Closed
Bug 1611848
Opened 4 years ago
Closed 4 years ago
Assertion failure: aNewFrame->GetParent() == outOfFlowFrameList->containingBlock (Parent of the frame is not the containing block?), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1119
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla76
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev c0fa6d007c58.
Assertion failure: aNewFrame->GetParent() == outOfFlowFrameList->containingBlock (Parent of the frame is not the containing block?), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1119
rax = 0x000055795de38340 rdx = 0x0000000000000000
rcx = 0x00007f279c58c7e3 rbx = 0x00007f2773a8c5d0
rsi = 0x00007f27a7f7c8b0 rdi = 0x00007f27a7f7b680
rbp = 0x00007ffe99adddc0 rsp = 0x00007ffe99addd60
r8 = 0x00007f27a7f7c8b0 r9 = 0x00007f27a90e3780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffe99ade368 r13 = 0x00007ffe99ade320
r14 = 0x00007ffe99ade2c8 r15 = 0x00007f2773a8c270
rip = 0x00007f279898d153
OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsFrameConstructorState::AddChild(nsIFrame*, nsFrameList&, nsIContent*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1118|0x2f
0|1|libxul.so|nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|10520|0x3a
0|2|libxul.so|nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&, nsBlockFrame* (*)(mozilla::PresShell*, mozilla::ComputedStyle*))|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4602|0x49
0|3|libxul.so|nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4573|0xe
0|4|libxul.so|nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3567|0x1d
0|5|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|5636|0x15
0|6|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|9486|0x16
0|7|libxul.so|nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|6805|0x24
0|8|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1432|0xe
0|9|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3081|0xf
0|10|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4077|0x1c
0|11|libxul.so|mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|10034|0x3d
0|12|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|675|0xb
0|13|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|614|0x16
0|14|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|604|0x1a
0|15|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|511|0xe
0|16|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|10690|0x4c
0|17|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|10624|0x2a
0|18|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|7312|0xd
0|19|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1215|0x5
0|20|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|21|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|22|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|23|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|24|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|25|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|26|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|272|0x10
0|27|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4624|0x16
0|28|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4761|0x8
0|29|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4842|0x5
0|30|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|217|0x26
0|31|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|339|0xf
0|32|libc-2.27.so||||0x21b97
0|33|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|34|firefox-bin||||0x10e30
0|35|ld-2.27.so||||0x10733
0|36|libdl-2.27.so||||0x202d80
0|37|libpthread-2.27.so||||0x219bb0
0|38|firefox-bin||||0x10e30
0|39|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
The test case leads to crash. bp-77c80bda-7f33-4887-a430-d45270200127
Priority: -- → P2
|
Assignee | |
Comment 2•4 years ago
|
||
Slightly more useful crash report (I don't know why the one in comment 1 doesn't have a useful stack): https://crash-stats.mozilla.org/report/index/8114ab03-a69b-4b2a-9009-1bdeb0200127
It seems some combination of display: contents and <svg:text>. Yay? Will look.
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 4•4 years ago
|
||
Oh, it does, just intermittently... yay?
|
||
Comment 5•4 years ago
•
|
||
:emilio, were you able to dig further into this (it is tracked as new regression for 74)?
|
|
||
Comment 6•4 years ago
|
||
:svoisen, is there someone that can work on this issue (tracked as regression for FF74) ?
Flags: needinfo?(svoisen)
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(svoisen)
|
||
Comment 8•4 years ago
|
||
Based on comment 4 perhaps this is not a regression from 72? Do we want to track until we're sure?
|
|
Assignee | |
Comment 9•4 years ago
|
||
(In reply to Sean Voisen (:svoisen) [On PTO until Feb 21] from comment #8)
Based on comment 4 perhaps this is not a regression from 72? Do we want to track until we're sure?
This does crash on 72 the same way as 74, so I don't think we want to track this. I still plan to fix this ofc.
|
||
Updated•4 years ago
|
|
|
||
Comment 10•4 years ago
|
||
Removing regression keyword so this doesn't show up in regression triage.
Keywords: regression
|
|
Assignee | |
Comment 11•4 years ago
|
||
Returning null from FindSVGData just means "fall back to whatever display
specifies", and that's not great.
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(emilio)
|
||
Comment 12•4 years ago
|
||
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/02c284defc4d Properly suppress shadow dom / display: contents inside svg text. r=heycam
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/22467 for changes under testing/web-platform/tests
Can't merge web-platform-tests PR due to failing upstream checks: Github PR https://github.com/web-platform-tests/wpt/pull/22467 * Community-TC (pull_request) (https://community-tc.services.mozilla.com/tasks/groups/NrdAgWUIQ1S3jvr1BeHxyw)
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 15•4 years ago
|
||
Instability due to a crashtest that crashes sounds as expected right? :)
Flags: needinfo?(emilio) → needinfo?(james)
|
||
Comment 16•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox76:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
||
Comment 17•4 years ago
|
||
Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.
status-firefox75:
--- → ?
|
||
Updated•4 years ago
|
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
Upstream PR merged by jgraham
|
||
Updated•4 years ago
|
Flags: needinfo?(james)
You need to log in
before you can comment on or make changes to this bug.
Description
•