Closed Bug 857841 Opened 12 years ago Closed 12 years ago

SEGV crash in nsFrame::BoxReflow

Categories

(Core :: Layout, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 851396

People

(Reporter: mwobensmith, Assigned: dholbert)

References

Details

(Whiteboard: [asan])

Surfaced by 848237. Use bug files for that bug to reproduce: https://bugzilla.mozilla.org/attachment.cgi?id=721757

Requires ASan build and environment variable ASAN_OPTIONS=strict_memcmp=0:alloc_dealloc_mismatch=0

Crash seems to occur on or around m-c 2013-02-28.

==6471== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000034 (pc 0x00010450c1e0 sp 0x7fff5fbe5800 bp 0x7fff5fbe5eb0 T0)
AddressSanitizer can not provide additional info.
    #0 0x10450c1df in nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, nsHTMLReflowMetrics&, nsRenderingContext*, int, int, int, int, bool) (in XUL) + 3695
    #1 0x10450d807 in nsFrame::DoLayout(nsBoxLayoutState&) (in XUL) + 583
    #2 0x10480b80c in nsIFrame::Layout(nsBoxLayoutState&) (in XUL) + 236
    #3 0x104812386 in nsBoxFrame::LayoutChildAt(nsBoxLayoutState&, nsIFrame*, nsRect const&) (in XUL) + 406
    #4 0x10461fbce in nsVideoFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 4206
    #5 0x104583ad8 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) (in XUL) + 3192
    #6 0x1044ac828 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) (in XUL) + 360
    #7 0x1044ab3a1 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) (in XUL) + 1857
    #8 0x1044a8e92 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 1298
    #9 0x1044a413e in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 478
    #10 0x10449db28 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (in XUL) + 4072
    #11 0x104499d61 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 2081
    #12 0x1044c1a97 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (in XUL) + 1399
    #13 0x1044a7171 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 4193
    #14 0x1044a40e8 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 392
    #15 0x10449db28 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (in XUL) + 4072
    #16 0x104499d61 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 2081
    #17 0x1044c1a97 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (in XUL) + 1399
    #18 0x1044a7171 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 4193
    #19 0x1044a40e8 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (in XUL) + 392
    #20 0x10449db28 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (in XUL) + 4072
    #21 0x104499d61 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 2081
    #22 0x1044d9f5f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (in XUL) + 399
    #23 0x10455225b in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 1723
    #24 0x1044d9f5f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (in XUL) + 399
    #25 0x104530c5d in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) (in XUL) + 2349
    #26 0x10453180a in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) (in XUL) + 314
    #27 0x104532e6e in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 1614
    #28 0x1044d9f5f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (in XUL) + 399
    #29 0x104610a30 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (in XUL) + 864
    #30 0x1043f4613 in PresShell::DoReflow(nsIFrame*, bool) (in XUL) + 2899
    #31 0x1043ff692 in PresShell::ProcessReflowCommands(bool) (in XUL) + 562
    #32 0x1043ff106 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) (in XUL) + 2406
    #33 0x1043fe74c in PresShell::FlushPendingNotifications(mozFlushType) (in XUL) + 204
    #34 0x1049cf460 in nsDocument::FlushPendingNotifications(mozFlushType) (in XUL) + 1744
    #35 0x104a302de in mozilla::dom::Element::GetPrimaryFrame(mozFlushType) (in XUL) + 78
    #36 0x104a3027d in mozilla::dom::Element::GetStyledFrame() (in XUL) + 13
    #37 0x104a30725 in mozilla::dom::Element::GetScrollFrame(nsIFrame**) (in XUL) + 85
    #38 0x104a312b0 in mozilla::dom::Element::GetClientAreaRect() (in XUL) + 160
    #39 0x104a4b747 in mozilla::dom::Element::ClientWidth() (in XUL) + 119
    #40 0x106930bf0 in mozilla::dom::ElementBinding::get_clientWidth(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) (in XUL) + 16
    #41 0x10692b986 in mozilla::dom::ElementBinding::genericGetter(JSContext*, unsigned int, JS::Value*) (in XUL) + 934
    #42 0x10815b75b in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 955
    #43 0x1083373e1 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (in XUL) + 65
    #44 0x10815c971 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 1089
    #45 0x10815e3de in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 254
