Closed Bug 1652618 Opened 3 months ago Closed 2 months ago

crash at null in [@ nsIFrame::ChildLists]

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking


VERIFIED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox79 --- wontfix
firefox80 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found with m-c 20200709-83895192ba27

==51858==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f28e0dadf4c bp 0x7ffdc67ca6f0 sp 0x7ffdc67ca6e0 T0)
==51858==The signal is caused by a READ memory access.
==51858==Hint: address points to the zero page.
    #0 0x7f28e0dadf4b in nsIFrame::ChildLists() const /builds/worker/workspace/obj-build/dist/include/nsIFrame.h
    #1 0x7f28e0f20909 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /gecko/layout/base/nsFrameManager.cpp:166:40
    #2 0x7f28e0f20b77 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /gecko/layout/base/nsFrameManager.cpp:175:7
    #3 0x7f28e0f1b27d in nsCSSFrameConstructor::CaptureStateForFramesOf(nsIContent*, nsILayoutHistoryState*) /gecko/layout/base/nsCSSFrameConstructor.cpp:8157:5
    #4 0x7f28e0f1a339 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7421:7
    #5 0x7f28e0e6e236 in mozilla::PresShell::DestroyFramesForAndRestyle(mozilla::dom::Element*) /gecko/layout/base/PresShell.cpp:2995:51
    #6 0x7f28dc368b3a in mozilla::dom::Element::AttachShadowWithoutNameChecks(mozilla::dom::ShadowRootMode) /gecko/dom/base/Element.cpp:1088:20
    #7 0x7f28dc3ecfb8 in operator() /gecko/dom/base/Element.cpp:1141:19
    #8 0x7f28dc3ecfb8 in mozilla::detail::RunnableFunction<mozilla::dom::Element::AttachAndSetUAShadowRoot()::$_39>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #9 0x7f28dc04dd83 in nsContentUtils::RemoveScriptBlocker() /gecko/dom/base/nsContentUtils.cpp:5344:15
    #10 0x7f28dc2fc4a8 in mozilla::dom::Document::EndUpdate() /gecko/dom/base/Document.cpp:7123:3
    #11 0x7f28dbfbd8f6 in mozAutoDocUpdate::~mozAutoDocUpdate() /gecko/dom/base/mozAutoDocUpdate.h:34:18
    #12 0x7f28dc5f1b8a in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:2696:1
    #13 0x7f28dcd27540 in InsertBefore /gecko/dom/base/nsINode.h:1971:12
    #14 0x7f28dcd27540 in AppendChild /gecko/dom/base/nsINode.h:1974:12
    #15 0x7f28dcd27540 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:989:60
    #16 0x7f28de0aa188 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3219:13
    #17 0x7f28e4782d8b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:484:13
    #18 0x7f28e4782d8b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:576:12
    #19 0x7f28e4785028 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #20 0x7f28e476c926 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:643:10
    #21 0x7f28e476c926 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3332:16
    #22 0x7f28e474dc41 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
    #23 0x7f28e4782e6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
    #24 0x7f28e4785028 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #25 0x7f28e4785306 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #26 0x7f28e4929100 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
    #27 0x7f28ddc9f9ce in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #28 0x7f28de7a943d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #29 0x7f28de7a8e64 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1082:43
    #30 0x7f28de7aa670 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #31 0x7f28de7987cf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
    #32 0x7f28de796f6d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
    #33 0x7f28de79b4c6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
    #34 0x7f28e0f39222 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1140:7
    #35 0x7f28e3ac692c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6030:20
    #36 0x7f28e3ac5b25 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5499:7
    #37 0x7f28e3ac923f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #38 0x7f28dad5a100 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1331:3
    #39 0x7f28dad58fcc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:937:14
    #40 0x7f28dad5554b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:757:9
    #41 0x7f28dad57abd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:640:5
    #42 0x7f28dad58b5c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp
    #43 0x7f28d858c007 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:615:22
    #44 0x7f28d858f217 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:522:10
    #45 0x7f28dc322ddf in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:10751:18
    #46 0x7f28dc2db657 in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:10683:9
    #47 0x7f28dc2fdf94 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7319:3
    #48 0x7f28dc3ca894 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #49 0x7f28dc3ca894 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #50 0x7f28dc3ca894 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #51 0x7f28d82902ed in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #52 0x7f28d829a879 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #53 0x7f28d8296e08 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:495:24
    #54 0x7f28d8294db2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #55 0x7f28d82951f7 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:162:36
    #56 0x7f28d82a6681 in operator() /gecko/xpcom/threads/TaskController.cpp:83:37
    #57 0x7f28d82a6681 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #58 0x7f28d82cb73c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #59 0x7f28d82d655c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #60 0x7f28d9687b4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #61 0x7f28d9565ac7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #62 0x7f28d9565ac7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #63 0x7f28d9565ac7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #64 0x7f28e095f608 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #65 0x7f28e450f8b6 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #66 0x7f28d9565ac7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #67 0x7f28d9565ac7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #68 0x7f28d9565ac7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #69 0x7f28e450ee9f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #70 0x55f40fdf8723 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #71 0x55f40fdf8723 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?
Component: Web Audio → Layout
Whiteboard: [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200714153520-bca48c382991.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 83895192ba27f0ae37ee27eb9524fb4a46bcf3a5 (20200709213735)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)
Crash Signature: [@ nsFrameManager::CaptureFrameState ]

mozregression says:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9596d7f4a7457bccc78cadf9c39bcc9c4b5b97f8&tochange=b3ecb5aef45a8fb74764bb32e54567d57ed00383

Given that the test has columns in it, and that push range turned on layout.css.column-span.enabled, I suspect multicol. TY, want to have a look?

Severity: -- → S2
Flags: needinfo?(aethanyc)

I see assertions in nsVideoFrame::Reflow like the following before it crashes.

###!!! ASSERTION: Unexpected extra child frame in nsVideoFrame; skipping: 'Error',

That means we create an extra frame under nsVideoFrame. Why?

The script is trying to create a DOM tree like <audio><marquee></marquee></audio>. If we just write this DOM tree statically, the frame constructor won't create any frame for <marquee> because HTMLAudioElement is marked as a shadow root when it is attached to the DOM tree.

BUT, the script creates <marquee> before attaching <audio> to the DOM.

  1) var x = document.createElement('audio');
  2) x.innerHTML = '<marquee>';
  3) document.documentElement.appendChild(x);

So the frame constructor still creates frames for <marquee> as <audio>'s children. That shouldn't happen. The proof is that if lines 2) and 3) are swapped above, the testcase won't crash. I wonder whether we can mark some DOM elements as shadow root sooner? Emilio, any ideas?

Component: Layout → DOM: Core & HTML
Flags: needinfo?(aethanyc) → needinfo?(emilio)

This changes the UA widget setup (again). What is going on in this
test-case is that we have a marquee inside a video, two things that have
their own UA widget. Given how the code is currently written, the
runnable to attach and set up the marquee's widget is posted before the
video one (which is potentially reasonable).

However that means that the marquee one runs before and flushes layout,
and catches the video in an inconsistent state (in the composed doc, but
without a shadow root). That in turn messes up reflow because
nsVideoFrame assumes stuff.

Rather than putting the attach / detach logic in script runners, just
run that bit synchronously, and post only the event async. I audited the
consumers of those events and it seems fine to me, they either already
deal with the possibility of the shadow root being already detached or
they don't care.

For teardown, none of the destructors of the UA widgets rely on the
shadow root being still attached to the element.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
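The ordering problem described in the two comments above (the marquee's widget setup running, and flushing layout, while the video's shadow root is still waiting in a script runner), as an added toy model that is not part of this bug or of Gecko. Elem, flushLayout and insertTree are hypothetical names; the only ordering fact taken from the page is that the marquee's runnable is posted before the video's.

```javascript
// Added example, not Gecko code: a toy model of the ordering problem this
// bug describes. Elem, flushLayout and insertTree are hypothetical stand-ins
// for the DOM element, the marquee widget's layout flush, and insertion.

class Elem {
  constructor(name) {
    this.name = name;
    this.inComposedDoc = false; // true once inserted into the document
    this.shadowRoot = null;     // the UA widget's shadow root, once attached
  }
}

// Reflow of the video frame assumes that an element in the composed doc
// already has its UA shadow root (otherwise stray child frames appear).
function flushLayout(video, log) {
  if (video.inComposedDoc && video.shadowRoot === null) {
    log.push(`reflow saw ${video.name} in doc without shadow root`);
  }
}

// Insert <video><marquee></marquee></video>. syncAttach=false: attach and
// event both happen in a script runner (the buggy order). syncAttach=true:
// attach at insertion time, post only the event (what the fix does).
function insertTree(syncAttach) {
  const video = new Elem("video");
  const marquee = new Elem("marquee");
  const runners = []; // script runners, executed FIFO when the update ends
  const log = [];
  // Per the commit message, the marquee's runnable is posted first.
  for (const el of [marquee, video]) {
    el.inComposedDoc = true;
    if (syncAttach) el.shadowRoot = { host: el };
    runners.push(() => {
      if (!syncAttach) el.shadowRoot = { host: el };
      log.push(`${el.name}: widget attached event`);
      // The marquee widget's setup flushes layout while the video's
      // runner is still queued behind it.
      if (el === marquee) flushLayout(video, log);
    });
  }

  // mozAutoDocUpdate ends, the script blocker is removed, runners execute.
  for (const run of runners) run();
  return log;
}

// True if reflow ever observed the inconsistent state.
function sawInconsistentState(syncAttach) {
  return insertTree(syncAttach).some((l) => l.includes("without shadow root"));
}
```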

What is going on is that the bit that is supposed to attach the shadow root is still in the script runner list, but the marquee widget flushes layout at that point and causes us to mess stuff up.

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8323b7bb5e1a
Ensure UA widgets are attached and detached synchronously. r=smaug
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0a3bb5c46698
Ensure UA widgets are attached and detached synchronously. r=smaug
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200725094010-3ad2fc2915b1.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Flags: in-testsuite? → in-testsuite+
Regressions: 1655983