crash near null in [@ nsInlineFrame::ReflowFrames]
Categories
(Core :: Layout: Columns, defect, P3)
Tracking
()
People
(Reporter: tsmith, Assigned: TYLin)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr)
Attachments
(4 files)
==10544==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000000006d (pc 0x7f98f2d1c53c bp 0x7ffe4cc452e0 sp 0x7ffe4cc45250 T10544)
==10544==The signal is caused by a READ memory access.
==10544==Hint: address points to the zero page.
#0 0x7f98f2d1c53b in GetRealFrameFor src/layout/generic/nsPlaceholderFrame.h
#1 0x7f98f2d1c53b in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:517:29
#2 0x7f98f2d1bd53 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:365:3
#3 0x7f98f2d47b11 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:878:13
#4 0x7f98f2c45670 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4516:15
#5 0x7f98f2c44df9 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4318:5
#6 0x7f98f2c40e84 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4203:9
#7 0x7f98f2c3d6d0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3172:5
#8 0x7f98f2c385aa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2707:7
#9 0x7f98f2c34425 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1368:3
#10 0x7f98f2c5c370 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1076:14
#11 0x7f98f2c5db2e in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:701:7
#12 0x7f98f2c600aa in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:414:37
#13 0x7f98f2c600aa in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1257:37
#14 0x7f98f2c43b89 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:294:11
#15 0x7f98f2c3f9e8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3833:11
#16 0x7f98f2c3d776 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3169:5
#17 0x7f98f2c385aa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2707:7
#18 0x7f98f2c34425 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1368:3
#19 0x7f98f2c5c370 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1076:14
#20 0x7f98f2c5b6c6 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:749:5
#21 0x7f98f2c5c370 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1076:14
#22 0x7f98f2c9b5d5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:753:3
#23 0x7f98f2c9c057 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:877:3
#24 0x7f98f2c9fe0f in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1275:3
#25 0x7f98f2c29e28 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1116:14
#26 0x7f98f2c29989 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:297:7
#27 0x7f98f2b33cb1 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9636:11
#28 0x7f98f2b3d66e in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9809:24
#29 0x7f98f2b3cdd6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4239:11
#30 0x7f98effde9ab in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1412:5
#31 0x7f98effde9ab in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:10094:16
#32 0x7f98effde944 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:10090:22
#33 0x7f98ef6125ad in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:702:14
#34 0x7f98ef6137e8 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:640:5
#35 0x7f98ef61403c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#36 0x7f98ee33d4d6 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:615:22
#37 0x7f98ee33cbb0 in mozilla::net::nsLoadGroup::Cancel(nsresult) src/netwerk/base/nsLoadGroup.cpp:249:11
#38 0x7f98ef612058 in nsDocLoader::Stop() src/uriloader/base/nsDocLoader.cpp:253:36
#39 0x7f98ef611f91 in nsDocLoader::Stop() src/uriloader/base/nsDocLoader.cpp:251:3
#40 0x7f98f3b75d0a in Stop src/docshell/base/nsDocShell.h:207:25
#41 0x7f98f3b75d0a in nsDocShell::Stop(unsigned int) src/docshell/base/nsDocShell.cpp:4002:5
#42 0x7f98f3b9a67f in non-virtual thunk to nsDocShell::Stop(unsigned int) src/docshell/base/nsDocShell.cpp
#43 0x7f98efef6245 in nsGlobalWindowOuter::StopOuter(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5184:22
#44 0x7f98f0dc0b27 in mozilla::dom::Window_Binding::stop(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:2008:24
#45 0x7f98f1361aa3 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3227:13
#46 0x7f98f41e7581 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:507:13
#47 0x7f98f41e6cf2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:599:12
#48 0x7f98f41e88bf in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:664:10
#49 0x7f98f41dc268 in CallFromStack src/js/src/vm/Interpreter.cpp:668:10
#50 0x7f98f41dc268 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3336:16
#51 0x7f98f41d2ac3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:468:13
#52 0x7f98f41e6caf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:636:13
#53 0x7f98f41e88bf in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:664:10
#54 0x7f98f41e8a9f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:681:8
#55 0x7f98f42f7fe7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2831:10
#56 0x7f98f1086728 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
#57 0x7f98f1728a21 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
#58 0x7f98f1727b55 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#59 0x7f98f170b21e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1088:22
#60 0x7f98f170be73 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1279:17
