Bug 1703969 (Open, status NEW)
Assertion failure: mCurrent != mListLink (running past end), at src/layout/generic/nsLineBox.h:760
Opened 4 years ago, updated 4 years ago
Categories: Core :: Disability Access APIs (defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox89 | --- | affected |
People: Reporter tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:confirmed]
Attachments (1 file): 270 bytes, text/html
Found while fuzzing m-c 20210328-058997a8167d (--enable-debug --enable-fuzzing)
Assertion failure: mCurrent != mListLink (running past end), at src/layout/generic/nsLineBox.h:760
#0 0x7f2d8ca887bb in BuildTextRuns src/layout/generic/nsTextFrame.cpp
#1 0x7f2d8ca887bb in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2998:7
#2 0x7f2d8ca8e0e7 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) src/layout/generic/nsTextFrame.cpp:9896:20
#3 0x7f2d8d95c8ce in nsTextEquivUtils::AppendTextEquivFromTextContent(nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:129:46
#4 0x7f2d8d95c1de in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::LocalAccessible*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:187:9
#5 0x7f2d8d95bdf8 in nsTextEquivUtils::AppendFromAccessibleChildren(mozilla::a11y::LocalAccessible const*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:175:10
#6 0x7f2d8d95bc93 in nsTextEquivUtils::GetNameFromSubtree(mozilla::a11y::LocalAccessible const*, nsTSubstring<char16_t>&) src/accessible/base/nsTextEquivUtils.cpp:39:7
#7 0x7f2d8d98dc10 in mozilla::a11y::HTMLLabelAccessible::NativeName(nsTString<char16_t>&) const src/accessible/html/HTMLElementAccessibles.cpp:45:3
#8 0x7f2d8d9695dc in mozilla::a11y::LocalAccessible::Name(nsTString<char16_t>&) const src/accessible/generic/LocalAccessible.cpp:134:29
#9 0x7f2d8d9343e4 in mozilla::a11y::EventQueue::PushNameOrDescriptionChange(mozilla::a11y::LocalAccessible*) src/accessible/base/EventQueue.cpp:74:43
#10 0x7f2d8d93658a in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) src/accessible/base/NotificationController.cpp:184:9
#11 0x7f2d8d936bfb in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::LocalAccessible*, bool) src/accessible/base/EventTree.cpp:86:21
#12 0x7f2d8d970ff0 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) src/accessible/generic/DocAccessible.cpp:2260:6
#13 0x7f2d8d96cf36 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2289:5
#14 0x7f2d89b5ac49 in operator() src/dom/base/MutationObservers.cpp:170:3
#15 0x7f2d89b5ac49 in nsINode* ForEachAncestorObserver<mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool)::$_13>(nsINode*, mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool)::$_13&) src/dom/base/MutationObservers.cpp:65:9
#16 0x7f2d89b3e159 in Notify<IsRemoval::Yes, ShouldAssert::No, (lambda at src/dom/base/MutationObservers.cpp:170:3), (lambda at src/dom/base/MutationObservers.cpp:170:3)> src/dom/base/MutationObservers.cpp:95:19
#17 0x7f2d89b3e159 in mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool) src/dom/base/MutationObservers.cpp:174:5
#18 0x7f2d89ada991 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1854:7
#19 0x7f2d8b4043d7 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:493:20
#20 0x7f2d8c9f8270 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) src/layout/generic/nsIFrame.cpp:264:14
#21 0x7f2d8c8c95f8 in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() src/layout/generic/nsIFrame.h:719:9
#22 0x7f2d8c952247 in Destroy src/layout/generic/nsIFrame.h:737:3
#23 0x7f2d8c952247 in nsBlockFrame::DoRemoveOutOfFlowFrame(nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5910:13
#24 0x7f2d8c951edd in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5634:5
#25 0x7f2d8ca6d5b3 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:181:11
#26 0x7f2d8c96dfc2 in DestroyFramesFrom src/layout/generic/nsFrameList.cpp:51:12
#27 0x7f2d8c96dfc2 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:227:11
#28 0x7f2d8c9537e5 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:6303:20
#29 0x7f2d8c951cf2 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:543:5
#30 0x7f2d8c951cf2 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5618:5
#31 0x7f2d8c8a7c03 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7485:5
#32 0x7f2d8c89f80c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8457:7
#33 0x7f2d8c866bd4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1503:25
#34 0x7f2d8c86d99b in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3048:9
#35 0x7f2d8c847611 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3127:3
#36 0x7f2d8c847611 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4208:39
#37 0x7f2d8c810072 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2188:22
#38 0x7f2d8c81e780 in operator() src/layout/base/nsRefreshDriver.cpp:1463:25
#39 0x7f2d8c81e780 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#40 0x7f2d87e3b7df in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
#41 0x7f2d87e39d60 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
#42 0x7f2d87e38cc4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
#43 0x7f2d87e38e77 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
#44 0x7f2d87e3f376 in operator() src/xpcom/threads/TaskController.cpp:133:37
#45 0x7f2d87e3f376 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#46 0x7f2d87e5081d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1155:16
#47 0x7f2d87e56dda in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#48 0x7f2d8878bd36 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#49 0x7f2d886f63c3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#50 0x7f2d886f62dd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#51 0x7f2d886f62dd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#52 0x7f2d8c556e18 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#53 0x7f2d8ddc9e33 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#54 0x7f2d8878cc1c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#55 0x7f2d886f63c3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#56 0x7f2d886f62dd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#57 0x7f2d886f62dd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#58 0x7f2d8ddc9a03 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#59 0x556158e44fb6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x556158e44fb6 in main src/browser/app/nsBrowserApp.cpp:309:18
#61 0x7f2d9ce8b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#62 0x556158e22d5c in _start (/home/worker/builds/m-c-20210330160248-fuzzing-debug/firefox-bin+0x14d5c)
Flags: in-testsuite?
Comment 1 • 4 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20210408215439-970ef713fe58
mozilla-central 20210328213901-058997a8167d
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Whiteboard: [bugmon:confirmed]
Comment 2 (Reporter) • 4 years ago
This requires GNOME_ACCESSIBILITY=1. Not sure if this is the correct component or if it should be moved.
Comment 3 (Reporter) • 4 years ago
A Pernosco session is available here: https://pernos.co/debug/4G4vKbpuxsP5YvUpuLHmdw/index.html
Comment 4 • 4 years ago
Yeah, this is a11y code poking at the frame tree in a dangerous state.
Component: Layout: Block and Inline → Disability Access APIs
Updated • 4 years ago
Severity: -- → S4