Closed
Bug 1655741
Opened 4 years ago
Closed 4 years ago
Assertion failure: frame, at /builds/worker/checkouts/gecko/dom/base/Element.cpp:860
Categories: Core :: DOM: Core & HTML (defect)
Tracking: VERIFIED FIXED, target milestone 81 Branch
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox79 | --- | unaffected
firefox80 | --- | wontfix
firefox81 | --- | verified
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:confirm], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev eba7e3ce9382 (built with --enable-debug). Testcase must be served over HTTP in order to reproduce.
Assertion failure: frame, at /builds/worker/checkouts/gecko/dom/base/Element.cpp:860
==10870==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8de89f9368 bp 0x7ffc80a24000 sp 0x7ffc80a23fa0 T10870)
==10870==The signal is caused by a WRITE memory access.
==10870==Hint: address points to the zero page.
#0 0x7f8de89f9367 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f8de89f9367 in mozilla::dom::Element::GetClientAreaRect() /builds/worker/checkouts/gecko/dom/base/Element.cpp:860:5
#2 0x7f8de9b1d6d2 in ClientHeight /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1310:35
#3 0x7f8de9b1d6d2 in mozilla::dom::Element_Binding::get_clientHeight(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3610:39
#4 0x7f8de9e48486 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3102:13
#5 0x7f8deccc1b11 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
#6 0x7f8deccc1389 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
#7 0x7f8deccc2e4f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#8 0x7f8deccc302f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
#9 0x7f8decdd34b7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
#10 0x7f8de7cac9fd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/dist/include/jsapi.h:1516:10
#11 0x7f8de7cac6a8 in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /builds/worker/checkouts/gecko/js/xpconnect/wrappers/XrayWrapper.cpp:2101:10
#12 0x7f8dece28877 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:372:19
#13 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
#14 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
#15 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
#16 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
#17 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
#18 0x7f8dece28902 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:368:14
#19 0x7f8dece285c7 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:380:10
#20 0x7f8deccc8a9f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
#21 0x7f8deccc7f0d in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4703:10
#22 0x7f8deccb3d72 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:218:10
#23 0x7f8deccad086 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
#24 0x7f8deccc12e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#25 0x7f8deccc2e4f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#26 0x7f8ded688fd7 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:2978:10
#27 0xff3b19a9092 (<unknown module>)
UndefinedBehaviorSanitizer can not provide additional info.
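The report above is the shape of output that fuzzing triage (the bugmon automation referenced in this bug's whiteboard) has to bucket before a human looks at it: pull out the assertion text, find the first frame that belongs to the product rather than to crash-reporting plumbing, and decide whether the SEGV is its own finding or just the assertion's abort. The following is an added example written for this page, not bugmon's or Mozilla's own triage code. It assumes that `AnnotateMozCrashReason` is a helper frame to skip, that paths under `/builds/worker/checkouts/gecko/` can be shortened for a stable signature, and that a write fault on the zero page directly after an assertion line is the assertion's own abort (MOZ_CRASH aborts by writing through a null pointer) rather than a separate memory-safety bug. The sample input is a constructed excerpt of this bug's report with frames #4 to #26 cut.

```python
"""Bucket a Gecko assertion/sanitizer report by its first meaningful frame.

Added example for this bug page, not bugmon's or Mozilla's own triage code.
The helper-frame list, the checkout prefix and the null-page heuristic are
assumptions of this example (see comments).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the report attached to this bug; frames #4-#26 are cut.
SAMPLE_REPORT = """\
Assertion failure: frame, at /builds/worker/checkouts/gecko/dom/base/Element.cpp:860
==10870==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8de89f9368 bp 0x7ffc80a24000 sp 0x7ffc80a23fa0 T10870)
==10870==The signal is caused by a WRITE memory access.
==10870==Hint: address points to the zero page.
    #0 0x7f8de89f9367 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f8de89f9367 in mozilla::dom::Element::GetClientAreaRect() /builds/worker/checkouts/gecko/dom/base/Element.cpp:860:5
    #2 0x7f8de9b1d6d2 in ClientHeight /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1310:35
    #3 0x7f8de9b1d6d2 in mozilla::dom::Element_Binding::get_clientHeight(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3610:39
    #27 0xff3b19a9092 (<unknown module>)
UndefinedBehaviorSanitizer can not provide additional info.
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+?), at (?P<file>[^\s:]+):(?P<line>\d+)$")
SAN_RE = re.compile(r"^==\d+==ERROR: (?P<tool>\w+Sanitizer): (?P<desc>.+)$")
ADDR_RE = re.compile(r"on unknown address (?P<addr>0x[0-9a-fA-F]+)")
# Function names may contain spaces and colons; the file path may not, which
# is what lets the non-greedy <func> group stop at the right place.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) "
                      r"(?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?$")
UNKNOWN_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ \(<unknown module>\)$")

# Assumption: crash-reporting plumbing that carries no bucketing information.
HELPER_FUNCS = {"AnnotateMozCrashReason"}
# Assumption: build checkout prefix, stripped so that signatures do not depend
# on the worker's directory layout.
CHECKOUT_PREFIX = "/builds/worker/checkouts/gecko/"


@dataclass
class Frame:
    index: int
    func: Optional[str]  # None when the frame is unsymbolized
    file: Optional[str]
    line: Optional[int]


@dataclass
class CrashReport:
    assertion: Optional[str] = None       # MOZ_ASSERT condition text
    assertion_site: Optional[str] = None  # file:line of the assertion
    tool: Optional[str] = None            # sanitizer that reported the fault
    description: Optional[str] = None
    fault_address: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)


def parse_report(text: str) -> CrashReport:
    rep = CrashReport()
    for line in text.splitlines():
        if m := ASSERT_RE.match(line):
            rep.assertion = m["cond"]
            rep.assertion_site = f"{m['file']}:{m['line']}"
        elif m := SAN_RE.match(line):
            rep.tool, rep.description = m["tool"], m["desc"]
            if a := ADDR_RE.search(m["desc"]):
                rep.fault_address = int(a["addr"], 16)
        elif m := FRAME_RE.match(line):
            rep.frames.append(Frame(int(m["idx"]), m["func"], m["file"], int(m["line"])))
        elif m := UNKNOWN_RE.match(line):
            rep.frames.append(Frame(int(m["idx"]), None, None, None))
    return rep


def is_assertion_abort(rep: CrashReport) -> bool:
    # MOZ_CRASH aborts by writing through a null pointer, so a write fault on
    # the zero page right after an assertion line is the assertion's own abort,
    # not an independent memory-safety finding.
    return rep.assertion is not None and rep.fault_address is not None and rep.fault_address < 0x1000


def crashing_frame(rep: CrashReport) -> Optional[Frame]:
    # First symbolized frame that is not crash-reporting plumbing.
    return next((f for f in rep.frames if f.func and f.func not in HELPER_FUNCS), None)


def short_path(path: str) -> str:
    return path[len(CHECKOUT_PREFIX):] if path.startswith(CHECKOUT_PREFIX) else path


def error_kind(desc: str) -> str:
    # Keep only the error class ("SEGV", "heap-use-after-free", ...).
    return re.split(r" (?:on|at) (?:unknown )?address ", desc, maxsplit=1)[0]


def signature(rep: CrashReport) -> str:
    if rep.assertion is not None:
        head = f"Assertion failure: {rep.assertion}"
    elif rep.tool is not None:
        head = f"{rep.tool}: {error_kind(rep.description)}"
    else:
        head = "<unclassified>"
    top = crashing_frame(rep)
    where = f"{top.func} ({short_path(top.file)}:{top.line})" if top else "<no symbolized frame>"
    return f"{head} @ {where}"


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(signature(report), "| assertion abort:", is_assertion_abort(report))
```

Run on the sample, the signature lands on `GetClientAreaRect()` at `dom/base/Element.cpp:860`, which is exactly the location in the bug title, and `is_assertion_abort` reports true, so the SEGV is filed as an assertion failure rather than a null dereference in its own right. Feeding it a sanitizer-only report (no assertion line) falls through to the sanitizer's error class, which is the other common bucket a fuzzing queue produces.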
Flags: in-testsuite?
Comment 2 (Assignee) • 4 years ago
There's no correctness issue here, but the assertion is just wrong. For the scrolling element we may get the root scrollable frame even though the primary frame is null.
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fc18fa1b110b
Don't assert that there's a primary frame as long as there's a scroll frame for the root scroll frame. r=mats
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/66666abbfefa
Add some metadata to the new test to appease wptlint.
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/24801 for changes under testing/web-platform/tests
Whiteboard: [bugmon:confirm] → [bugmon:confirm], [wptsync upstream]
Comment 6 (bugherder) • 4 years ago
https://hg.mozilla.org/mozilla-central/rev/fc18fa1b110b
https://hg.mozilla.org/mozilla-central/rev/66666abbfefa
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Updated (Reporter) • 4 years ago
Comment 7 (Reporter) • 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200730093956-0e4bc84faa30.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Updated • 4 years ago
status-firefox79: --- → unaffected
status-firefox80: --- → wontfix
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressed by: 1654769
Updated • 4 years ago
Has Regression Range: --- → yes
Updated • 4 years ago
Keywords: regression
Upstream PR merged by jgraham