Closed
Bug 1690166
Opened 4 years ago
Closed 4 years ago
crash near null in [@ nsIFrame::UpdateStyleOfChildAnonBox]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
VERIFIED
FIXED
87 Branch
People
(Reporter: tsmith, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
==28808==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f74eeaf8630 bp 0x7ffd58485d30 sp 0x7ffd58485be0 T0)
==28808==The signal is caused by a READ memory access.
==28808==Hint: address points to the zero page.
#0 0x7f74eeaf8630 in GetPseudoType /builds/worker/workspace/obj-build/dist/include/mozilla/ComputedStyle.h:95:50
#1 0x7f74eeaf8630 in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /gecko/layout/generic/nsIFrame.cpp:10720:39
#2 0x7f74eeafafb8 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /gecko/layout/generic/nsIFrame.cpp:11075:7
#3 0x7f74eeaf876e in UpdateStyleOfOwnedAnonBoxes /gecko/layout/generic/nsIFrame.h:3984:7
#4 0x7f74eeaf876e in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /gecko/layout/generic/nsIFrame.cpp:10737:16
#5 0x7f74eeafafb8 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /gecko/layout/generic/nsIFrame.cpp:11075:7
#6 0x7f74ee79c419 in UpdateStyleOfOwnedAnonBoxes /gecko/layout/generic/nsIFrame.h:3984:7
#7 0x7f74ee79c419 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2816:19
#8 0x7f74ee79c2a5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2798:32
#9 0x7f74ee79c2a5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2798:32
#10 0x7f74ee79c2a5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2798:32
#11 0x7f74ee79ebb1 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3004:28
#12 0x7f74ee75ea9f in ProcessPendingRestyles /gecko/layout/base/RestyleManager.cpp:3111:3
#13 0x7f74ee75ea9f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4208:39
#14 0x7f74ee6e5b9f in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2194:22
#15 0x7f74ee6f3ef9 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:357:13
#16 0x7f74ee6f3ef9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:336:7
#17 0x7f74ee6f3b71 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:351:5
#18 0x7f74ee6f2d84 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:799:5
#19 0x7f74ee6f2d84 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:722:16
#20 0x7f74ee6f21c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:624:7
#21 0x7f74ee6f1980 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:545:9
#22 0x7f74ed813987 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#23 0x7f74e7cfc4cc in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#24 0x7f74e78ecaa4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#25 0x7f74e7344c0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#26 0x7f74e7340a74 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#27 0x7f74e7342878 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#28 0x7f74e7343498 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#29 0x7f74e600d439 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
#30 0x7f74e6009b21 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:753:26
#31 0x7f74e6007617 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
#32 0x7f74e6007a6d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
#33 0x7f74e6014fe4 in operator() /gecko/xpcom/threads/TaskController.cpp:136:37
#34 0x7f74e6014fe4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
#35 0x7f74e603504d in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1171:16
#36 0x7f74e6040b7c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#37 0x7f74e734d824 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
#38 0x7f74e7243b11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#39 0x7f74e7243b11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#40 0x7f74e7243b11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#41 0x7f74ee1d6b27 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#42 0x7f74f1fa61cf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#43 0x7f74e7243b11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#44 0x7f74e7243b11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#45 0x7f74e7243b11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#46 0x7f74f1fa576c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#47 0x55c0f920ff3d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#48 0x55c0f9210377 in main /gecko/browser/app/nsBrowserApp.cpp:306:18
#49 0x7f75069d50b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#50 0x55c0f91638d9 in _start (/home/worker/builds/m-c-20210127043248-fuzzing-asan-opt/firefox+0x5a8d9)
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
Fieldset-related, so I want to bet on the recent changes.
Flags: needinfo?(mats)
|
|
||
Comment 2•4 years ago
|
||
On a debug build I get:
Assertion failure: !kidStatus.IsInlineBreakBefore() (ShouldAvoidBreakInside should prevent this from happening), at /home/emilio/src/moz/gecko-5/layout/generic/nsAbsoluteContainingBlock.cpp:223
|
Reporter | |
Comment 3•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/zrvvKAEO5NFKs-jAa__erw/index.html
|
||
Comment 4•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210202033500-babdc3b3a300.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: c32017c40f1904b0614607fbe3ec6cceffa91ce4 (20200204040416)
End: babdc3b3a30001ae014cc9180992549c5e4d5045 (20210202033500)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Comment 5•4 years ago
|
||
Fieldset-related, so I want to bet on the recent changes.
I think this is an older bug... likely bug 471015.
The testcase has position:fixed <fieldset> with a rendered legend that has break-before:page, which we propagate to the fieldset...
Which we shouldn't do because it's out-of-flow.
Tentative fix:
https://hg.mozilla.org/try/rev/1c39914eecc426ac614e02a7d429f9229de12da7
Assignee: nobody → mats
Severity: -- → S2
Flags: needinfo?(mats)
OS: Unspecified → All
Priority: -- → P2
Regressed by: 471015
Hardware: Unspecified → All
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
|
Assignee | |
Comment 6•4 years ago
|
||
|
||
Updated•4 years ago
|
Attachment #9200757 -
Attachment description: Bug 1690166 - Don't report BreakBefore reflow status if the <fieldset> is out-of-flow. r=TYLin → Bug 1690166 - Don't report BreakBefore reflow status if the <fieldset> is an abs/fixed positioned out-of-flow. r=TYLin
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/40234f92c842
Don't report BreakBefore reflow status if the <fieldset> is an abs/fixed positioned out-of-flow. r=TYLin
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
|
|
||
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210204093834-32690d048b75.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox85:
--- → wontfix
status-firefox86:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•