Closed Bug 1587688 Opened 5 years ago Closed 5 years ago

crash near null in [@ nsMeterFrame::ReflowBarFrame]

Categories

(Core :: Layout: Form Controls, defect, P2)

Product:
Core
Component:
Layout: Form Controls
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr)

Attachments

(1 file)

testcase.html
301 bytes, text/html
Details
Attached file testcase.html

Reduced with m-c:
BuildID=20191009164235
SourceStamp=a43ad34ac8e3033d22c2ea30eebfa8c271130e48

==88909==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006c (pc 0x7f41c8a9ba30 bp 0x7ffc632aac70 sp 0x7ffc632aa980 T0)
==88909==The signal is caused by a READ memory access.
==88909==Hint: address points to the zero page.
    #0 0x7f41c8a9ba2f in nsMeterFrame::ReflowBarFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/forms/nsMeterFrame.cpp
    #1 0x7f41c8a9b2fe in nsMeterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/forms/nsMeterFrame.cpp:99:3
    #2 0x7f41c8941cca in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:877:13
    #3 0x7f41c893f949 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:674:15
    #4 0x7f41c893de3c in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:548:7
    #5 0x7f41c893c8d7 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:363:3
    #6 0x7f41c8941cca in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:877:13
    #7 0x7f41c8729093 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4331:15
    #8 0x7f41c8727969 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4133:5
    #9 0x7f41c871f59a in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4018:9
    #10 0x7f41c87171c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2997:5
    #11 0x7f41c870c9b3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #12 0x7f41c8703e34 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #13 0x7f41c8bb6dc0 in SVGTextFrame::DoReflow() src/layout/svg/SVGTextFrame.cpp:5099:8
    #14 0x7f41c8b9c6f1 in SVGTextFrame::MaybeReflowAnonymousBlockChild() src/layout/svg/SVGTextFrame.cpp:5040:5
    #15 0x7f41c8b9ef3c in SVGTextFrame::ReflowSVG() src/layout/svg/SVGTextFrame.cpp:3423:3
    #16 0x7f41c8b9fd3b in nsSVGDisplayContainerFrame::ReflowSVG() src/layout/svg/nsSVGContainerFrame.cpp:318:17
    #17 0x7f41c8c16233 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/svg/nsSVGOuterSVGFrame.cpp:459:14
    #18 0x7f41c8941cca in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:877:13
    #19 0x7f41c8729093 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4331:15
    #20 0x7f41c8727969 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4133:5
    #21 0x7f41c871f59a in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4018:9
    #22 0x7f41c87171c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2997:5
    #23 0x7f41c870c9b3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #24 0x7f41c8703e34 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #25 0x7f41c872556a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
    #26 0x7f41c871a2d5 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #27 0x7f41c871731b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
    #28 0x7f41c870c9b3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #29 0x7f41c8703e34 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #30 0x7f41c875d1c7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #31 0x7f41c875bd11 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:729:5
    #32 0x7f41c875d1c7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #33 0x7f41c88678dd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:644:3
    #34 0x7f41c8868a91 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:758:3
    #35 0x7f41c886e2bd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1160:3
    #36 0x7f41c86f0f7c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:950:14
    #37 0x7f41c86effdf in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:299:7
    #38 0x7f41c84c1a6f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9229:11
    #39 0x7f41c84dc062 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9399:24
    #40 0x7f41c84d912c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4168:11
    #41 0x7f41c5b5bbc7 in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1443:5
    #42 0x7f41c5b5bbc7 in FlushLayout src/dom/events/EventStateManager.cpp:5626
    #43 0x7f41c5b5bbc7 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:691
    #44 0x7f41c85080c8 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) src/layout/base/PresShell.cpp:7808:39
    #45 0x7f41c84fea0b in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7777:17
    #46 0x7f41c84fd384 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) src/layout/base/PresShell.cpp:6736:30
    #47 0x7f41c84fb56e in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6541:12
    #48 0x7f41c84f9f57 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6467:23
    #49 0x7f41c7e29121 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:751:18
    #50 0x7f41c7e28b24 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1064:9
    #51 0x7f41c7e9e45e in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:381:37
    #52 0x7f41c1eeb27a in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:544:21
    #53 0x7f41c74b42f4 in DispatchWidgetEventViaAPZ src/dom/ipc/BrowserChild.cpp:1736:10
    #54 0x7f41c74b42f4 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1675
    #55 0x7f41c74b6e7f in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1648:3
    #56 0x7f41c74b6fdc in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1613:8
    #57 0x7f41c0a54318 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:5069:56
    #58 0x7f41bfe2ef58 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:7834:32
    #59 0x7f41bfac76b6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2185:25
    #60 0x7f41bfac230d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2109:9
    #61 0x7f41bfac4937 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
    #62 0x7f41bfac57c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13
    #63 0x7f41be84ab71 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #64 0x7f41be87c339 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #65 0x7f41be882fa8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #66 0x7f41bfad0a9f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #67 0x7f41bf9c9762 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #68 0x7f41bf9c9762 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #69 0x7f41bf9c9762 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #70 0x7f41c7ed2229 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #71 0x7f41cbe1afff in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #72 0x7f41bf9c9762 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #73 0x7f41bf9c9762 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #74 0x7f41bf9c9762 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #75 0x7f41cbe1a8a6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #76 0x556744348d1a in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #77 0x556744348d1a in main src/browser/app/nsBrowserApp.cpp:272
Flags: in-testsuite?

Please let me know if a Pernosco session would be helpful and I will create one.

Fwiw, in a debug build I get:
###!!! ASSERTION: The meter frame should have a child with a frame!: 'barFrame', file layout/forms/nsMeterFrame.cpp, line 97

Is this a regression?

Keywords: csectype-nullptr
Priority: -- → P2

This is fixed by https://phabricator.services.mozilla.com/D44808, which is awaiting your review, fwiw.

Depends on: 1578844

OK, good. No need for a regression-window then.

Keywords: regressionwindow-wanted, testcase

Verified the test case no longer crashes.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → emilio
status-firefox71: affectedfixed
Target Milestone: --- → mozilla71
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: