==116579==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f6a20f022b9 bp 0x7fff97eb5810 sp 0x7fff97eb56c0 T0) ==116579==The signal is caused by a READ memory access. ==116579==Hint: address points to the zero page. #0 0x7f6a20f022b8 in GetBoolFlag /src/dom/base/nsINode.h:1626:12 #1 0x7f6a20f022b8 in IsInUncomposedDoc /src/dom/base/nsINode.h:545 #2 0x7f6a20f022b8 in GetPrimaryFrame /src/obj-firefox/dist/include/nsIContent.h:968 #3 0x7f6a20f022b8 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /src/layout/base/nsCSSFrameConstructor.cpp:8514 #4 0x7f6a20f028f6 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /src/layout/base/nsCSSFrameConstructor.cpp:8532:11 #5 0x7f6a20e48f02 in mozilla::PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*) /src/layout/base/PresShell.cpp:4544:22 #6 0x7f6a1c6d1ab4 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /src/dom/base/nsNodeUtils.cpp:221:3 #7 0x7f6a1c67c280 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /src/dom/base/nsINode.cpp:1947:5 #8 0x7f6a1c389ca1 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /src/dom/base/FragmentOrElement.cpp:1382:5 #9 0x7f6a1c67d9ca in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2259:18 #10 0x7f6a1cecc2f0 in InsertBefore /src/dom/base/nsINode.h:1850:12 #11 0x7f6a1cecc2f0 in AppendChild /src/dom/base/nsINode.h:1854 #12 0x7f6a1cecc2f0 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:897 #13 0x7f6a1e541e87 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13 #14 0x7f6a25031ea1 in CallJSNative /src/js/src/jscntxtinlines.h:291:15 #15 0x7f6a25031ea1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:473 #16 0x7f6a2501d78a in CallFromStack /src/js/src/vm/Interpreter.cpp:528:12 #17 0x7f6a2501d78a in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3098 #18 0x7f6a25003a50 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:12 #19 0x7f6a2503232e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:15 #20 0x7f6a25032e32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:541:10 #21 0x7f6a25b247cc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3036:12 #22 0x7f6a1de8078e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37 #23 0x7f6a1e9db093 in Call<nsISupports *> /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12 #24 0x7f6a1e9db093 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215 #25 0x7f6a1e9a1051 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1111:51 #26 0x7f6a1e9a2f62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1286:20 #27 0x7f6a1e98d4ff in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16 #28 0x7f6a1e990e35 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9 #29 0x7f6a1e992e5c in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:892:12 #30 0x7f6a1c677e7f in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1356:5 #31 0x7f6a1c15632e in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /src/dom/base/nsContentUtils.cpp:4546:18 #32 0x7f6a1c1560e4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /src/dom/base/nsContentUtils.cpp:4514:10 #33 0x7f6a1ecd8c7f in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) /src/dom/html/HTMLMediaElement.cpp:6358:10 #34 0x7f6a193ffe04 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:396:25 #35 0x7f6a194266de in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1033:14 #36 0x7f6a19442460 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:508:10 #37 0x7f6a1a2b3cca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #38 0x7f6a1a20af69 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #39 0x7f6a1a20af69 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #40 0x7f6a1a20af69 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #41 0x7f6a20630d3a in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:157:27 #42 0x7f6a24d6425b in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:869:22 #43 0x7f6a1a20af69 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #44 0x7f6a1a20af69 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #45 0x7f6a1a20af69 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #46 0x7f6a24d63c4d in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:695:34 #47 0x4ee9f5 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30 #48 0x4ee9f5 in main /src/browser/app/nsBrowserApp.cpp:280 #49 0x7f6a37e7282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #50 0x41e078 in _start (firefox+0x41e078)

Is this a regression in the last few weeks? I couldn't reproduce it at first in a tree a few weeks old, but after updating it I get this fatal assertion (in a DEBUG build): https://searchfox.org/mozilla-central/rev/45a3df4e6b8f653b0103d18d97c34dd666706358/layout/base/nsCSSFrameConstructor.cpp#8516

So, we have this DOM tree at that point: <marquee> <a id="a"> <img> |aChild| is <img>, its GetFlattenedTreeParent() is <a>, but GetFlattenedTreeParent() on <a> returns null due to: https://searchfox.org/mozilla-central/rev/8839daefd69087d7ac2655b72790d3a25b6a815c/dom/base/FragmentOrElement.cpp#264-267 (|parent| is <marquee> here) So, since we have "*{ display:contents }" we can't find any ancestor with a frame. Reverting the change in bug 1419334 makes the crash go away, fwiw.

Yup, this is essentially the same bug as bug 1420533.

(In reply to Mats Palmgren (:mats) from comment #2) > Reverting the change in bug 1419334 makes the crash go away, fwiw. (The issue here is that <a> leaves the flattened tree because we notify the binding manager before notifying the frame constructor. This was wallpapered before the change in bug 1419334).

Marking fix-optional to remove the duplicate from weekly triage, since we'll see the issue in bug 1420533.