Bug 1429172 - Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] with floats and multicol
Opened 7 years ago; updated 3 years ago
Status: NEW (Open)
Product/Component: Core :: Layout
Type: defect
Priority: P3
Tracking: firefox59 affected
Reporter: truber
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: assertion, crash, testcase
Attachments: 2 files
Description
The attached testcase causes a crash near null in m-c rev 20180109-6f5fac320fcb.
The testcase is very fragile and even whitespace changes change the signature to bug 1411689.
==2758==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7f28d8224032 bp 0x7ffd0010af70 sp 0x7ffd0010af40 T0)
==2758==The signal is caused by a READ memory access.
==2758==Hint: address points to the zero page.
#0 0x7f28d8224031 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2797:38
#1 0x7f28d8224031 in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:40
#2 0x7f28d8224031 in nsBidiPresUtils::ChildListMayRequireBidi(nsIFrame*, nsIContent**) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1309
#3 0x7f28d8222eb4 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:725:11
#4 0x7f28d83f87a2 in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7510:10
#5 0x7f28d83f87a2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1179
#6 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
#7 0x7f28d840d48b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
#8 0x7f28d840b425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
#9 0x7f28d840107a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
#10 0x7f28d83f8e35 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
#11 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
#12 0x7f28d840d48b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3464:11
#13 0x7f28d840b425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
#14 0x7f28d840107a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2353:7
#15 0x7f28d83f8e35 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1226:3
#16 0x7f28d8418277 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
Comment 1 • 7 years ago
In a debug build, I'm seeing this testcase fail some nonfatal assertions, and crash in a different place (while evaluating an assertion condition).
I get 4 copies of this assertion:
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp, line 7975
...and then 4 copies of this:
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file layout/generic/nsFrame.cpp, line 767
...and then 1 copy of this:
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file ../../../mozilla/layout/generic/nsPlaceholderFrame.h, line 183
And then we crash while evaluating the lower assertion here because "outOfFlowFrame" is null (and we dereference it in the NS_ASSERTION condition):
> nsIFrame*
> nsLayoutUtils::GetFloatFromPlaceholder(nsIFrame* aFrame) {
> NS_ASSERTION(aFrame->IsPlaceholderFrame(), "Must have a placeholder here");
> if (aFrame->GetStateBits() & PLACEHOLDER_FOR_FLOAT) {
> nsIFrame *outOfFlowFrame =
> nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
> NS_ASSERTION(outOfFlowFrame->IsFloating(),
> "How did that happen?");
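The failure mode comment 1 describes, as an added illustration that is not Gecko's code: a constructed model of placeholder and out-of-flow frames. The names FrameKind, Frame, GetFloatFromPlaceholderUnsafe, GetFloatFromPlaceholderSafe, ScanChildList and the sample frame list are assumptions of this example, not Gecko identifiers. The unsafe function keeps the shape of the quoted snippet, where the assertion condition itself dereferences the out-of-flow pointer, so a null pointer crashes the debug build inside the check instead of printing "How did that happen?". The safe form validates each link before following it and returns a status, so a stray placeholder is reported rather than read through null.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model (not nsIFrame/nsPlaceholderFrame): just enough structure
// to show the crashing check and a null-safe replacement.
enum class FrameKind : uint8_t { Block, Placeholder, Float };

struct Frame {
    FrameKind kind;
    bool floating = false;
    bool placeholderForFloat = false;   // models the PLACEHOLDER_FOR_FLOAT state bit
    Frame* outOfFlow = nullptr;         // the placeholder's out-of-flow frame, if any

    bool IsPlaceholderFrame() const { return kind == FrameKind::Placeholder; }
    bool IsFloating() const { return floating; }
};

// Shape of the quoted GetFloatFromPlaceholder: the check's condition reads
// through outOfFlow before anything has confirmed it is non-null. With a stray
// placeholder (outOfFlow == nullptr) the read itself is the near-null SEGV.
// Deliberately unsafe and never called here; kept for comparison only.
Frame* GetFloatFromPlaceholderUnsafe(Frame* aFrame) {
    if (aFrame->placeholderForFloat) {
        Frame* outOfFlow = aFrame->outOfFlow;
        // NS_ASSERTION(outOfFlow->IsFloating(), "How did that happen?");
        if (!outOfFlow->IsFloating()) std::fprintf(stderr, "How did that happen?\n");
        return outOfFlow;
    }
    return nullptr;
}

enum class PlaceholderStatus {
    NotAPlaceholder, NotForFloat, MissingOutOfFlow, OutOfFlowNotFloating, Ok
};

// Null-safe form: every pointer is checked before it is dereferenced, and the
// caller learns *which* invariant failed instead of getting a SEGV.
PlaceholderStatus GetFloatFromPlaceholderSafe(const Frame* aFrame, const Frame** aFloat) {
    *aFloat = nullptr;
    if (!aFrame || !aFrame->IsPlaceholderFrame()) return PlaceholderStatus::NotAPlaceholder;
    if (!aFrame->placeholderForFloat) return PlaceholderStatus::NotForFloat;
    const Frame* oof = aFrame->outOfFlow;
    if (!oof) return PlaceholderStatus::MissingOutOfFlow;            // "Null out-of-flow for placeholder?"
    if (!oof->IsFloating()) return PlaceholderStatus::OutOfFlowNotFloating;  // "How did that happen?"
    *aFloat = oof;
    return PlaceholderStatus::Ok;
}

struct ScanResult { int floats = 0; int strayPlaceholders = 0; int other = 0; };

// Walk a block's child list the way a pass such as ChildListMayRequireBidi
// would, but never touch a placeholder whose out-of-flow frame is missing.
ScanResult ScanChildList(const std::vector<Frame*>& children) {
    ScanResult r;
    for (const Frame* child : children) {
        const Frame* f = nullptr;
        switch (GetFloatFromPlaceholderSafe(child, &f)) {
            case PlaceholderStatus::Ok: ++r.floats; break;
            case PlaceholderStatus::MissingOutOfFlow:
            case PlaceholderStatus::OutOfFlowNotFloating: ++r.strayPlaceholders; break;
            default: ++r.other; break;
        }
    }
    return r;
}

// Constructed sample: one healthy float placeholder, one stray placeholder whose
// out-of-flow pointer was cleared (the state the debug assertions report), and
// one ordinary block child.
ScanResult ScanSampleBlock() {
    Frame theFloat{FrameKind::Float, true, false, nullptr};
    Frame good{FrameKind::Placeholder, false, true, &theFloat};
    Frame stray{FrameKind::Placeholder, false, true, nullptr};
    Frame block{FrameKind::Block};
    return ScanChildList({&good, &stray, &block});
}

int main() {
    ScanResult r = ScanSampleBlock();
    std::printf("floats=%d stray=%d other=%d\n", r.floats, r.strayPlaceholders, r.other);
    return r.strayPlaceholders == 0 ? 0 : 1;
}
```

The ASan header in the description (SEGV on 0x65, "address points to the zero page", frame #0 in Type) matches a member read through a null frame pointer at a small offset, which is what the safe form refuses to do. In a release build NS_ASSERTION is compiled out, so the null pointer is handed to the next consumer, and the crash signature lands in nsBidiPresUtils rather than where the stray placeholder was created, as comment 3 observes.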
Comment 2 • 7 years ago
Comment 3 • 7 years ago
(This is likely a multicol/float interaction bug -- I suspect it has nothing to do with nsBidiPresUtils except that that's where we end up using the unexpectedly-null out-of-flow frame pointer first.)
Keywords: assertion
Summary: Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] → Crash near null [@ Type | nsBidiPresUtils::ChildListMayRequireBidi] with floats and multicol
Updated • 7 years ago
Priority: -- → P3
Comment 4 • 3 years ago
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Severity: critical → S3