Closed Bug 1856629 Opened 1 year ago Closed 1 year ago

Crash in [@ nsCOMPtr<T>::get | nsCOMPtr<T>::operator nsIContent* | nsIFrame::GetContent]

Categories

(Core :: Layout: Text and Fonts, defect)

Firefox 120
Unspecified
Windows 10
defect

Tracking

()

RESOLVED FIXED
120 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 --- unaffected
firefox120 --- fixed

People

(Reporter: calixte, Assigned: jfkthame, NeedInfo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/738831d8-9f23-4aba-a295-75b880231002

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsCOMPtr<nsIContent>::get const  xpcom/base/nsCOMPtr.h:751
0  xul.dll  nsCOMPtr<nsIContent>::operator nsIContent* const  xpcom/base/nsCOMPtr.h:759
0  xul.dll  nsIFrame::GetContent const  layout/generic/nsIFrame.h:740
0  xul.dll  nsBlockFrame::Reflow::<lambda_0>::operator const  layout/generic/nsBlockFrame.cpp:1495
0  xul.dll  nsBlockFrame::Reflow::<lambda_0>::operator const  layout/generic/nsBlockFrame.cpp:1570
0  xul.dll  nsBlockFrame::Reflow  layout/generic/nsBlockFrame.cpp:1596
1  xul.dll  nsContainerFrame::ReflowChild  layout/generic/nsContainerFrame.cpp:889
2  xul.dll  nsHTMLScrollFrame::ReflowScrolledFrame  layout/generic/nsGfxScrollFrame.cpp:939
3  xul.dll  nsHTMLScrollFrame::ReflowContents  layout/generic/nsGfxScrollFrame.cpp:1072
3  xul.dll  nsHTMLScrollFrame::Reflow  layout/generic/nsGfxScrollFrame.cpp:1509

There is 1 crash in nightly 120 with buildid 20231001214422. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1731541.

[1] https://hg.mozilla.org/mozilla-central/rev?node=8c9ba927121c

Flags: needinfo?(jfkthame)

Set release status flags based on info from the regressing bug 1731541

Looks like maybe iter->mFirstChild is null here, and we need a null check at some level maybe?
https://hg.mozilla.org/mozilla-central/file/1abb269d873e8bda2c0fa1b4f26f481c89584ca6/layout/generic/nsBlockFrame.cpp#l1495

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ee60a98b1285 More careful null-checking in nsBlockFrame::Reflow. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch