crash at null in [@ nsIFrame::ChildLists]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | wontfix |
| firefox79 | --- | wontfix |
| firefox80 | --- | verified |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
Found with m-c 20200709-83895192ba27
==51858==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f28e0dadf4c bp 0x7ffdc67ca6f0 sp 0x7ffdc67ca6e0 T0)
==51858==The signal is caused by a READ memory access.
==51858==Hint: address points to the zero page.
#0 0x7f28e0dadf4b in nsIFrame::ChildLists() const /builds/worker/workspace/obj-build/dist/include/nsIFrame.h
#1 0x7f28e0f20909 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /gecko/layout/base/nsFrameManager.cpp:166:40
#2 0x7f28e0f20b77 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /gecko/layout/base/nsFrameManager.cpp:175:7
#3 0x7f28e0f1b27d in nsCSSFrameConstructor::CaptureStateForFramesOf(nsIContent*, nsILayoutHistoryState*) /gecko/layout/base/nsCSSFrameConstructor.cpp:8157:5
#4 0x7f28e0f1a339 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7421:7
#5 0x7f28e0e6e236 in mozilla::PresShell::DestroyFramesForAndRestyle(mozilla::dom::Element*) /gecko/layout/base/PresShell.cpp:2995:51
#6 0x7f28dc368b3a in mozilla::dom::Element::AttachShadowWithoutNameChecks(mozilla::dom::ShadowRootMode) /gecko/dom/base/Element.cpp:1088:20
#7 0x7f28dc3ecfb8 in operator() /gecko/dom/base/Element.cpp:1141:19
#8 0x7f28dc3ecfb8 in mozilla::detail::RunnableFunction<mozilla::dom::Element::AttachAndSetUAShadowRoot()::$_39>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#9 0x7f28dc04dd83 in nsContentUtils::RemoveScriptBlocker() /gecko/dom/base/nsContentUtils.cpp:5344:15
#10 0x7f28dc2fc4a8 in mozilla::dom::Document::EndUpdate() /gecko/dom/base/Document.cpp:7123:3
#11 0x7f28dbfbd8f6 in mozAutoDocUpdate::~mozAutoDocUpdate() /gecko/dom/base/mozAutoDocUpdate.h:34:18
#12 0x7f28dc5f1b8a in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:2696:1
#13 0x7f28dcd27540 in InsertBefore /gecko/dom/base/nsINode.h:1971:12
#14 0x7f28dcd27540 in AppendChild /gecko/dom/base/nsINode.h:1974:12
#15 0x7f28dcd27540 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:989:60
#16 0x7f28de0aa188 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3219:13
#17 0x7f28e4782d8b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:484:13
#18 0x7f28e4782d8b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:576:12
#19 0x7f28e4785028 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
#20 0x7f28e476c926 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:643:10
#21 0x7f28e476c926 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3332:16
#22 0x7f28e474dc41 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
#23 0x7f28e4782e6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
#24 0x7f28e4785028 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
#25 0x7f28e4785306 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
#26 0x7f28e4929100 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
#27 0x7f28ddc9f9ce in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#28 0x7f28de7a943d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#29 0x7f28de7a8e64 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1082:43
#30 0x7f28de7aa670 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
#31 0x7f28de7987cf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
#32 0x7f28de796f6d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
#33 0x7f28de79b4c6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
#34 0x7f28e0f39222 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1140:7
#35 0x7f28e3ac692c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6030:20
#36 0x7f28e3ac5b25 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5499:7
#37 0x7f28e3ac923f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
#38 0x7f28dad5a100 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1331:3
#39 0x7f28dad58fcc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:937:14
#40 0x7f28dad5554b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:757:9
#41 0x7f28dad57abd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:640:5
#42 0x7f28dad58b5c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp
#43 0x7f28d858c007 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:615:22
#44 0x7f28d858f217 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:522:10
#45 0x7f28dc322ddf in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:10751:18
#46 0x7f28dc2db657 in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:10683:9
#47 0x7f28dc2fdf94 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7319:3
#48 0x7f28dc3ca894 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#49 0x7f28dc3ca894 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#50 0x7f28dc3ca894 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#51 0x7f28d82902ed in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#52 0x7f28d829a879 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
#53 0x7f28d8296e08 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:495:24
#54 0x7f28d8294db2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
#55 0x7f28d82951f7 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:162:36
#56 0x7f28d82a6681 in operator() /gecko/xpcom/threads/TaskController.cpp:83:37
#57 0x7f28d82a6681 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#58 0x7f28d82cb73c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
#59 0x7f28d82d655c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#60 0x7f28d9687b4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#61 0x7f28d9565ac7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#62 0x7f28d9565ac7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#63 0x7f28d9565ac7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#64 0x7f28e095f608 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#65 0x7f28e450f8b6 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#66 0x7f28d9565ac7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#67 0x7f28d9565ac7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#68 0x7f28d9565ac7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#69 0x7f28e450ee9f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#70 0x55f40fdf8723 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#71 0x55f40fdf8723 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
Comment 1•5 years ago

Comment 2•5 years ago
mozregression says:

Given that the test has columns in it, and that push range turned on layout.css.column-span.enabled, I suspect multicol. TY, want to have a look?
Comment 3•5 years ago
I see assertions in nsVideoFrame::Reflow like the following before it crashes.

###!!! ASSERTION: Unexpected extra child frame in nsVideoFrame; skipping: 'Error',

That means we create an extra frame under nsVideoFrame. Why?

The script is trying to create a DOM tree like <audio><marquee></marquee></audio>. If we just write this DOM tree statically, the frame constructor won't create any frame for <marquee>, because HTMLAudioElement is marked as a shadow root when it is attached to the DOM tree. BUT, the script creates <marquee> before attaching <audio> to the DOM.

1) var x = document.createElement('audio');
2) x.innerHTML = '<marquee>';
3) document.documentElement.appendChild(x);

So the frame constructor still creates frames for <marquee> as <audio>'s children. That shouldn't happen. The proof is that if lines 2) and 3) are swapped above, the testcase won't crash. I wonder whether we can mark some DOM elements as shadow root sooner? Emilio, any ideas?
Comment 4•5 years ago (Assignee)
This changes the UA widget setup (again). What is going on in this test-case is that we have a marquee inside a video, two things that have their own UA widget. Given how the code is currently written, the runnable to attach and set up the marquee's widget is posted before the video one (which is potentially reasonable).

However, that means that the marquee one runs first and flushes layout, and catches the video in an inconsistent state (in the composed doc, but without a shadow root). That in turn messes up reflow because nsVideoFrame assumes stuff.

Rather than putting the attach / detach logic in script runners, just run that bit synchronously, and post only the event async. I audited the consumers of those events and it seems fine to me: they either already deal with the possibility of the shadow root being already detached or they don't care.

For teardown, none of the destructors of the UA widgets rely on the shadow root being still attached to the element.
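The ordering hazard described in comments 3 and 4 (two deferred widget-setup tasks, the first of which flushes layout and observes the second element connected but still without its shadow root) can be modelled outside Gecko. The following is an added example written for this page, not Gecko code: `Element`, `reflow`, `attachDeferred`, `attachSync` and `runScenario` are hypothetical stand-ins for the real frame constructor, UA widget runnables and layout flush. The element order (marquee first, then audio) follows the testcase in comment 3; the "before" and "after" attach strategies follow the change described in comment 4.

```javascript
// Added example modelling the UA-widget ordering bug; not Gecko code.
// All names here are hypothetical stand-ins for the real internals.

class Element {
  constructor(name) {
    this.name = name;
    this.connected = false;  // "in the composed doc"
    this.shadowRoot = null;  // UA widget shadow root, attached later
  }
}

// Stand-in for reflow: records every connected element that has no
// shadow root yet, which is the inconsistent state comment 4 describes.
function reflow(elements, log) {
  for (const el of elements) {
    if (el.connected && el.shadowRoot === null) {
      log.push(`inconsistent: ${el.name} is connected but has no shadow root`);
    }
  }
}

// "Before": the shadow root is attached inside the posted runnable, so
// until that runnable runs the element is connected without a shadow root.
function attachDeferred(el, queue, elements, log, flushesLayout) {
  queue.push(() => {
    el.shadowRoot = { host: el.name };
    if (flushesLayout) reflow(elements, log); // marquee widget setup flushes
    log.push(`event: ${el.name} widget attached`);
  });
}

// "After": attach the shadow root synchronously; only the notification
// event stays asynchronous, so a flush from another runnable sees a
// consistent element.
function attachSync(el, queue, elements, log, flushesLayout) {
  el.shadowRoot = { host: el.name };
  queue.push(() => {
    if (flushesLayout) reflow(elements, log);
    log.push(`event: ${el.name} widget attached`);
  });
}

// Runs one scenario with the given attach strategy and returns the log.
// Constructed input: a marquee and an audio element connected in that
// order, mirroring the testcase, with the marquee widget flushing layout.
function runScenario(attach) {
  const log = [];
  const queue = [];            // stand-in for the script-runner list
  const marquee = new Element('marquee');
  const audio = new Element('audio');
  const elements = [marquee, audio];

  marquee.connected = true;
  attach(marquee, queue, elements, log, true);
  audio.connected = true;
  attach(audio, queue, elements, log, false);

  while (queue.length) queue.shift()();  // drain the runnables in order
  return log;
}

function hasInconsistency(log) {
  return log.some((line) => line.startsWith('inconsistent'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('deferred attach:', runScenario(attachDeferred));
  console.log('synchronous attach:', runScenario(attachSync));
}
```

With `attachDeferred` the marquee runnable's flush finds the audio element connected but without a shadow root, which is the state the real `nsVideoFrame::Reflow` assertion and the later null-deref in `nsIFrame::ChildLists` grew out of; with `attachSync` both shadow roots exist before any runnable runs and the flush sees nothing inconsistent. The design point is the one comment 4 makes: state changes that other code may observe during a flush belong on the synchronous path, and only notifications should be deferred.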
Comment 5•5 years ago (Assignee)
What is going on is that the bit that is supposed to attach the shadow root is still in the script runner list, but the marquee widget flushes layout at that point and causes us to mess stuff up.
Comment 7•5 years ago
Backed out for mochitest failures on test_audiocontrols_dimensions.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/99616c0729ec7a21dc0c1bde523c9779b71a0af9
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310768537&repo=autoland&lineNumber=8114
Comment 8•5 years ago
Please also check:
- reftest failures on 449149-1b.html -> https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310768577&repo=autoland&lineNumber=8102
- bc failure on browser_keyboardShortcut.js -> https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310769159&repo=autoland&lineNumber=4540
Comment 10•5 years ago
bugherder
Comment 11•5 years ago