Closed Bug 1654925 Opened 4 years ago Closed 4 years ago

crash near null in [@ nsLayoutUtils::FindNearestCommonAncestorFrameWithinBlock]

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla80

Tracking Flags:

Tracking

Status

firefox-esr68

---

unaffected

firefox-esr78

---

unaffected

firefox79

---

wontfix

firefox80

---

verified

People

(Reporter: tsmith, Assigned: heycam)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

testcase.html 4 years ago Tyson Smith [:tsmith] (deleted), text/html		Details
Bug 1654925 - Make FindNearestCommonAncestorFrameWithinBlock handle bad frame trees without crashing. 4 years ago Cameron McCormack (:heycam) (deleted), text/x-phabricator-request		Details

Tyson Smith [:tsmith]

Reporter

Description

•

4 years ago

Attached file testcase.html (deleted) — Details

Reported with m-c 20200709-ccd521ebc464

==75692==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f56b4305ff4 bp 0x7ffcb37a3150 sp 0x7ffcb37a3060 T0)
==75692==The signal is caused by a READ memory access.
==75692==Hint: address points to the zero page.
    #0 0x7f56b4305ff3 in nsLayoutUtils::FindNearestCommonAncestorFrameWithinBlock(nsTextFrame const*, nsTextFrame const*) /gecko/layout/base/nsLayoutUtils.cpp
    #1 0x7f56b4677e4c in BuildTextRunsScanner::ContinueTextRunAcrossFrames(nsTextFrame*, nsTextFrame*) /gecko/layout/generic/nsTextFrame.cpp:1917:9
    #2 0x7f56b4680c22 in BuildTextRunsScanner::ScanFrame(nsIFrame*) /gecko/layout/generic/nsTextFrame.cpp:2013:12
    #3 0x7f56b4680dea in BuildTextRunsScanner::ScanFrame(nsIFrame*) /gecko/layout/generic/nsTextFrame.cpp:2068:5
    #4 0x7f56b468647b in BuildTextRuns /gecko/layout/generic/nsTextFrame.cpp:1449:15
    #5 0x7f56b468647b in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /gecko/layout/generic/nsTextFrame.cpp:2989:7
    #6 0x7f56b46b9e11 in nsTextFrame::AddInlineMinISizeForFlow(gfxContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /gecko/layout/generic/nsTextFrame.cpp:8282:7
    #7 0x7f56b46bbec6 in nsTextFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /gecko/layout/generic/nsTextFrame.cpp:8465:10
    #8 0x7f56b431ed0b in nsLayoutUtils::MinISizeFromInline(nsIFrame*, gfxContext*) /gecko/layout/base/nsLayoutUtils.cpp:6111:11
    #9 0x7f56b431a159 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /gecko/layout/base/nsLayoutUtils.cpp
    #10 0x7f56b431c84c in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /gecko/layout/base/nsLayoutUtils.cpp:5818:10
    #11 0x7f56b45950d0 in nsIFrame::ShrinkWidthToFit(gfxContext*, int, nsIFrame::ComputeSizeFlags) /gecko/layout/generic/nsIFrame.cpp:6329:22
    #12 0x7f56b444eabb in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /gecko/layout/generic/nsContainerFrame.cpp:991:11
    #13 0x7f56b45926c2 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /gecko/layout/generic/nsIFrame.cpp:6044:7
    #14 0x7f56b46d6125 in nsVideoFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /gecko/layout/generic/nsVideoFrame.cpp:584:30
    #15 0x7f56b43b7326 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /gecko/layout/generic/ReflowInput.cpp:1678:28
    #16 0x7f56b43ad941 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /gecko/layout/generic/ReflowInput.cpp:2327:7
    #17 0x7f56b43a73ca in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /gecko/layout/generic/ReflowInput.cpp:372:3
    #18 0x7f56b43e907e in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /gecko/layout/generic/nsAbsoluteContainingBlock.cpp:707:15
    #19 0x7f56b43e66e4 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /gecko/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
    #20 0x7f56b43e4d00 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:340:35
    #21 0x7f56b42032cd in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9608:11
    #22 0x7f56b4215977 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9781:24
    #23 0x7f56b42143ed in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4240:11
    #24 0x7f56af6bc69d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1443:5
    #25 0x7f56af6bc69d in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10064:16
    #26 0x7f56b412a97c in nsComputedDOMStyle::Flush(mozilla::dom::Document&, mozilla::FlushType) /gecko/layout/style/nsComputedDOMStyle.cpp:962:13
    #27 0x7f56b41278ca in nsComputedDOMStyle::UpdateCurrentStyleSources(nsCSSPropertyID) /gecko/layout/style/nsComputedDOMStyle.cpp:1015:5
    #28 0x7f56b4126a19 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char> const&, nsTSubstring<char16_t>&) /gecko/layout/style/nsComputedDOMStyle.cpp:402:3
    #29 0x7f56b412687b in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char16_t>&) /gecko/layout/style/nsComputedDOMStyle.cpp:347:10
    #30 0x7f56afc42aa3 in GetWidth /builds/worker/workspace/obj-build/dist/include/mozilla/ServoCSSPropList.h:349:1
    #31 0x7f56afc42aa3 in mozilla::dom::CSS2Properties_Binding::get_width(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:26811:24
    #32 0x7f56b1440442 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3101:13
    #33 0x7f56b7b1dd0b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:484:13
    #34 0x7f56b7b1dd0b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:576:12
    #35 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #36 0x7f56b7b20286 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #37 0x7f56b7cc3ed0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
    #38 0x7f56ada6491d in Call /builds/worker/workspace/obj-build/dist/include/jsapi.h:1516:10
    #39 0x7f56ada6491d in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /gecko/js/xpconnect/wrappers/XrayWrapper.cpp:2101:10
    #40 0x7f56b7d5489a in getInternal /gecko/js/src/proxy/Proxy.cpp:331:19
    #41 0x7f56b7d5489a in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/proxy/Proxy.cpp:339:10
    #42 0x7f56b7d54a18 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:114:12
    #43 0x7f56b7d54a18 in getInternal /gecko/js/src/proxy/Proxy.cpp:327:14
    #44 0x7f56b7d54a18 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/proxy/Proxy.cpp:339:10
    #45 0x7f56b7b28ec5 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:114:12
    #46 0x7f56b7b28ec5 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:124:10
    #47 0x7f56b7b27d32 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4736:10
    #48 0x7f56b7b04718 in GetPropertyOperation /gecko/js/src/vm/Interpreter.cpp:217:10
    #49 0x7f56b7b04718 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2977:12
    #50 0x7f56b7ae8bc1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
    #51 0x7f56b7b1dded in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
    #52 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #53 0x7f56b7b20286 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #54 0x7f56b7d73f9b in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/src/proxy/Wrapper.cpp:162:10
    #55 0x7f56b7d586e6 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /gecko/js/src/proxy/Proxy.cpp:491:19
    #56 0x7f56b7b1e298 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:550:14
    #57 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #58 0x7f56b7b20286 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #59 0x7f56b7d73f9b in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/src/proxy/Wrapper.cpp:162:10
    #60 0x7f56b7d490c5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/src/proxy/CrossCompartmentWrapper.cpp:238:19
    #61 0x7f56ada84bd1 in xpc::WaiveXrayWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/xpconnect/wrappers/WaiveXrayWrapper.cpp:53:35
    #62 0x7f56b7d586e6 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /gecko/js/src/proxy/Proxy.cpp:491:19
    #63 0x7f56b7b1e298 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:550:14
    #64 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #65 0x7f56b7b078a6 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:643:10
    #66 0x7f56b7b078a6 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3332:16
    #67 0x7f56b7ae8bc1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
    #68 0x7f56b7b1dded in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
    #69 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #70 0x7f56b7b20286 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #71 0x7f56b7cc3ed0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
    #72 0x7f56b103edde in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #73 0x7f56b356b529 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:81:12
    #74 0x7f56b3567268 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:94:12
    #75 0x7f56b3567268 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:192:18
    #76 0x7f56b1b46b1e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1088:22
    #77 0x7f56b1b482a0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #78 0x7f56b1b363ff in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
    #79 0x7f56b1b34b9d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
    #80 0x7f56b1b390f6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
    #81 0x7f56b1b3de29 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #82 0x7f56af61fa15 in nsWindowRoot::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsWindowRoot.cpp:91:17
    #83 0x7f56af3e3b76 in nsContentUtils::DispatchChromeEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*) /gecko/dom/base/nsContentUtils.cpp:4289:17
    #84 0x7f56af78ca67 in operator() /gecko/dom/base/Element.cpp:1160:9
    #85 0x7f56af78ca67 in mozilla::detail::RunnableFunction<mozilla::dom::Element::NotifyUAWidgetSetupOrChange()::$_40>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #86 0x7f56af3ed5c3 in nsContentUtils::RemoveScriptBlocker() /gecko/dom/base/nsContentUtils.cpp:5344:15
    #87 0x7f56af69bc08 in mozilla::dom::Document::EndUpdate() /gecko/dom/base/Document.cpp:7132:3
    #88 0x7f56af35d136 in mozAutoDocUpdate::~mozAutoDocUpdate() /gecko/dom/base/mozAutoDocUpdate.h:34:18
    #89 0x7f56af990f2a in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:2696:1
    #90 0x7f56b00c6950 in InsertBefore /gecko/dom/base/nsINode.h:1971:12
    #91 0x7f56b00c6950 in AppendChild /gecko/dom/base/nsINode.h:1974:12
    #92 0x7f56b00c6950 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:989:60
    #93 0x7f56b1449598 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3219:13
    #94 0x7f56b7b1dd0b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:484:13
    #95 0x7f56b7b1dd0b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:576:12
    #96 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #97 0x7f56b7b078a6 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:643:10
    #98 0x7f56b7b078a6 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3332:16