#61 0x7f98f17018a4 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
#62 0x7f98f17018a4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#63 0x7f98f1700e41 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#64 0x7f98f1703969 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1058:11
#65 0x7f98f2ba5de6 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1087:7
#66 0x7f98f3ba2380 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6220:20
#67 0x7f98f3ba1dab in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5547:7
#68 0x7f98f3ba2dbf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#69 0x7f98ef614bac in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1331:3
#70 0x7f98ef6143ca in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:937:14
#71 0x7f98ef6127b8 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:757:9
#72 0x7f98ef6145ca in ChildDoneWithOnload /builds/worker/workspace/obj-build/dist/include/nsDocLoader.h:243:5
#73 0x7f98ef6145ca in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) src/uriloader/base/nsDocLoader.cpp:831:14
#74 0x7f98ef6127c3 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:759:9
#75 0x7f98ef6137e8 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:640:5
#76 0x7f98ef61403c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#77 0x7f98ee33d4d6 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:615:22
#78 0x7f98ee33e9d3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:522:10
#79 0x7f98effe18ef in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:10827:18
#80 0x7f98effc0830 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10757:9
#81 0x7f98effd0848 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7333:3
#82 0x7f98f00403e6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#83 0x7f98f00403e6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#84 0x7f98f00403e6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#85 0x7f98ee1a9422 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:146:20
#86 0x7f98ee1af114 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:242:16
#87 0x7f98ee1acedd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:512:26
#88 0x7f98ee1ac014 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:371:15
#89 0x7f98ee1ac1c7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:168:36
#90 0x7f98ee1b3b56 in operator() src/xpcom/threads/TaskController.cpp:83:37
#91 0x7f98ee1b3b56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#92 0x7f98ee1c6d68 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#93 0x7f98ee1cc73a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#94 0x7f98eeaf68ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#95 0x7f98eea677f3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#96 0x7f98eea6770d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#97 0x7f98eea6770d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#98 0x7f98f2876868 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#99 0x7f98f40a4e93 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#100 0x7f98eeaf76b7 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#101 0x7f98eea677f3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#102 0x7f98eea6770d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#103 0x7f98eea6770d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#104 0x7f98f40a4a6c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#105 0x5595489a109f in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#106 0x5595489a109f in main src/browser/app/nsBrowserApp.cpp:303:18
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/IrR2Jtpvvv_y3LIXcp6TYg/index.html
|
||
Comment 2•4 years ago
|
||
We may need a simplified test case for this crash. I mark this as S3 for now.
|
||
Comment 3•4 years ago
|
||
Seems similar to some issues Ting-Yu was looking at where we remove the placeholder frame from multicol reflow incorrectly, maybe a dupe?
|
Assignee | |
Comment 4•4 years ago
|
||
Can we have a test case for this?
|
|
Reporter | |
Comment 5•4 years ago
|
||
(In reply to Ting-Yu Lin [:TYLin] (UTC-7) from comment #4)
Can we have a test case for this?
Sorry I don't have a reliable or reduced test case to attach. Hopefully the Pernosco session can provide all the required information.
|
||
Comment 6•4 years ago
|
||
Here are a few assertions from the log in comment 1:
[Child 39022, Main Thread] WARNING: nsBlockFrame::CheckFloats: Explicit float list is out of sync with float cache: file /home/twsmith/code/mozilla-central/layout/generic/nsBlockFrame.cpp:7549
[Child 39022, Main Thread] ###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /home/twsmith/code/mozilla-central/layout/base/nsLayoutUtils.cpp:7249
[Child 39022, Main Thread] ###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame( aDestructRoot, placeholder)', file /home/twsmith/code/mozilla-central/layout/generic/nsIFrame.cpp:809
[Child 39022, Main Thread] ###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /home/twsmith/code/mozilla-central/layout/generic/nsPlaceholderFrame.h:186
So it looks like we destroy a float and leave its placeholder still in the tree, and then later crash when trying to access the OOF frame from via the placeholder. I think this is always a safe null-pointer crash.
We have a few existing bugs on the above assertions (with testcases), so fixing those would be a good first step.
