Closed Bug 1346454 Opened 7 years ago Closed 5 years ago

Null deref [@ nsContainerFrame::RenumberFrameAndDescendants]

Categories

(Core :: Layout, defect, P3)

23 Branch
defect

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: truber, Assigned: MatsPalmgren_bugz)

Attachments

(4 files)

Attached file testcase.html (deleted) —
The attached test case crashes in mozilla-central rev 92c5b7bcd598.

==17367==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3989461d58 bp 0x7ffdcc141690 sp 0x7ffdcc141630 T0)
    #0 0x7f3989461d57 in nsContainerFrame::RenumberFrameAndDescendants(int*, int, int, bool) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1920:15
    #1 0x7f398942b2d5 in nsBlockFrame::RenumberChildFrames(int*, int, int, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7093:9
    #2 0x7f39893e06bf in nsContainerFrame::RenumberList() /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1859:10
    #3 0x7f39893e5a82 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1192:7
Flags: in-testsuite?
Attached file log.txt (deleted) —
Regression range:
INFO: Last good revision: 840cfd5bc971 (2015-03-24)
INFO: First bad revision: 5330c6f461a4 (2015-03-25)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=840cfd5bc971&tochange=5330c6f461a4

Fix range:
INFO: First good revision: d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e
INFO: Last bad revision: e6e712904806da25a9c8f48ea4533abe7c6ea8f4
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e6e712904806da25a9c8f48ea4533abe7c6ea8f4&tochange=d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e

Fixed by bug 1308876. NI myself to land a crashtest.
Assignee: nobody → dbaron
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ryanvm)
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Version: Trunk → 39 Branch
Depends on: 1308876
Flags: needinfo?(ryanvm)
Flags: in-testsuite? → in-testsuite+
Bah, this actually still fails intermittently. Backing out and reopening the bug :(
https://treeherder.mozilla.org/logviewer.html#?job_id=136236648&repo=try
Assignee: dbaron → nobody
Status: RESOLVED → REOPENED
Flags: in-testsuite+ → in-testsuite?
Resolution: FIXED → ---
Target Milestone: mozilla56 → ---
Backout by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f2b1253de1e6
Backed out changeset be4d5678923c for intermittent crashes.
Has Regression Range: --- → no
Attached file testcase2.html (deleted) —
Another simpler testcase.
Testcase #2 indeed does reproduce more reliably.

Regression range:
INFO: Last good revision: 179e29a23c56 (2013-05-11)
INFO: First bad revision: d68224f5325b (2013-05-12)
INFO: Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=179e29a23c56&tochange=d68224f5325b

Bug 828312 looks like the culprit. On builds from around the time of the initial regression, the crash is on a line touched by part 2 specifically.
Blocks: 828312
Crash Signature: [@ nsContainerFrame::RenumberFrameAndDescendants ]
Has Regression Range: no → yes
Version: 39 Branch → 23 Branch
While fuzzing Firefox 63.0.3 on Windows 10, I encountered this crash. I verified that it still happens in Firefox Nightly (Build ID 20181210095504):

=================================================================
==6620==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000000 (pc 0x7ffecd978dfc bp 0x0000000002a0 sp 0x0012f43f4920 T0)
==6620==The signal is caused by a READ memory access.
==6620==Hint: address points to the zero page.
    #0 0x7ffecd978dfb in nsContainerFrame::RenumberFrameAndDescendants(int *,int,int,bool) z:\build\build\src\layout\generic\nsContainerFrame.cpp:1795
    #1 0x7ffecd937885 in nsBlockFrame::RenumberChildFrames(int *,int,int,bool) z:\build\build\src\layout\generic\nsBlockFrame.cpp:6845
    #2 0x7ffecd8e4368 in nsContainerFrame::RenumberList(void) z:\build\build\src\layout\generic\nsContainerFrame.cpp:1734
    #3 0x7ffecd90e910 in nsBlockFrame::AttributeChanged(int,class nsAtom *,int) z:\build\build\src\layout\generic\nsBlockFrame.cpp:2996
    #4 0x7ffecd65b3b7 in mozilla::RestyleManager::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\layout\base\RestyleManager.cpp:3280
    #5 0x7ffecd65adc0 in mozilla::PresShell::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\layout\base\PresShell.cpp:4182
    #6 0x7ffec6c7787b in nsNodeUtils::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\dom\base\nsNodeUtils.cpp:157
    #7 0x7ffec68bada0 in mozilla::dom::Element::SetAttrAndNotify(int,class nsAtom *,class nsAtom *,class nsAttrValue const *,class nsAttrValue &,class nsIPrincipal *,unsigned char,bool,bool,bool,class nsIDocument *,class mozAutoDocUpdate const &) z:\build\build\src\dom\base\Element.cpp:2474
    #8 0x7ffec68b0f51 in mozilla::dom::Element::SetAttr(int,class nsAtom *,class nsAtom *,class nsTSubstring<UNKNOWN> const &,class nsIPrincipal *,bool) z:\build\build\src\dom\base\Element.cpp:2321
    #9 0x7ffec9defaf8 in mozilla::dom::HTMLLIElement_Binding::set_value z:\build\build\src\obj-firefox\dom\bindings\HTMLLIElementBinding.cpp:63
    #10 0x7ffeca34cf27 in mozilla::dom::binding_detail::GenericSetter<struct mozilla::dom::binding_detail::NormalThisPolicy>(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\dom\bindings\BindingUtils.cpp:3015
    #11 0x7ffed1a9a501 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:535
    #12 0x7ffed1aa064f in js::CallSetter(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:744
    #13 0x7ffed211fdd9 in SetExistingProperty z:\build\build\src\js\src\vm\NativeObject.cpp:2945
    #14 0x7ffed20e4f84 in js::NativeSetProperty<1>(struct JSContext *,class JS::Handle<class js::NativeObject *>,class JS::Handle<struct JS::PropertyKey>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::ObjectOpResult &) z:\build\build\src\js\src\vm\NativeObject.cpp:2974
    #15 0x7ffed1a6558b in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3098
    #16 0x7ffed1a5d80c in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:423
    #17 0x7ffed1a9ae4e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:563
    #18 0x7ffed1a9d365 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:590
    #19 0x7ffed1a9d596 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:606
    #20 0x7ffed2645cca in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2651
    #21 0x7ffec950848f in mozilla::dom::EventHandlerNonNull::Call(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:265
    #22 0x7ffecabf443e in mozilla::dom::EventHandlerNonNull::Call<class nsISupports *>(class nsISupports * const &,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &,char const *,enum mozilla::dom::CallbackObject::ExceptionHandling,class JS::Realm *) z:\build\build\src\obj-firefox\dist\include\mozilla\dom\EventHandlerBinding.h:363
    #23 0x7ffecabf14de in mozilla::JSEventHandler::HandleEvent(class mozilla::dom::Event *) z:\build\build\src\dom\events\JSEventHandler.cpp:205
    #24 0x7ffecabb07bf in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1044
    #25 0x7ffecabb27c5 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *,bool) z:\build\build\src\dom\events\EventListenerManager.cpp:1238
    #26 0x7ffecab950e2 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:346
    #27 0x7ffecab9332a in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:548
    #28 0x7ffecab98a90 in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:1038
    #29 0x7ffecd769577 in nsDocumentViewer::LoadComplete(enum nsresult) z:\build\build\src\layout\base\nsDocumentViewer.cpp:1102
    #30 0x7ffed0b486cd in nsDocShell::EndPageLoad(class nsIWebProgress *,class nsIChannel *,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:6726
    #31 0x7ffed0b439ba in nsDocShell::OnStateChange(class nsIWebProgress *,class nsIRequest *,unsigned int,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:6525
    #32 0x7ffec5166779 in nsDocLoader::DoFireOnStateChange(class nsIWebProgress * const,class nsIRequest * const,int &,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:1235
    #33 0x7ffec516557c in nsDocLoader::doStopDocumentLoad(class nsIRequest *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:794
    #34 0x7ffec51616e0 in nsDocLoader::DocLoaderIsEmpty(bool) z:\build\build\src\uriloader\base\nsDocLoader.cpp:693
    #35 0x7ffec5163c2e in nsDocLoader::OnStopRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:589
    #36 0x7ffec30a61fc in mozilla::net::nsLoadGroup::RemoveRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\netwerk\base\nsLoadGroup.cpp:586
    #37 0x7ffec6b342b2 in nsDocument::UnblockOnload(bool) z:\build\build\src\dom\base\nsDocument.cpp:7733
    #38 0x7ffecab1a464 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher(void) z:\build\build\src\dom\events\AsyncEventDispatcher.cpp:117
    #39 0x7ffec67c4d8f in mozilla::LoadBlockingAsyncEventDispatcher::`scalar deleting destructor'(unsigned int) z:\build\build\src\obj-firefox\dist\include\mozilla\AsyncEventDispatcher.h:153
    #40 0x7ffec2e4c7af in mozilla::net::AltSvcOverride::Release(void) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:49
    #41 0x7ffec2e0bb87 in mozilla::SchedulerGroup::Runnable::Run(void) z:\build\build\src\xpcom\threads\SchedulerGroup.cpp:303
    #42 0x7ffec2e3b685 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1157
    #43 0x7ffec2e43f68 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:468
    #44 0x7ffec3eff979 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:88
    #45 0x7ffec3e5face in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:307
    #46 0x7ffec3e5f856 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:289
    #47 0x7ffecce6d9ea in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:137
    #48 0x7ffeccffd9b7 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:409
    #49 0x7ffed17cec9d in XRE_RunAppShell(void) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:915
    #50 0x7ffec3e5face in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:307
    #51 0x7ffec3e5f856 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:289
    #52 0x7ffed17cdf44 in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:753
    #53 0x7ff6a14c1f11  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x140001f11)
    #54 0x7ff6a14c14a1  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x1400014a1)
    #55 0x7ff6a14d0adb  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x140010adb)
    #56 0x7fff1a2d3033  (C:\Windows\System32\KERNEL32.DLL+0x180013033)
    #57 0x7fff1c621470  (C:\Windows\SYSTEM32\ntdll.dll+0x180071470)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation z:\build\build\src\layout\generic\nsContainerFrame.cpp:1795 in nsContainerFrame::RenumberFrameAndDescendants(int *,int,int,bool)
==6620==ABORTING
Could you file a different bug for that please? A minimized test-case would be ideal, but not required.
Priority: -- → P3

Happy to take a patch in nightly 67, or potentially, in beta 66 for this.
I'm marking it fix-optional to remove it from weekly regression triage, since it has a priority assigned.

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/459f39031f71
Add a couple of crashtests.  r=mats DONTBUILD

The crashing code was removed by bug 288704 so this should be fixed.

Assignee: nobody → mats
Status: REOPENED → RESOLVED
Closed: 7 years ago → 5 years ago
Depends on: 288704
Flags: in-testsuite? → in-testsuite+
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → FIXED