    #46 0x10823121b in js::BaseProxyHandler::get(JSContext*, JSObject*, JSObject*, jsid, JS::Value*) (in XUL) + 1003
    #47 0x105c722fb in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JSObject*, JSObject*, jsid, JS::Value*) (in XUL) + 11
    #48 0x10824fee2 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (in XUL) + 1410
    #49 0x108254f88 in proxy_GetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (in XUL) + 8
    #50 0x107f8ef0a in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (in XUL) + 250
    #51 0x108171f4e in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) (in XUL) + 2350
    #52 0x10813ef8b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (in XUL) + 37019
    #53 0x108135c57 in js::RunScript(JSContext*, js::StackFrame*) (in XUL) + 1223
    #54 0x10815b8d1 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 1329
    #55 0x1083373e1 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (in XUL) + 65
    #56 0x10815c971 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 1089
    #57 0x107f7ed26 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) (in XUL) + 678
    #58 0x104fb60e8 in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*) (in XUL) + 1512
    #59 0x104fd8660 in nsBindingManager::ProcessAttachedQueue(unsigned int) (in XUL) + 336
    #60 0x1043feef4 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) (in XUL) + 1876
    #61 0x1043fe74c in PresShell::FlushPendingNotifications(mozFlushType) (in XUL) + 204
    #62 0x1049cf460 in nsDocument::FlushPendingNotifications(mozFlushType) (in XUL) + 1744
    #63 0x104a9513e in nsObjectLoadingContent::InstantiatePluginInstance(bool) (in XUL) + 1070
    #64 0x104a9f301 in nsObjectLoadingContent::SyncStartPluginInstance() (in XUL) + 289
    #65 0x106e4f6eb in nsThread::ProcessNextEvent(bool, bool*) (in XUL) + 2139
    #66 0x106d908fe in NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (in XUL) + 254
    #67 0x1062f4e83 in nsBaseAppShell::NativeEventCallback() (in XUL) + 451
    #68 0x106270aca in nsAppShell::ProcessGeckoEvents(void*) (in XUL) + 490
    #69 0x7fff87abfb30 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #70 0x7fff87abf454 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #71 0x7fff87ae27f4 in __CFRunLoopRun (in CoreFoundation) + 788
    #72 0x7fff87ae20e1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #73 0x7fff89f08eb3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #74 0x7fff89f08b93 in ReceiveNextEventCommon (in HIToolbox) + 165
    #75 0x7fff89f08ae2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #76 0x7fff8348e562 in _DPSNextEvent (in AppKit) + 684
    #77 0x7fff8348de21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #78 0x10626f315 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in XUL) + 245
    #79 0x7fff834851d2 in -[NSApplication run] (in AppKit) + 516
    #80 0x1062716a9 in nsAppShell::Run() (in XUL) + 185
    #81 0x105e23e07 in nsAppStartup::Run() (in XUL) + 311
    #82 0x103be316f in XREMain::XRE_mainRun() (in XUL) + 4287
    #83 0x103be4127 in XREMain::XRE_main(int, char**, nsXREAppData const*) (in XUL) + 599
    #84 0x103be45e2 in XRE_main (in XUL) + 146
    #85 0x1000026f8 in 0x2000026f8
    #86 0x10000190d in 0x20000190d
    #87 0x100000e93 in 0x200000e93
    #88 0x1 in 0x0000000100000001 (in firefox-bin)
==6471== ABORTING
WFM, using a local ASan debug build on Linux64. (Adobe Flash 11.2 r202)
I hit this on an ASan opt x64 build (with the default config in the wiki) on:
* r125373 (Feb 25 19:28:07 2013 +0800)
* r124746 (Mar 10 18:38:57 2013 -0400)
... using Clang r176408, Flash 11.2.202.275, Ubuntu 12.04, ASAN_OPTIONS=strict_memcmp=0:alloc_dealloc_mismatch=0.

I didn't hit it on r126001 nor trunk, so it may not show up in every rev or might be fixed now.
I can reproduce it in rev 124746 too, and I see this assert before crashing:

ASSERTION: A box layout method was called but InitBoxMetrics was never called: 'metrics', file layout/generic/nsFrame.cpp, line 8089

That assertion also occurred in bug 844529 comment 0, which landed 2013-02-27. A regression from that bug is reported in bug 847211. Given that our test here has 'test1.style.display = "inline-flex";' I'm guessing it's related to those bugs. But as I said, I can't reproduce in current m-c trunk.
Assignee: nobody → dholbert
Depends on: 847211
Yup, this is almost certainly a dupe of bug 851396, which was fixed on 3/22. Any <video controls> element with "display: flex" or "display:inline-flex" can be expected to hit that bug's assertions & crash, in un-patched builds. This is just a fancy testcase that ends up applying that style to a <video controls> element and triggering the crash.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security