    #99 0x7f56b7ae8bc1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
    #100 0x7f56b7b1dded in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
    #101 0x7f56b7b1ffa8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #102 0x7f56b7b20286 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #103 0x7f56b7cc3ed0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
    #104 0x7f56b103c029 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
    #105 0x7f56b1b83b1e in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
    #106 0x7f56b1b81d24 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
    #107 0x7f56b1b46b1e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1088:22
    #108 0x7f56b1b482a0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #109 0x7f56b1b363ff in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
    #110 0x7f56b1b34b9d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
    #111 0x7f56b1b390f6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
    #112 0x7f56b42d4ee2 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1140:7
    #113 0x7f56b6e6177c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6030:20
    #114 0x7f56b6e60975 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5499:7
    #115 0x7f56b6e6408f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #116 0x7f56ae0fa590 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1331:3
    #117 0x7f56ae0f945c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:937:14
    #118 0x7f56ae0f59db in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:757:9
    #119 0x7f56ae0f7f4d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:640:5
    #120 0x7f56ae0f8fec in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp
    #121 0x7f56ab937317 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:615:22
    #122 0x7f56ab93a527 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:522:10
    #123 0x7f56af1f9eb6 in imgRequestProxy::RemoveFromLoadGroup() /gecko/image/imgRequestProxy.cpp:370:15
    #124 0x7f56af2054ba in imgRequestProxy::OnLoadComplete(bool) /gecko/image/imgRequestProxy.cpp:1003:7
    #125 0x7f56af1b737b in operator() /gecko/image/ProgressTracker.cpp:351:13
    #126 0x7f56af1b737b in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /gecko/image/ProgressTracker.cpp:281:9
    #127 0x7f56af1b4609 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:350:5
    #128 0x7f56af137658 in operator() /gecko/image/ProgressTracker.cpp:369:5
    #129 0x7f56af137658 in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:368:19)> /gecko/image/CopyOnWrite.h:155:12
    #130 0x7f56af137658 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:368:14
    #131 0x7f56af1873a5 in mozilla::image::VectorImage::OnSVGDocumentLoaded() /gecko/image/VectorImage.cpp:1444:23
    #132 0x7f56af196d87 in mozilla::image::SVGLoadEventListener::HandleEvent(mozilla::dom::Event*) /gecko/image/VectorImage.cpp:210:15
    #133 0x7f56b1b46b1e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1088:22
    #134 0x7f56b1b482a0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #135 0x7f56b1b363ff in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
    #136 0x7f56b1b34b9d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
    #137 0x7f56b1b390f6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
    #138 0x7f56b1b3de29 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #139 0x7f56af987bce in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1300:17
    #140 0x7f56b1b54d69 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:178:13
    #141 0x7f56b1add31e in mozilla::AsyncEventDispatcher::Run() /gecko/dom/events/AsyncEventDispatcher.cpp:69:12
    #142 0x7f56ab645d59 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:209:16
    #143 0x7f56ab6422e8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:459:24
    #144 0x7f56ab640638 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:337:20
    #145 0x7f56ab640a43 in mozilla::TaskController::ProcessPendingMTTask() /gecko/xpcom/threads/TaskController.cpp:152:3
    #146 0x7f56ab651aef in operator() /gecko/xpcom/threads/TaskController.cpp:82:37
    #147 0x7f56ab651aef in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #148 0x7f56ab676b65 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #149 0x7f56ab6818fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #150 0x7f56aca3199f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #151 0x7f56ac90f917 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #152 0x7f56ac90f917 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #153 0x7f56ac90f917 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #154 0x7f56b3cfbf28 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #155 0x7f56b78aa836 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #156 0x7f56ac90f917 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #157 0x7f56ac90f917 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #158 0x7f56ac90f917 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #159 0x7f56b78a9e1f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #160 0x5644cc5b9723 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #161 0x5644cc5b9723 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #162 0x7f56cf6a0b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #163 0x5644cc50e089 in _start (/home/worker/builds/m-c-20200709154210-fuzzing-asan-opt/firefox+0xa4089)

