Open
Bug 1668046
Opened 4 years ago
Updated 2 years ago
stack-overflow in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]
Categories
(Core :: Layout, defect)
Core
Layout
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:confirmed])
Attachments
(1 file, 1 obsolete file)
304 bytes, text/html
Testcase found while fuzzing mozilla-central rev 5f3283738794.
==13017==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffcc6577ff8 (pc 0x7f5de59c0b0f bp 0x7ffcc6578090 sp 0x7ffcc6578000 T13017)
#0 0x7f5de59c0b0f in operator nsIStatefulFrame *<nsIStatefulFrame> /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp
#1 0x7f5de59c0b0f in nsFrameManager::CaptureFrameStateFor(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:133:37
#2 0x7f5de59a9520 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:163:3
#3 0x7f5de59a960a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
#4 0x7f5de59a61fd in CaptureStateForFramesOf /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8193:5
#5 0x7f5de59a61fd in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7455:7
#6 0x7f5de59a6187 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7441:31
#7 0x7f5de599e92c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8567:7
#8 0x7f5de59a71f4 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp
SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp in operator nsIStatefulFrame *<nsIStatefulFrame>
==13017==ABORTING
Flags: in-testsuite?
Comment 1 (Reporter) • 4 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20200929153831-324ea565091e
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]
Comment 3•2 years ago
A Pernosco session is available here: https://pernos.co/debug/_e9b3a0W0V3h7u1god5x3Q/index.html
status-firefox104:
--- → wontfix
status-firefox105:
--- → wontfix
status-firefox106:
--- → affected
status-firefox-esr102:
--- → affected
status-firefox-esr91:
--- → wontfix
Updated•2 years ago
Severity: normal → S3
Comment 5•2 years ago
Simplifying bug summary to steal the clearer/more-concise summary from the dupe bug (bug 1753132). (The bug here isn't really that we're triggering undefined behavior, but rather that we're hitting a stack overflow.)
Summary: UndefinedBehaviorSanitizer: stack-overflow /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:163:3 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) → stack-overflow in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]