Closed Bug 1630385 Opened 4 years ago Closed 4 years ago

use-after-poison [@ mozilla::layout::FindScrollAnchoringBoundingRect]

Categories: Core :: Layout, defect, P2

Tracking: VERIFIED FIXED, target milestone mozilla77

Tracking Status:
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 --- verified

People: Reporter: tsmith, Assigned: emilio

References: Blocks 1 open bug, Regression

Details: 4 keywords

Attachments: 2 files

Attached file testcase.html

Reduced with m-c 20200415-e2ba76aefa65

This test case seems to only trigger the issue when run under Xvfb.

==101212==ERROR: AddressSanitizer: use-after-poison on address 0x6250002d8ce8 at pc 0x7f5eb6444e3c bp 0x7fff0f190730 sp 0x7fff0f190728
READ of size 8 at 0x6250002d8ce8 thread T0 (Web Content)
    #0 0x7f5eb6444e3b in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:839:48
    #1 0x7f5eb6444e3b in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:847:33
    #2 0x7f5eb6444e3b in GetContent gecko/layout/generic/nsIFrame.h:726:43
    #3 0x7f5eb6444e3b in mozilla::layout::FindScrollAnchoringBoundingRect(nsIFrame const*, nsIFrame*) gecko/layout/generic/ScrollAnchorContainer.cpp:124:42
    #4 0x7f5eb6442822 in mozilla::layout::FindScrollAnchoringBoundingOffset(mozilla::ScrollFrameHelper const*, nsIFrame*) gecko/layout/generic/ScrollAnchorContainer.cpp:198:7
    #5 0x7f5eb644379e in mozilla::layout::ScrollAnchorContainer::ApplyAdjustments() gecko/layout/generic/ScrollAnchorContainer.cpp:426:7
    #6 0x7f5eb629192e in mozilla::PresShell::FlushPendingScrollAnchorAdjustments() gecko/layout/base/PresShell.cpp:2644:23
    #7 0x7f5eb629dfce in mozilla::PresShell::ProcessReflowCommands(bool) gecko/layout/base/PresShell.cpp:9549:9
    #8 0x7f5eb629c99d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) gecko/layout/base/PresShell.cpp:4221:11
    #9 0x7f5eb622cc27 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:2077:20
    #10 0x7f5eb623b556 in TickDriver gecko/layout/base/nsRefreshDriver.cpp:374:13
    #11 0x7f5eb623b556 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) gecko/layout/base/nsRefreshDriver.cpp:351:7
    #12 0x7f5eb623b155 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:368:5
    #13 0x7f5eb623a202 in RunRefreshDrivers gecko/layout/base/nsRefreshDriver.cpp:828:5
    #14 0x7f5eb623a202 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:746:16
    #15 0x7f5eb6239381 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) gecko/layout/base/nsRefreshDriver.cpp:645:9
    #16 0x7f5eb69a04d9 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) gecko/layout/ipc/VsyncChild.cpp:55:16
    #17 0x7f5eaf8bb0c0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #18 0x7f5eaf3795d0 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5970:32
    #19 0x7f5eaec98ea0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) gecko/ipc/glue/MessageChannel.cpp:2187:25
    #20 0x7f5eaec93837 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) gecko/ipc/glue/MessageChannel.cpp:2111:9
    #21 0x7f5eaec95d34 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) gecko/ipc/glue/MessageChannel.cpp:1959:3
    #22 0x7f5eaec96c10 in mozilla::ipc::MessageChannel::MessageTask::Run() gecko/ipc/glue/MessageChannel.cpp:1990:13
    #23 0x7f5ead9b6366 in nsThread::ProcessNextEvent(bool, bool*) gecko/xpcom/threads/nsThread.cpp:1200:14
    #24 0x7f5ead9c11bc in NS_ProcessNextEvent(nsIThread*, bool) gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #25 0x7f5eaeca4b5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) gecko/ipc/glue/MessagePump.cpp:87:21
    #26 0x7f5eaeb92fa7 in RunInternal gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #27 0x7f5eaeb92fa7 in RunHandler gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #28 0x7f5eaeb92fa7 in MessageLoop::Run() gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #29 0x7f5eb5d93d38 in nsBaseAppShell::Run() gecko/widget/nsBaseAppShell.cpp:137:27
    #30 0x7f5eb9908616 in XRE_RunAppShell() gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
    #31 0x7f5eaeb92fa7 in RunInternal gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #32 0x7f5eaeb92fa7 in RunHandler gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #33 0x7f5eaeb92fa7 in MessageLoop::Run() gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #34 0x7f5eb9907cca in XRE_InitChildProcess(int, char**, XREChildData const*) gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
    #35 0x555cfc4b4933 in content_process_main gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #36 0x555cfc4b4933 in main gecko/browser/app/nsBrowserApp.cpp:303:18
    #37 0x7f5ed111182f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #38 0x555cfc40928c in _start (workspace/browsers/m-c-20200415155632-fuzzing-asan-opt/firefox+0x9d28c)

0x6250002d8ce8 is located 5096 bytes inside of 8192-byte region [0x6250002d7900,0x6250002d9900)
allocated by thread T0 (Web Content) here:
    #0 0x555cfc481c5d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x7f5ead96bfa0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7f5eb63c657d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7f5eb63c657d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:67:12
    #4 0x7f5eb63c657d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:71:15
    #5 0x7f5eb6461fc5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7f5eb6461fc5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7f5eb6461fc5 in operator new gecko/layout/generic/ViewportFrame.cpp:34:1
    #8 0x7f5eb6461fc5 in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) gecko/layout/generic/ViewportFrame.cpp:31:10
    #9 0x7f5eb631c5d2 in nsCSSFrameConstructor::ConstructRootFrame() gecko/layout/base/nsCSSFrameConstructor.cpp:2413:7
    #10 0x7f5eb62878eb in mozilla::PresShell::Initialize() gecko/layout/base/PresShell.cpp:1821:36
    #11 0x7f5eb1ab38ec in nsContentSink::StartLayout(bool) gecko/dom/base/nsContentSink.cpp:1160:30
    #12 0x7f5eb053e809 in nsHtml5TreeOpExecutor::StartLayout(bool*) gecko/parser/html/nsHtml5TreeOpExecutor.cpp:678:18
==101212==WARNING: Symbolizer buffer too small
    #13 0x7f5eb0549e32  (workspace/browsers/m-c-20200415155632-fuzzing-asan-opt/libxul.so+0x6fc5e32)
==101212==WARNING: Symbolizer buffer too small
    #14 0x7f5eb053d175  (workspace/browsers/m-c-20200415155632-fuzzing-asan-opt/libxul.so+0x6fb9175)
    #15 0x7f5eb053c3e5 in , opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #16 0x7f5eb053c3e5 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #17 0x7f5eb053c3e5 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 8ul, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> >(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, 
mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #18 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #19 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #20 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #21 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #22 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #23 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #24 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #25 0x7f5eb0543598 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessMeta, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #26 0x7f5eb0543598 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:795:12
    #27 0x7f5eb0543598 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) gecko/parser/html/nsHtml5TreeOperation.cpp:1188:21
    #28 0x7f5ead97cc4d in nsHtml5TreeOpExecutor::RunFlushLoop() gecko/parser/html/nsHtml5TreeOpExecutor.cpp:495:19
    #29 0x7f5ead9b6366 in nsHtml5ExecutorFlusher::Run() gecko/parser/html/nsHtml5StreamParser.cpp:127:18
    #30 0x7f5ead9c11bc in mozilla::SchedulerGroup::Runnable::Run() gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #31 0x7f5eaeca4b5f in nsThread::ProcessNextEvent(bool, bool*) gecko/xpcom/threads/nsThread.cpp:1200:14
    #32 0x7f5eaeb92fa7 in NS_ProcessNextEvent(nsIThread*, bool) gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #33 0x7f5eb5d93d38 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) gecko/ipc/glue/MessagePump.cpp:87:21
    #34 0x7f5eb9908616 in RunInternal gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #35 0x7f5eb9908616 in RunHandler gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #36 0x7f5eb9908616 in MessageLoop::Run() gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #37 0x7f5eaeb92fa7 in nsBaseAppShell::Run() gecko/widget/nsBaseAppShell.cpp:137:27
Flags: in-testsuite?
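What makes the report above readable is its second half: the faulting address is "inside of" an 8192-byte region that is still allocated, and that region came from ArenaAllocator<8192ul, 8ul> via PresShell::AllocateFrame. Frames are carved out of arena chunks, so destroying a frame never returns memory to malloc and plain heap-use-after-free detection would see nothing; an arena that marks its freed slots as poisoned is what turns a stale frame pointer (here, one held on the scroll-anchoring path) into a use-after-poison report on the first load. The toy arena below is added illustrative code, not Gecko's ArenaAllocator or ASan; the chunk size and alignment echo the trace, the Frame/Anchor types and the poison_on_free switch are constructed for the example, and the shadow array is an explicit one-flag-per-byte version of what ASan keeps in compressed shadow memory.

```c
/* Toy arena with per-byte poisoning, to show why an arena-backed dangling
   frame pointer surfaces as "use-after-poison" rather than "use-after-free".
   Constructed example: not Gecko's ArenaAllocator, not ASan's runtime. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 8192  /* echoes ArenaAllocator<8192ul, 8ul> from the trace */
#define ALIGN 8

enum AccessResult { ACCESS_OK = 0, ACCESS_USE_AFTER_POISON = 1, ACCESS_OUT_OF_ARENA = 2 };

typedef struct {
    uint8_t bytes[CHUNK_SIZE];
    bool poisoned[CHUNK_SIZE];  /* shadow flag per byte; ASan stores a compressed form */
    size_t used;
    bool poison_on_free;        /* the property that makes stale frame pointers detectable */
} Arena;

typedef struct Frame {          /* stand-in for a layout frame (constructed) */
    int id;
    struct Frame *parent;
} Frame;

typedef struct { Frame *node; } Anchor;  /* stand-in for an anchor holding a raw frame pointer */

static size_t round_up(size_t n) { return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1); }

static void arena_init(Arena *a, bool poison_on_free) {
    memset(a, 0, sizeof *a);
    a->poison_on_free = poison_on_free;
}

/* Bump-allocate inside the chunk; the slot is unpoisoned while it is live. */
static void *arena_alloc(Arena *a, size_t n) {
    size_t rounded = round_up(n);
    if (a->used + rounded > CHUNK_SIZE) return NULL;
    void *p = a->bytes + a->used;
    memset(a->poisoned + a->used, 0, rounded);
    a->used += rounded;
    return p;
}

/* Returning a frame to the arena: the chunk itself stays malloc'd, so only the
   slot's shadow flags change. Without poisoning, nothing records the free. */
static void arena_free(Arena *a, void *p, size_t n) {
    size_t off = (size_t)((uint8_t *)p - a->bytes);
    if (a->poison_on_free) memset(a->poisoned + off, 1, round_up(n));
}

/* The check an instrumented load performs before touching memory. */
static enum AccessResult arena_check_read(const Arena *a, const void *p, size_t n,
                                          size_t *offset_out) {
    const uint8_t *q = (const uint8_t *)p;
    if (q < a->bytes || q + n > a->bytes + CHUNK_SIZE) return ACCESS_OUT_OF_ARENA;
    size_t off = (size_t)(q - a->bytes);
    for (size_t i = 0; i < n; i++) {
        if (a->poisoned[off + i]) { *offset_out = off + i; return ACCESS_USE_AFTER_POISON; }
    }
    return ACCESS_OK;
}

/* Scenario: an anchor keeps pointing at a frame after that frame is destroyed,
   and the code then reads frame->parent through it (an 8-byte READ, as in the
   report). Returns what the checked load would report. */
static enum AccessResult dangling_anchor_scenario(bool poison_on_free, size_t *offset_out) {
    Arena arena;
    arena_init(&arena, poison_on_free);
    *offset_out = 0;
    Frame *root = arena_alloc(&arena, sizeof(Frame));
    Frame *child = arena_alloc(&arena, sizeof(Frame));
    root->id = 1;  root->parent = NULL;
    child->id = 2; child->parent = root;

    Anchor anchor = { child };                   /* anchor selected on the child frame */
    arena_free(&arena, child, sizeof(Frame));    /* child destroyed, anchor never invalidated */

    enum AccessResult r = arena_check_read(&arena, &anchor.node->parent,
                                           sizeof(Frame *), offset_out);
    if (r == ACCESS_USE_AFTER_POISON)
        printf("use-after-poison: READ of size %zu at offset %zu inside %d-byte chunk\n",
               sizeof(Frame *), *offset_out, CHUNK_SIZE);
    else
        printf("no report: stale frame pointer read silently (%s)\n",
               poison_on_free ? "access is live" : "arena does not poison freed slots");
    return r;
}

int main(void) {
    size_t off;
    dangling_anchor_scenario(true, &off);   /* detected */
    dangling_anchor_scenario(false, &off);  /* same bug, invisible */
    return 0;
}
```

Run with poisoning on, the stale read is flagged at the freed child's slot; with poisoning off, the identical bug reads whatever the slot held and no tool sees it, which is why arena allocators in security-sensitive code are worth instrumenting this way even though the underlying chunk never leaves the heap.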

Do you happen to know if this is a recent regression?

It seems to repro outside XVfb as well, you just need a smaller viewport.

nvm, seems to be a regression from bug 1520581.

Priority: -- → P2
Regressed by: 1520581
Has Regression Range: --- → yes
Flags: needinfo?(emilio)

A Pernosco session is available here: https://pernos.co/debug/-gMXkUMGj1Ofajfwn10ELQ/index.html

Too slow, had a fix already ;)

Assignee: nobody → emilio
Flags: needinfo?(emilio)

We can modify the scroll position without invalidating the anchor (that's kind
of the point, actually).

So it's possible (and ok) to end up with a frame which is already maintaining
an anchor but for which CanMaintainAnchor now returns true.

So if you have a scrollframe with a non-zero scroll position and select an
anchor for that scrollframe, and then try to select an anchor for an ancestor,
you don't want to dig into there.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9022d327e0bd
Don't descend into scroll frames with a pre-existing anchor. r=dholbert
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Flags: in-testsuite? → in-testsuite+
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423095248-47426d145e24.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.