Flags: in-testsuite?

Mats Palmgren (inactive)

Updated

•

4 years ago

Severity: -- → S3

Priority: -- → P2

Tyson Smith [:tsmith]

Reporter

Comment 1

•

4 years ago

A Pernosco session is available here: https://pernos.co/debug/ivqVG9Nzj2vMO4PGsMFcHQ/index.html

Cameron McCormack (:heycam)

Assignee

Comment 2

•

4 years ago

I guess this was caused by me in bug 1645713.

Assignee: nobody → cam

Status: NEW → ASSIGNED

Regressions: 1645713

Cameron McCormack (:heycam)

Assignee

Comment 3

•

4 years ago

The frame tree's a bit weird, and there are non-fatal assertions about nsVideoFrame having children it doesn't expect. We should probably handle this without crashing.

Cameron McCormack (:heycam)

Assignee

Comment 4

•

4 years ago

Attached file Bug 1654925 - Make FindNearestCommonAncestorFrameWithinBlock handle bad frame trees without crashing. (deleted) — Details

Pulsebot

Comment 5

•

4 years ago

Pushed by cmccormack@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d8700c3b6dc0 Make FindNearestCommonAncestorFrameWithinBlock handle bad frame trees without crashing. r=jfkthame

Narcis Beleuzu [:NarcisB]

Comment 6

•

4 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/d8700c3b6dc0

Status: ASSIGNED → RESOLVED

Closed: 4 years ago

status-firefox80: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla80

Jason Kratzer [:jkratzer]

Updated

•

4 years ago

Status: RESOLVED → VERIFIED

status-firefox80: fixed → verified

Keywords: bugmon

Jason Kratzer [:jkratzer]

Comment 7

•

4 years ago

Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200725094010-3ad2fc2915b1. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Ryan VanderMeulen [:RyanVM]

Updated

•

4 years ago

status-firefox79: --- → wontfix

status-firefox-esr68: --- → unaffected

status-firefox-esr78: --- → unaffected

Flags: in-testsuite? → in-testsuite+

Alice0775 White

Updated

•

1 year ago

Regressions: 1851399

You need to log in before you can comment on or make changes to this bug.

Bugzilla

crash near null in [@ nsLayoutUtils::FindNearestCommonAncestorFrameWithinBlock]

Categories

(Core :: Layout: Text and Fonts, defect, P2)

Tracking

()

People

(Reporter: tsmith, Assigned: heycam)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Updated

Updated

Attachment

General

Description

File Name

Content Type