMPtr<mozilla::dom::EventTarget> > src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#40 0x7efd19914191 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205
#41 0x7efd198d877c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1031:22
#42 0x7efd198da1c0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1223:17
#43 0x7efd198c0e0a in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#44 0x7efd198c0e0a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349
#45 0x7efd198bf622 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
#46 0x7efd198c4feb in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1047:11
#47 0x7efd1c25f8f4 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1169:7
#48 0x7efd1ee8cf09 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6519:20
#49 0x7efd1ee8c1ae in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6319:7
#50 0x7efd1ee90cff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#51 0x7efd151c429c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1333:3
#52 0x7efd151c333c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:892:14
#53 0x7efd151bef5b in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
#54 0x7efd151c1db6 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
#55 0x7efd151c2f1c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#56 0x7efd12a59210 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#57 0x7efd16856c68 in DoUnblockOnload src/dom/base/Document.cpp:10664:18
#58 0x7efd16856c68 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10596
#59 0x7efd168823f4 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7160:3
#60 0x7efd16967954 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#61 0x7efd16967954 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1130
#62 0x7efd16967954 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1176
#63 0x7efd127747d1 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#64 0x7efd127a6720 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#65 0x7efd127ac768 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#66 0x7efd1399c6ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#67 0x7efd13897762 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#68 0x7efd13897762 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#69 0x7efd13897762 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#70 0x7efd1bb7ea79 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#71 0x7efd1fa71cef in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#72 0x7efd13897762 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#73 0x7efd13897762 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#74 0x7efd13897762 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#75 0x7efd1fa71596 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#76 0x5577cee25f13 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#77 0x5577cee25f13 in main src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
status-firefox70:
--- → affected
|
||
Comment 1•5 years ago
|
||
Is this a recent regression?
Keywords: regressionwindow-wanted
Priority: -- → P2
|
||
Comment 2•5 years ago
|
||
Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5f3c40ffdfedafcf6476694d148a5c6c7601db73&tochange=4f0a12bcb4017a46280b133aa2be83ca49b6d14a
Regressed by: Bug 1484110
Regressed by: 1484110
|
|
||
Updated•5 years ago
|
Keywords: regressionwindow-wanted → regression
|
Assignee | |
Comment 3•5 years ago
|
||
Huh, weird.
I'll try to take a look as Masayuki is not available and I'm somewhat familiar with the crashing code.
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 4•5 years ago
|
||
This condition was needed when FindInsertionPrevSibling and co didn't understand
display: contents.
Editor is pretty broken (and calls into PresShell::ContentRemoved directly, and
incorrectly, using anonymous nodes).
In this case we were taking the XBL path because of display: contents, which
means that we tried to seek to the editor anonymous node, and crash (since it's
not an explicit kid).
Editor needs to get fixed, but this is technically more correct and fixes the
crash, so we may as well take it in the interim.
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/91d88ae893e7 Remove now-unnecessary condition that makes the frame constructor get confused with editor anonymous nodes. r=mats
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
||
Updated•5 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::IsValidSibling]
status-firefox68:
--- → wontfix
status-firefox69:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
||
Updated•2 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•