Not sure if this is the same crash as in bug 1041212 ==125321==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7fe1f7dbe8be bp 0x7ffd634d5810 sp 0x7ffd634d5480 T0) ==125321==The signal is caused by a READ memory access. ==125321==Hint: address points to the zero page. #0 0x7fe1f7dbe8bd in GetStateBits /src/layout/generic/nsIFrame.h:2031:46 #1 0x7fe1f7dbe8bd in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /src/layout/base/PresShell.cpp:2723 #2 0x7fe1f7da3140 in StyleChangeReflow /src/layout/base/RestyleManager.cpp:1238:41 #3 0x7fe1f7da3140 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1567 #4 0x7fe1f7e183ea in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1159:9 #5 0x7fe1f7dd7310 in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3 #6 0x7fe1f7dd7310 in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44 #7 0x7fe1f7dd7310 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4196 #8 0x7fe1f7d4b108 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:581:5 #9 0x7fe1f7d4b108 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1882 #10 0x7fe1f7d5863b in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13 #11 0x7fe1f7d5863b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306 #12 0x7fe1f7d58336 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5 #13 0x7fe1f7d5a88b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5 #14 0x7fe1f7d5a88b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682 #15 0x7fe1f7d5a496 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:583:9 #16 0x7fe1f85af6b2 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /src/layout/ipc/VsyncChild.cpp:68:16 #17 0x7fe1f2144021 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20 #18 0x7fe1f200ffb5 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28 #19 0x7fe1f1c65ba9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2119:25 #20 0x7fe1f1c62bbf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2049:17 #21 0x7fe1f1c642f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1895:5 #22 0x7fe1f1c64948 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1928:15 #23 0x7fe1f0e813a6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14 #24 0x7fe1f0e9b868 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10 #25 0x7fe1f1c6d811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #26 0x7fe1f1bcde6b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #27 0x7fe1f1bcde6b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #28 0x7fe1f1bcde6b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #29 0x7fe1f765092f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27 #30 0x7fe1fb969487 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:877:22 #31 0x7fe1f1bcde6b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #32 0x7fe1f1bcde6b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #33 0x7fe1f1bcde6b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #34 0x7fe1fb968e3a in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:703:34 #35 0x4ec2de in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30 #36 0x4ec2de in main /src/browser/app/nsBrowserApp.cpp:280 #37 0x7fe20e9db82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #38 0x41dbc8 in _start (firefox+0x41dbc8)

Works for me in an up-to-date local m-c ASAN Linux build.

Hmm. I just triple checked and I have no issues reproducing it with: m-c ASan opt Linux BuildID=20171108184714 SourceStamp=26d7a3a91c8596ca6834effec4b77a2c13d5f622 Jason: Can you please give us a sanity check here?

(In reply to Tyson Smith [:tsmith] from comment #2) > Hmm. I just triple checked and I have no issues reproducing it with: > m-c ASan opt Linux > BuildID=20171108184714 > SourceStamp=26d7a3a91c8596ca6834effec4b77a2c13d5f622 > > Jason: Can you please give us a sanity check here? It repros for me on rev f63559d7e6a5 (20171108) on Ubuntu 16.04.

Reproduces for me on Ubuntu 17.10 with a regular debug build. Also hits the below assertions: ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp, line 7859 ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file layout/generic/nsFrame.cpp, line 760 ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file layout/generic/nsPlaceholderFrame.h, line 183 Regression range (with the dom.forms.datetime pref forced on): INFO: Last good revision: 3e6775cee4f7098f4d11bdd452c276a56ac1f29a INFO: First bad revision: feaeb4c4a1149a7925e9d0e32a61fde7ad74b8f2 INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3e6775cee4f7098f4d11bdd452c276a56ac1f29a&tochange=feaeb4c4a1149a7925e9d0e32a61fde7ad74b8f2