For anyone that wants to debug the Pernosco run directly: I think the first warning above might be a good place to start (and then work backwards from there):
https://pernos.co/debug/IrR2Jtpvvv_y3LIXcp6TYg/index.html#f{m[AWvb,AA_,t[AZc,mG4_,f{e[AWvY,ayOG_,s{af3f/HJAA,b+w,oGwMd,uGm8h___
|
|
||
Comment 7•4 years ago
|
||
After debugging this a bit in Pernosco, it appears that the placeholder/float are already in separate columns from the start, i.e. before any reflows. So the frame constructor created it that way for some reason. Hmmm...
|
|
||
Comment 8•4 years ago
|
||
It appears nsCSSFrameConstructor::CreateIBSiblings is re-parenting the placeholder. The NS_FRAME_HAS_MULTI_COLUMN_ANCESTOR flag is true on aInitialInline, so we fall into this block of code:
https://searchfox.org/mozilla-central/rev/819be4899a92213abf121b449779ced662f2ce13/layout/base/nsCSSFrameConstructor.cpp#10939-10962
I guess we need to deal with the out-of-flows of any placeholder descendants around here somewhere?
|
|
Assignee | |
Comment 9•3 years ago
|
||
I agree with Mats's analysis in comment 7 and comment 8. I have patches to fix the problem in the frame constructor, and that can also fix bug 1674011.
|
|
Assignee | |
Comment 10•3 years ago
|
||
Extract a helper to consolidate the if-else-if logic dealing with float
containing block, and adapt the callers to use it rather than
PushFloatContainingBlock().
This patch shouldn't change the behavior.
Note: In ConstructTableCell(), !isBlock is equivalent to
ShouldSuppressFloatingOfDescendants(cellInnerFrame) since
nsMathMLmtdInnerFrame is of eMathML type, so it's OK to just call
MaybePushFloatContainingBlock().
|
|
Assignee | |
Comment 11•3 years ago
|
||
Before this patch, a floating containing block (block frame)'s float
descendants are added to its mFloatedList in
~nsFrameConstructorSaveState() after returning from ProcessChildren().
This patch delays that by avoiding calling
MaybePushFloatContainingBlock() in ProcessChildren(), and move the call
one level up to ProcessChildren()'s callers so that the float
descendants are parented to the block frame after leaving the callers.
This is similar to how we handle the scope of abspos containing block.
This surely adds burden to some of the ProcessChildren() callers, but it
also unified the float containing block scope for those callers
utilizing both ConstructFramesFromItemList() and ProcessChildren().
This doesn't change the behavior for now, but it is required by the next
part to correctly reparent the float descendants to the correct
non-column-span block continuations split by column-span wrappers.
Depends on D120103
|
|
Assignee | |
Comment 12•3 years ago
|
||
When we create a non-column-span continuations, we really should
reparent floats that were supposed to parent to aInitialBlock to the
continuations instead.
multicol-span-float-002.html exercises
nsCSSFrameConstructor::ConstructBlock() and multicol-span-float-003.html
exercises nsCSSFrameConstructor::CreateIBSiblings().
Without this patch, multicol-span-float-002.html and
multicol-span-float-003.html still pass, but they trigger
ASSERTION: nsBlockFrame::CheckFloats: Explicit float list is out of
sync with float cache
1524382.html used to trigger the above assertions. Now it's fixed.
Depends on D120104
|
|
Assignee | |
Comment 13•3 years ago
|
||
Call MaybePushFloatContainingBlock() before some of
ConstructFramesFromItemList()'s caller to enforce the invariant that a
float containing block candidate is handled before processing its
children. Most of them handle nsIFrame::eXULBox frame like nsMenuFrame
that forbid float descendants.
The assertion condition only requires us to call
MaybePushFloatContainingBlock() if aParentFrame forbids float
descendants or is a float containing block, because it is a waste if
aParentFrame has nothing to do with floats, e.g. aParentFrame is
nsInlineFrame or nsCanvasFrame.
Note: ProcessChildren() calls ConstructFramesFromItemList() internally,
so adding the assertion in ConstructFramesFromItemList() is sufficient.
Depends on D120105
|
||
Comment 14•3 years ago
|
||
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f2f7f48c0adb Part 1 - Add MaybePushFloatContainingBlock() method. r=emilio https://hg.mozilla.org/integration/autoland/rev/ad4077953dc7 Part 2 - Make ProcessChildren()'s callers responsible for calling MaybePushFloatContainingBlock(). r=emilio https://hg.mozilla.org/integration/autoland/rev/fa7249945de1 Part 3 - Reparent floats when creating non-column-span wrapper frames. r=emilio https://hg.mozilla.org/integration/autoland/rev/fcd0f45d98cd Part 4 - Add assertion to check a float containing block candidate is handled before processing its children. r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/29771 for changes under testing/web-platform/tests
|
||
Comment 16•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/f2f7f48c0adb
https://hg.mozilla.org/mozilla-central/rev/ad4077953dc7
https://hg.mozilla.org/mozilla-central/rev/fa7249945de1
https://hg.mozilla.org/mozilla-central/rev/fcd0f45d98cd
Upstream PR merged by moz-wptsync-bot
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Description
•