Closed Bug 897883 Opened 11 years ago Closed 2 years ago

SEGV in nsCellMapColumnIterator::GetNextFrame

Categories

(Core :: Layout: Tables, defect)

Tracking

RESOLVED WORKSFORME

People

(Reporter: attekett, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos][qa-not-actionable])

Attachments

(2 files)

Attached file Repro-file
Tested on:

OS: Ubuntu 12.04

Firefox:
ASAN opt-build from: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1374487346/

ASAN debug-build from: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1374487346/

Opt-build ASAN-report:

ASAN:SIGSEGV
=================================================================
==9664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000180001 (pc 0x7f57749660a3 sp 0x7fff4d946e20 bp 0x7fff4d946f30 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f57749660a2 in nsCellMapColumnIterator::GetNextFrame(int*, int*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/tables/nsCellMap.cpp:2877
    #1 0x7f577494daf2 in BasicTableLayoutStrategy::ComputeColumnIntrinsicWidths(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/tables/BasicTableLayoutStrategy.cpp:316
    #2 0x7f577494cc75 in BasicTableLayoutStrategy::ComputeIntrinsicWidths(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/tables/BasicTableLayoutStrategy.cpp:432
    #3 0x7f577494cc24 in BasicTableLayoutStrategy::GetMinWidth(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/tables/BasicTableLayoutStrategy.cpp:44
    #4 0x7f5774991d8b in nsTableFrame::TableShrinkWidthToFit(nsRenderingContext*, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/tables/nsTableFrame.cpp:1521
    #5 0x7f57745e516d in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/layout/generic/nsFrame.cpp:3818
.
.
.


Debug-build ASAN-report:

###!!! ASSERTION: Must have usable originating data here: 'cellFrame', file /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/nsCellMap.cpp, line 2876
ASAN:SIGSEGV
=================================================================
==9541==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6642a814ef sp 0x7fffc4d71880 bp 0x7fffc4d71990 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f6642a814ee in nsCellMapColumnIterator::GetNextFrame(int*, int*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/nsCellMap.cpp:2877
    #1 0x7f6642a6ff56 in BasicTableLayoutStrategy::ComputeColumnIntrinsicWidths(nsRenderingContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/BasicTableLayoutStrategy.cpp:316
    #2 0x7f6642a6f6e8 in BasicTableLayoutStrategy::ComputeIntrinsicWidths(nsRenderingContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/BasicTableLayoutStrategy.cpp:432
    #3 0x7f6642a6f660 in BasicTableLayoutStrategy::GetMinWidth(nsRenderingContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/BasicTableLayoutStrategy.cpp:44
    #4 0x7f6642a9f08d in nsTableFrame::TableShrinkWidthToFit(nsRenderingContext*, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/nsTableFrame.cpp:1521
    #5 0x7f6642a9f1a4 in nsTableFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/tables/nsTableFrame.cpp:1552
.
.
.
The patches in bug 862624 make the test not crash, so it's likely a dupe.

It's a harmless null-pointer crash in a Linux64 debug build:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff276f525 in nsCellMapColumnIterator::GetNextFrame
2877          int32_t rowSpan = cellFrame->GetRowSpan();
(gdb)  p cellFrame
$1 = (nsTableCellFrame *) 0x0

Not sure if it's anything more interesting in an Opt build yet.
Assignee: nobody → matspal
Severity: normal → critical
Depends on: 862624
OS: Linux → All
Hardware: x86_64 → All
Same symptoms in a Linux64 Opt build.  This looks like a safe crash to me.
Group: core-security → layout-core-security
Group: layout-core-security
Keywords: sec-other
Whiteboard: [sg:dos]
Whiteboard: [sg:dos] → [sg:dos][qa-not-actionable]
Flags: in-testsuite?

The bug assignee didn't log in to Bugzilla in the last months and this bug has severity 'critical'.
:dholbert, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: MatsPalmgren_bugz → nobody
Flags: needinfo?(dholbert)
Severity: critical → S2

I'm not seeing a crash at this point, in either opt or debug build.

This was likely a dupe, per comment 1. I'll add a crashtest.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dholbert)
Resolution: --- → WORKSFORME
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dabbcb4b1434
Add crashtest for this no-longer-reproducible bug. (no review, crashtest-only)

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)
