Open
Bug 1530040
Opened 6 years ago
Updated 2 years ago
NS_ABORT_OOM in [@ nsCellMap::AllocCellData]
Categories
(Core :: Layout: Tables, defect, P3)
Core
Layout: Tables
Tracking
()
NEW
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
(deleted),
text/html
==13623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f3efc2464cf bp 0x7ffee72371a0 sp 0x7ffee72371a0 T0)
==13623==The signal is caused by a WRITE memory access.
==13623==Hint: address points to the zero page.
#0 0x7f3efc2464ce in NS_ABORT_OOM(unsigned long) src/xpcom/base/nsDebugImpl.cpp:603:3
#1 0x7f3efc31d74f in PLDHashTable::Add(void const*) src/xpcom/ds/PLDHashTable.cpp
#2 0x7f3f07894cd0 in PutEntry src/obj-firefox/dist/include/nsTHashtable.h:152:43
#3 0x7f3f07894cd0 in PutEntry src/obj-firefox/dist/include/nsTHashtable.h:531
#4 0x7f3f07894cd0 in RecordAlloc src/layout/base/nsIPresShell.h:1627
#5 0x7f3f07894cd0 in AllocateByObjectID src/layout/base/nsIPresShell.h:241
#6 0x7f3f07894cd0 in nsCellMap::AllocCellData(nsTableCellFrame*) src/layout/tables/nsCellMap.cpp:2395
#7 0x7f3f07887379 in nsCellMap::AppendCell(nsTableCellMap&, nsTableCellFrame*, int, bool, int, mozilla::TableArea&, int*) src/layout/tables/nsCellMap.cpp:1389:22
#8 0x7f3f0789267e in nsCellMap::ExpandWithRows(nsTableCellMap&, nsTArray<nsTableRowFrame*>&, int, int, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:1584:9
#9 0x7f3f07884dec in nsTableCellMap::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:424:16
#10 0x7f3f078c16f9 in nsTableFrame::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool) src/layout/tables/nsTableFrame.cpp:860:14
#11 0x7f3f078bca25 in nsTableFrame::InsertRowGroups(nsFrameList::Slice const&) src/layout/tables/nsTableFrame.cpp:1084:13
#12 0x7f3f078bb372 in nsTableFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) src/layout/tables/nsTableFrame.cpp:339:5
#13 0x7f3f07c0285d in nsMathMLmtableFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) src/layout/mathml/nsMathMLmtableFrame.cpp:892:17
#14 0x7f3f071d238f in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:2028:15
#15 0x7f3f071ea476 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3610:16
#16 0x7f3f071f70d8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5661:3
#17 0x7f3f071d2c8a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9536:5
#18 0x7f3f071d3d35 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9696:3
#19 0x7f3f071eb482 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3757:9
#20 0x7f3f071f70d8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5661:3
#21 0x7f3f071d2c8a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9536:5
#22 0x7f3f0720a77d in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6822:3
#23 0x7f3f0717a7b7 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1448:27
#24 0x7f3f0718b923 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3090:9
#25 0x7f3f07124159 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3162:3
#26 0x7f3f07124159 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4127
#27 0x7f3f0708e5f5 in FlushPendingNotifications src/layout/base/nsIPresShell.h:581:5
#28 0x7f3f0708e5f5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1879
#29 0x7f3f070a2f09 in TickDriver src/layout/base/nsRefreshDriver.cpp:342:13
#30 0x7f3f070a2f09 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:319
#31 0x7f3f070a27f8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:336:5
#32 0x7f3f070a6a3f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:772:5
#33 0x7f3f070a6a3f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:692
#34 0x7f3f070a5bfa in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:592:9
#35 0x7f3f07b8ccb5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#36 0x7f3efe33f42b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#37 0x7f3efdf0c327 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2808:28
#38 0x7f3efd7675d9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2150:21
#39 0x7f3efd7633da in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
#40 0x7f3efd7655e1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1936:3
#41 0x7f3efd7663a7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1967:13
#42 0x7f3efc4e5ea6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1162:14
#43 0x7f3efc4edd4d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
#44 0x7f3efd7709df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#45 0x7f3efd65aafe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#46 0x7f3efd65aafe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#47 0x7f3efd65aafe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#48 0x7f3f069b4ad3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#49 0x7f3f0b54776e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
#50 0x7f3efd65aafe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#51 0x7f3efd65aafe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#52 0x7f3efd65aafe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#53 0x7f3f0b5468c3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#54 0x559c28d27874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#55 0x559c28d27874 in main src/browser/app/nsBrowserApp.cpp:265
Flags: in-testsuite?
Comment 1•6 years ago
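I suppose nsCellMap should try harder to use fallible allocation, and provide useful fallback values to its callers when it fails to allocate enough cell data, instead of aborting. (In the stack above, frame #0 is NS_ABORT_OOM, reached from PLDHashTable::Add via RecordAlloc and AllocateByObjectID, so the zero-page WRITE that ASan reports looks like the intentional out-of-memory abort rather than a stray write.)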
Priority: -- → P3
Updated•2 years ago
Severity: normal → S3