Open
Bug 1646815
Opened 4 years ago
Updated 2 years ago
Crash [@ NS_ABORT_OOM | @ nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis]
Categories: Core :: Layout: Grid, defect
Status: NEW

| Tracking | Status |
---|---|---|
firefox79 | --- | affected |

People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (706 bytes, text/html)

Testcase found while fuzzing mozilla-central rev f291dd9e075c.
==30985==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f377edd1ddf bp 0x7ffffdd7f640 sp 0x7ffffdd7f640 T0)
==30985==The signal is caused by a WRITE memory access.
==30985==Hint: address points to the zero page.
#0 0x7f377edd1dde in NS_ABORT_OOM(unsigned long) /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:611:3
#1 0x7f377ed8aeaf in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:154:5
#2 0x7f377ed8aa0b in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::ExtendCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:135:16
#3 0x7f3787efa6f2 in InsertSlotsAt<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:366:17
#4 0x7f3787efa6f2 in nsGridContainerFrame::TrackSize* nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::InsertElementsAtInternal<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2233:49
#5 0x7f3787e56e70 in nsTArrayInfallibleAllocator::ResultType nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::SetLength<nsTArrayInfallibleAllocator>(unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2162:11
#6 0x7f3787e5628a in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3588:19
#7 0x7f3787ea2200 in nsGridContainerFrame::IntrinsicISize(gfxContext*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9160:9
#8 0x7f3787ea2f25 in nsGridContainerFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9184:29
#9 0x7f3787dd2c70 in nsIFrame::ShrinkWidthToFit(gfxContext*, int, nsIFrame::ComputeSizeFlags) /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6358:22
#10 0x7f3787d4288b in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:990:11
#11 0x7f3787dd0262 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6073:7
#12 0x7f3787caa956 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1642:28
#13 0x7f3787ca12e1 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2291:7
#14 0x7f3787c9adfa in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:354:3
#15 0x7f3787cdd0de in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:707:15
#16 0x7f3787cda744 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#17 0x7f3787e947e4 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8388:37
#18 0x7f3787e963da in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8562:11
#19 0x7f3787cdd8d2 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:760:14
#20 0x7f3787cda744 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#21 0x7f3787e947e4 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8388:37
#22 0x7f3787e963da in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8562:11
#23 0x7f3787cdd8d2 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:760:14
#24 0x7f3787cda744 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#25 0x7f3787dd37ac in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6506:24
#26 0x7f3787dd3337 in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6473:3
#27 0x7f3787d3349d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:835:3
#28 0x7f3787d33de4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1074:14
#29 0x7f3787e19ec1 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:661:3
#30 0x7f3787e1b6f5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:775:3
#31 0x7f3787e1f8da in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1161:3
#32 0x7f3787cd9361 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1114:14
#33 0x7f3787cd89cb in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:296:7
#34 0x7f3787af5b4e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9605:11
#35 0x7f3787b08407 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9778:24
#36 0x7f3787b06e7d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4244:11
#37 0x7f3787a94587 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2064:20
#38 0x7f3787aa19f6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#39 0x7f3787aa19f6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:350:7
#40 0x7f3787aa15f5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#41 0x7f3787ab0a72 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:819:5
#42 0x7f3787ab0a72 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:737:16
#43 0x7f3787ab004f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:639:7
#44 0x7f3787a9e9e2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:20
#45 0x7f377eff608e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#46 0x7f377f00107c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
#47 0x7f37803860cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#48 0x7f37802635e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#49 0x7f37802635e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#50 0x7f37802635e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#51 0x7f37875f1058 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#52 0x7f378b1a9b56 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#53 0x7f37802635e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7f37802635e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#55 0x7f37802635e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#56 0x7f378b1a913f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#57 0x562c5a6c9b43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#58 0x562c5a6c9b43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#59 0x7f37a2dd2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:611:3 in NS_ABORT_OOM(unsigned long)
Flags: in-testsuite?
Updated by Reporter • 4 years ago
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Comment 1 (Reporter) • 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200618094105-f291dd9e075c.
Failed to bisect testcase (Start build crashes!):
> Start: a440f0629814ea638bdbee6cf2f1a0425dd04c61 (20190620094631)
> End: 7f0b0cbecd946aee526a869853a46a14ee44b1f9 (20200618044329)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)
Updated • 4 years ago
Crash Signature: [@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::InsertSlotsAt<T> | nsTArray_Impl<T>::SetLength<T> | nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis ]
Comment 2 • 3 years ago
Bugmon Analysis
Unable to reproduce bug 1646815 using build mozilla-central 20201205093858-7ce95b6cde26. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Updated • 2 years ago
Severity: normal → S3