1602990 - member call on null pointer of type 'nsIFrame' in layout/base/PresShell.cpp:2585

Status: RESOLVED FIXED

(Core :: SVG, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reproduced with m-c: 20191210-f5d38101ac7c

layout/base/PresShell.cpp:2585:21: runtime error: member call on null pointer of type 'nsIFrame'
    #0 0x7f3b37d218ce in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, mozilla::IntrinsicDirty, nsFrameState, mozilla::ReflowRootHandling) layout/base/PresShell.cpp:2585:21
    #1 0x7f3b3825d012 in mozilla::SVGRenderingObserverSet::InvalidateAll() layout/svg/SVGObserverUtils.cpp:1024:19
    #2 0x7f3b37fa2454 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrame.cpp:802:3
    #3 0x7f3b37f00c30 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:288:22
    #4 0x7f3b3806e6fc in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsLineBox.cpp:380:14
    #5 0x7f3b37f0074f in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsBlockFrame.cpp:370:3
    #6 0x7f3b37fde30e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrameList.cpp:51:12
    #7 0x7f3b37f00ba7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:215:11
    #8 0x7f3b37fde30e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrameList.cpp:51:12
    #9 0x7f3b37f00ba7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:215:11
    #10 0x7f3b37fde30e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrameList.cpp:51:12
    #11 0x7f3b37f00ba7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:215:11
    #12 0x7f3b3806e6fc in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsLineBox.cpp:380:14
    #13 0x7f3b37f0074f in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsBlockFrame.cpp:370:3
    #14 0x7f3b3806e6fc in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsLineBox.cpp:380:14
    #15 0x7f3b37f0074f in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsBlockFrame.cpp:370:3
    #16 0x7f3b37fde30e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrameList.cpp:51:12
    #17 0x7f3b37f00ba7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:215:11
    #18 0x7f3b37f33c4c in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsCanvasFrame.cpp:216:21
    #19 0x7f3b37fde30e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsFrameList.cpp:51:12
    #20 0x7f3b37f00ba7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) layout/generic/nsContainerFrame.cpp:215:11
    #21 0x7f3b37e46e8c in nsIFrame::Destroy() layout/generic/nsIFrame.h:655:5
    #22 0x7f3b37f4290b in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) layout/generic/nsContainerFrame.cpp:169:19
    #23 0x7f3b37dcc006 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) layout/base/nsCSSFrameConstructor.cpp:7614:5
    #24 0x7f3b37dc46f7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) layout/base/nsCSSFrameConstructor.cpp:8627:7
    #25 0x7f3b37d54be5 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) layout/base/RestyleManager.cpp:1536:25
    #26 0x7f3b37d5befb in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) layout/base/RestyleManager.cpp:3082:9
    #27 0x7f3b37d30789 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4066:39
    #28 0x7f3b37cd27e0 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:2021:22
    #29 0x7f3b37ce1ffe in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:351:7
    #30 0x7f3b37ce1d61 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:368:5
    #31 0x7f3b37ce0769 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:740:16
    #32 0x7f3b37cdfaf7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) layout/base/nsRefreshDriver.cpp:635:9
    #33 0x7f3b383a9366 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) layout/ipc/VsyncChild.cpp:65:16
    #34 0x7f3b315659f6 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:187:54
    #35 0x7f3b30f544fb in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #36 0x7f3b3071960b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:2209:25
    #37 0x7f3b30714ad7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:2131:9
    #38 0x7f3b30716643 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1973:3
    #39 0x7f3b30717578 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:2004:13
    #40 0x7f3b2f3714e4 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1256:14
    #41 0x7f3b2f377186 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #42 0x7f3b307260d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:109:5
    #43 0x7f3b3056d004 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #44 0x7f3b378e4e5a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:137:27
    #45 0x7f3b3b8cf4e1 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:946:20
    #46 0x7f3b307276e1 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:237:9
    #47 0x7f3b3056d004 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #48 0x7f3b3b8ce986 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:781:34
    #49 0x55d6e03391bd in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #50 0x55d6e03393e1 in main browser/app/nsBrowserApp.cpp:303:18

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/ZdBRB6WH0s8kb-mDVZyGhg/index.html

Comment 2

[Robert Longson [:longsonr]]

see if bug 1601824 fixes it

Comment 3

[Tyson Smith [:tsmith]]

This is still reproducible with m-c 20191218-f870bccd07ee.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:svoisen, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 5

[Cameron McCormack (:heycam)]

In the test case we we have some non-display SVG text on a text path. The textPath has an odd xlink:href="" (which would normally point to a path element) pointing back to itself. The textPath observes the element pointed to by xlink:href, and so it ends up observing itself. We're in the middle of destroying frames from the root element. When we call nsFrame::DestroyFrom on the textPath element, we notify itself, which then notifies the the text element since the text path could have changed. In response, we end up calling ScheduleReflowSVGNonDisplayText so that text would be reflowed to account for the new text path target. That works by crawling up the frame tree to find the closest displayed ancestor and scheduling a reflow on it. That ancestor is the frame for the subtree root we're in the middle of destroying, and it's already done half of its work. That happened to have included severing the connection between an out-of-flow frame and its placeholder. So when we try to reflow and come across the placeholder frame, we find it pointing to a null OOF frame, which we then try to reflow, and crash.

It seems like we should try to avoid doing the ScheduleReflowSVGNonDisplayText work if we're in the middle of destroying the SVGTextFrame.

Comment 6

[Cameron McCormack (:heycam)]

We already skip the call to ScheduleReflowSVGNonDisplayText when NS_STATE_SVG_TEXT_IN_REFLOW is set, for similar reasons. We can rename that state bit and make it a bit broader.

Comment 7

[Cameron McCormack (:heycam)]

Oh, this is slightly more complicated since there is a use involved...

Comment 8

[Robert Longson [:longsonr]]

bug 1848851 should have fixed this. It doesn't crash for me any more and the textPath in SVGObserverUtils has targetIsValid = false so no reflow happens any more.