Closed Bug 1774450 Opened 2 years ago Closed 11 months ago

Crash [@ nsTableRowGroupFrame::SplitSpanningCells]

Product/Component: Core :: Layout: Tables (defect)
Platform: x86_64, Linux
Status: RESOLVED DUPLICATE of bug 1821177
Reporter: jkratzer; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev b1ed2fa50612 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build b1ed2fa50612 --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html

    ==131608==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8852be339 bp 0x7fff6f8a67d0 sp 0x7fff6f8a6510 T131608)
    ==131608==The signal is caused by a READ memory access.
    ==131608==Hint: address points to the zero page.
        #0 0x7fe8852be339 in nsTableRowGroupFrame::SplitSpanningCells(nsPresContext&, mozilla::ReflowInput const&, nsTableFrame&, nsTableRowFrame&, nsTableRowFrame&, bool, int, nsTableRowFrame*&, nsTableRowFrame*&, int&) /layout/tables/nsTableRowGroupFrame.cpp:981:29
        #1 0x7fe8852c0395 in nsTableRowGroupFrame::SplitRowGroup(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame*, nsReflowStatus&, bool) /layout/tables/nsTableRowGroupFrame.cpp:1297:15
        #2 0x7fe8852c07c3 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/tables/nsTableRowGroupFrame.cpp:1401:5
        #3 0x7fe8850fb595 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #4 0x7fe8852a48a3 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, mozilla::OverflowAreas&) /layout/tables/nsTableFrame.cpp:2908:7
        #5 0x7fe8852a2889 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /layout/tables/nsTableFrame.cpp:1961:3
        #6 0x7fe8852a199b in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/tables/nsTableFrame.cpp:1747:5
        #7 0x7fe8850fb595 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #8 0x7fe8852c7562 in nsTableWrapperFrame::ReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /layout/tables/nsTableWrapperFrame.cpp:848:21
        #9 0x7fe8852c8236 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/tables/nsTableWrapperFrame.cpp:980:3
        #10 0x7fe8850e7a07 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #11 0x7fe8850e3824 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3906:11
        #12 0x7fe8850e0fc6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3256:5
        #13 0x7fe8850db327 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2783:7
        #14 0x7fe8850d69a6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1415:3
        #15 0x7fe8850fb595 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #16 0x7fe8850fa63d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:791:7
        #17 0x7fe8850cb456 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #18 0x7fe8852084c1 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:74:5
        #19 0x7fe8850cb456 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #20 0x7fe88520a9d2 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:186:3
        #21 0x7fe88520b2a0 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:209:13
        #22 0x7fe8850fb595 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #23 0x7fe8850a8724 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:132:5
        #24 0x7fe8850cb456 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #25 0x7fe88520ecfd in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:370:5
        #26 0x7fe8850fb595 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #27 0x7fe8850fa63d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:791:7
        #28 0x7fe8850cb456 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #29 0x7fe8850cac1a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #30 0x7fe884fc8cc5 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9615:11
        #31 0x7fe884fd2e6f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9786:24
        #32 0x7fe884fd22b4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4358:11
        #33 0x7fe8854463c5 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /layout/printing/nsPrintJob.cpp:1398:14
        #34 0x7fe88544589a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /layout/printing/nsPrintJob.cpp:975:3
        #35 0x7fe885442a47 in nsPrintJob::InitPrintDocConstruction(bool) /layout/printing/nsPrintJob.cpp:1014:5
        #36 0x7fe8854418ec in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document*) /layout/printing/nsPrintJob.cpp:469:3
        #37 0x7fe885442c45 in CommonPrint /layout/printing/nsPrintJob.cpp:352:17
        #38 0x7fe885442c45 in nsPrintJob::Print(mozilla::dom::Document*, nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*) /layout/printing/nsPrintJob.cpp:479:10
        #39 0x7fe88504f592 in nsDocumentViewer::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*) /layout/base/nsDocumentViewer.cpp:2937:18
        #40 0x7fe8817731f4 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5250:24
        #41 0x7fe8844c1331 in mozilla::dom::BrowserChild::RecvPrint(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::embedding::PrintData const&) /dom/ipc/BrowserChild.cpp:2530:18
        #42 0x7fe8845c4ced in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:7624:80
        #43 0x7fe88463ac93 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8475:32
        #44 0x7fe880b0b9d1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1781:25
        #45 0x7fe880b08525 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1706:9
        #46 0x7fe880b090c6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1506:3
        #47 0x7fe880b0a451 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1604:14
        #48 0x7fe87ff517ee in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
        #49 0x7fe87ff2c1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
        #50 0x7fe87ff2ad73 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
        #51 0x7fe87ff2afe3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
        #52 0x7fe87ff54fe9 in operator() /xpcom/threads/TaskController.cpp:127:37
        #53 0x7fe87ff54fe9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #54 0x7fe87ff40a4f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #55 0x7fe87ff4704d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #56 0x7fe8817759cc in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #57 0x7fe881773279 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5272:5
        #58 0x7fe881771af3 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5071:3
        #59 0x7fe885047b25 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1172:43
        #60 0x7fe886649384 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6436:20
        #61 0x7fe886648e35 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5828:7
        #62 0x7fe886649cbf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #63 0x7fe880e0a5ec in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #64 0x7fe880e09b2a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #65 0x7fe880e07de1 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #66 0x7fe880e08fc8 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #67 0x7fe88666aa7d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13824:23
        #68 0x7fe880126240 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #69 0x7fe880127753 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #70 0x7fe8818e6fbd in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11668:18
        #71 0x7fe8818b16ef in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11606:9
        #72 0x7fe8818cd89b in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8141:3
        #73 0x7fe88197e35b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #74 0x7fe88197e35b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #75 0x7fe88197e35b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #76 0x7fe87ff22112 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #77 0x7fe87ff517ee in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
        #78 0x7fe87ff2c1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
        #79 0x7fe87ff2ad73 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
        #80 0x7fe87ff2afe3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
        #81 0x7fe87ff54f76 in operator() /xpcom/threads/TaskController.cpp:124:37
        #82 0x7fe87ff54f76 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #83 0x7fe87ff40a4f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #84 0x7fe87ff4704d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #85 0x7fe880b11456 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #86 0x7fe880a38637 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #87 0x7fe880a38542 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #88 0x7fe880a38542 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #89 0x7fe884c7cf38 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #90 0x7fe886dabd3b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #91 0x7fe880b1234a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #92 0x7fe880a38637 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #93 0x7fe880a38542 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #94 0x7fe880a38542 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #95 0x7fe886dab35c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #96 0x55abf0fb5f70 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #97 0x55abf0fb5f70 in main /browser/app/nsBrowserApp.cpp:338:18
        #98 0x7fe89650e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #99 0x55abf0f8bd1c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15d1c) (BuildId: b2d1bcdab58cde437345acb5b623f21a6c1d4685)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/tables/nsTableRowGroupFrame.cpp:981:29 in nsTableRowGroupFrame::SplitSpanningCells(nsPresContext&, mozilla::ReflowInput const&, nsTableFrame&, nsTableRowFrame&, nsTableRowFrame&, bool, int, nsTableRowFrame*&, nsTableRowFrame*&, int&)
    ==131608==ABORTING
Attached file Testcase

Table-printing interaction it seems.
Assert hit prior to crash:

[Child 1795028, Main Thread] ###!!! ASSERTION: invalid continued row: 'Error', file /home/dshin/mozilla-unified/layout/tables/nsTableRowGroupFrame.cpp:1068

https://searchfox.org/mozilla-central/source/layout/tables/nsTableRowGroupFrame.cpp#1068

Severity: -- → S2

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220615214908-0e44540919cd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: b7d44f6d500311bc4f0f889dbd924f790368ca5b (20210617042731)
End: b1ed2fa50612451f8f39fc84c5f64af62cf7fe3a (20220615093700)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Looks like a safe crash (null deref), and the fuzzer testcase looks pretty hairy; hopefully unlikely to be hit by real-world content.

I'll try to take a look soon & see what we can do here, though. [ni=me]

Severity: S2 → S3
Flags: needinfo?(dholbert)
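
An added example, not part of the bug report or of Mozilla's tooling: a small triage parser for the sanitizer header in the report above, separating a near-null read like this crash from faults that warrant a closer security look. The 4 KiB near-null limit, the function names and the labels are assumptions of this example.

```python
import re

# Constructed sample: header lines and frame #0 copied from the report above;
# the remaining frames are omitted.
SAMPLE_REPORT = (
    "==131608==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address "
    "0x000000000000 (pc 0x7fe8852be339 bp 0x7fff6f8a67d0 sp 0x7fff6f8a6510 T131608)\n"
    "==131608==The signal is caused by a READ memory access.\n"
    "==131608==Hint: address points to the zero page.\n"
    "    #0 0x7fe8852be339 in nsTableRowGroupFrame::SplitSpanningCells("
    "nsPresContext&, mozilla::ReflowInput const&, nsTableFrame&, nsTableRowFrame&, "
    "nsTableRowFrame&, bool, int, nsTableRowFrame*&, nsTableRowFrame*&, int&) "
    "/layout/tables/nsTableRowGroupFrame.cpp:981:29\n"
)

HEADER_RE = re.compile(
    r"==\d+==ERROR: (\w+): (\w+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(
    r"The signal is caused by a (READ|WRITE|UNKNOWN) memory access")
# The file path is matched without colons so that ":line:col" is split correctly.
FRAME0_RE = re.compile(
    r"^\s*#0 0x[0-9a-fA-F]+ in (.+) ([^\s:]+):(\d+)(?::\d+)?\s*$", re.M)

# Assumption: a fault inside the first page (4 KiB) is a null-pointer dereference.
NEAR_NULL_LIMIT = 0x1000


def parse_report(text):
    """Extract the fields needed for triage from a sanitizer SEGV report."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no sanitizer SEGV header found")
    access = ACCESS_RE.search(text)
    frame = FRAME0_RE.search(text)
    return {
        "sanitizer": header.group(1),
        "signal": header.group(2),
        "address": int(header.group(3), 16),
        "access": access.group(1) if access else "UNKNOWN",
        # Drop the argument list so the name matches the "[@ ...]" crash signature.
        "signature": frame.group(1).split("(", 1)[0] if frame else None,
        "location": f"{frame.group(2)}:{frame.group(3)}" if frame else None,
    }


def triage(report):
    """Label the fault by address range and access type."""
    near_null = report["address"] < NEAR_NULL_LIMIT
    prefix = "near-null" if near_null else "non-null"
    return f"{prefix} {report['access'].lower()}"


def needs_security_review(label):
    """Assumption: only a near-null READ is treated as a plain crash."""
    return label != "near-null read"


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    label = triage(parsed)
    print(parsed["signature"], parsed["location"], label,
          "review" if needs_security_review(label) else "crash-only")
```
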

Testcase crashes using the initial build (mozilla-central 20220615093700-b1ed2fa50612) but not with tip (mozilla-central 20230512180301-33f0079fba2d.)

The bug appears to have been fixed in the following build range:

Start: 71c51c79a738c48f1c7815199d5e2f585e341c3d (20230511170707)
End: cce3ffe7bdf80ecd6a3918fb59be3857304e2712 (20230511180626)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=71c51c79a738c48f1c7815199d5e2f585e341c3d&tochange=cce3ffe7bdf80ecd6a3918fb59be3857304e2712

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(dholbert) → needinfo?(jkratzer)
Keywords: bugmon

Looks to be fixed by bug 1821177!

Status: NEW → RESOLVED
Closed: 11 months ago
Duplicate of bug: 1821177
Flags: needinfo?(jkratzer)
Resolution: --- → DUPLICATE