Closed Bug 1573216 Opened 5 years ago Closed 5 years ago

crash near null in [@ nsLineLayout::NewPerFrameData]

Categories: Core :: Layout: Columns, defect, P3
RESOLVED DUPLICATE of bug 1575106
Tracking Status: firefox70 --- disabled
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr, testcase
Attachments: 1 file, testcase.html (deleted)

Reduced with 20190810-c53f789ffabb

src/layout/generic/nsLineLayout.cpp:637:31: runtime error: member call on null pointer of type 'nsIFrame'
    #0 0x7f4324d0b175 in nsLineLayout::NewPerFrameData(nsIFrame*) src/layout/generic/nsLineLayout.cpp:637:31
    #1 0x7f4324cfe514 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:748:23
    #2 0x7f4324b7daaf in nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsFirstLetterFrame.cpp:226:9
    #3 0x7f4324cff303 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:877:13
    #4 0x7f4324cfd8b7 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:674:15
    #5 0x7f4324cfc58c in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:548:7
    #6 0x7f4324cfb583 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:363:3
    #7 0x7f4324cff303 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:877:13
    #8 0x7f4324b3e6e5 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4329:15
    #9 0x7f4324b3d515 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4164:9   
    #10 0x7f4324b35507 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4016:9
    #11 0x7f4324b2d2ad in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3003:5
    #12 0x7f4324b240a8 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2543:7
    #13 0x7f4324b1ca13 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1283:3
    #14 0x7f4324b6a3c1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:896:14
    #15 0x7f4324b6f1b5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:765:7
    #16 0x7f4324b6dcb4 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/layout/generic/nsColumnSetFrame.cpp:448:37
    #17 0x7f4324b74b6a in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1263:37
    #18 0x7f4324b3a9d0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #19 0x7f4324b30a20 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3647:11
    #20 0x7f4324b2d501 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3000:5
    #21 0x7f4324b240a8 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2543:7
    #22 0x7f4324b1ca13 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1283:3
    #23 0x7f43248eb124 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9229:11
    #24 0x7f4324900b70 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9399:24
    #25 0x7f43248ff28d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4166:11
    #26 0x7f4324886745 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2016:20
    #27 0x7f4324898d01 in TickDriver src/layout/base/nsRefreshDriver.cpp:372:13
    #28 0x7f4324898d01 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:349
    #29 0x7f4324898841 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:366:5
    #30 0x7f432489c67e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:814:5
    #31 0x7f432489c67e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:734
    #32 0x7f432489b7b8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:629:9
    #33 0x7f43250e9414 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #34 0x7f431d744934 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:187:54
    #35 0x7f431d242d58 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:5637:32
    #36 0x7f431ca50b5b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2184:25
    #37 0x7f431ca4b1f8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2108:9
    #38 0x7f431ca4d638 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1955:3
    #39 0x7f431ca4e706 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1986:13
    #40 0x7f431b535722 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #41 0x7f431b53c3c6 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #42 0x7f431ca5d624 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
    #43 0x7f431c8d1c17 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #44 0x7f431c8d1c17 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #45 0x7f431c8d1c17 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #46 0x7f4324388131 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #47 0x7f43286fbf6d in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #48 0x7f431c8d1c17 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #49 0x7f431c8d1c17 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #50 0x7f431c8d1c17 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #51 0x7f43286fad10 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #52 0x561386b1b049 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #53 0x561386b1b2e5 in main src/browser/app/nsBrowserApp.cpp:267:18
Flags: in-testsuite?
Priority: -- → P3

This is fixed by bug 1575106, and the testcase is added as a crashtest in bug 1575106 Part 4.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE