Crash in [@ mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible]
Categories
(Core :: Layout, defect)
People
(Reporter: u608768, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/3b879e20-5a0e-4ea7-aa4f-873190210428
Reason: SIGSEGV /SEGV_ACCERR
Top 10 frames of crashing thread:
0 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible gfx/2d/BaseRect.h:277
1 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
2 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
3 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
4 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
5 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
6 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
7 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
8 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
9 libxul.so mozilla::PresShell::MarkFramesInSubtreeApproximatelyVisible layout/base/PresShell.cpp:5851
We've seen a number of these across all channels.
Comment 1•4 years ago
It looks to me like there is a garbage value somewhere inside nsIFrame::ChildLists().
@tsmith Is this stack at all known from fuzzing?
Comment 4•4 years ago
I fixed bug 1708007 - let's see if that makes this signature disappear...
Comment 5•4 years ago
I did a bit of investigation a couple of months ago. I don't think this is actually directly related to bug 1708007, but it's possible they may have a common fix.
Comment 6•4 years ago
MarkFramesInSubtreeApproximatelyVisible walks the full frame tree, so if there was any corruption in the frame tree that didn't cause us to crash closer to the actual point in time when the corruption was introduced, we would crash here.
Updated•3 years ago
Comment 7•3 years ago
Downgrading to S3, given low crash volume here (looks like it's gone down since earlier this year).
Updated•2 years ago