Closed
Bug 1600637
Opened 5 years ago
Closed 5 years ago
Assertion failure: mFrames.FirstChild() && mFrames.FirstChild()->GetContentInsertionFrame()->IsLegendFrame() | Crash [@ mozilla::ReflowInput::ReflowInput ]
Categories
(Core :: Layout: Form Controls, defect)
RESOLVED
DUPLICATE
of bug 1600207
People
(Reporter: bc, Assigned: MatsPalmgren_bugz)
- https://www.filmpro.ru/movies/357236 Nightly Windows and Linux
- Assert in Debug Linux and Windows Nightly.
Assertion failure: mFrames.FirstChild() && mFrames.FirstChild()->GetContentInsertionFrame()->IsLegendFrame(), at /builds/worker/workspace/build/src/layout/forms/nsFieldSetFrame.cpp:93
#01: nsFieldSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) [layout/forms/nsFieldSetFrame.cpp:418]
#02: nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) [layout/generic/nsBlockReflowContext.cpp:294]
#03: nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) [layout/generic/nsBlockFrame.cpp:3694]
#04: nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) [layout/generic/nsBlockFrame.cpp:0]
#05: nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) [layout/generic/nsBlockFrame.cpp:2584]
... tons more frames.
Crash in Opt
bp-980c2f04-1b7c-4db5-b2c8-ff0980191202 Crash [@ mozilla::ReflowInput::ReflowInput ]
Frame Module Signature Source Trust
0 libxul.so mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) layout/generic/ReflowInput.cpp:172 context
1 libxul.so nsFieldSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/forms/nsFieldSetFrame.cpp:566 cfi
2 libxul.so nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) layout/generic/nsBlockReflowContext.cpp:293 cfi
3 libxul.so nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3039 cfi
4 libxul.so nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsBlockFrame.cpp:1325 cfi
5 libxul.so nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) layout/generic/nsBlockReflowContext.cpp:293
Use after Poison in ASAN.
==25193==ERROR: AddressSanitizer: use-after-poison on address 0x625000babb5c at pc 0x7fd8bd4a81d8 bp 0x7ffeb7d64e00 sp 0x7ffeb7d64df8
READ of size 1 at 0x625000babb5c thread T0 (Web Content)
#0 0x7fd8bd4a81d7 in GetWritingMode /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:906:56
#1 0x7fd8bd4a81d7 in SizeComputationInput /builds/worker/workspace/build/src/layout/generic/ReflowInput.h:181:30
#2 0x7fd8bd4a81d7 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:169:7
#3 0x7fd8bd860684 in nsFieldSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/forms/nsFieldSetFrame.cpp:566:17
#4 0x7fd8bd51902c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:293:11
#5 0x7fd8bd50f122 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3694:11
Comment 1•5 years ago
Mats, could you take a look? It looks like you've touched nsFieldSetFrame.cpp recently. Thanks.
Group: core-security → layout-core-security
Flags: needinfo?(mats)
Updated•5 years ago
Component: Layout → Layout: Form Controls
Comment 2•5 years ago
Probably a dup of bug 1600207.
Comment 3•5 years ago
Yes, the fix in bug 1600207 in my local build makes this crash go away.
Assignee: nobody → mats
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mats)
Keywords: csectype-framepoisoning
Resolution: --- → DUPLICATE
Updated•5 years ago
status-firefox72:
--- → fixed