==25714==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb2dd7e605b bp 0x7ffe463c0390 sp 0x7ffe463c0240 T0) ==25714==The signal is caused by a WRITE memory access. ==25714==Hint: address points to the zero page. #0 0x7fb2dd7e605a in nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsContainerFrame*, bool) /src/layout/base/nsCSSFrameConstructor.cpp #1 0x7fb2dd939185 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /src/layout/generic/nsAbsoluteContainingBlock.cpp:184:15 #2 0x7fb2dd954f20 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1441:26 #3 0x7fb2dd9721e7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:306:11 #4 0x7fb2dd9673fb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3464:11 #5 0x7fb2dd965395 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2814:5 #6 0x7fb2dd95d461 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2638:11 #7 0x7fb2dd952c65 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1226:3 #8 0x7fb2dd9b2686 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:941:14 #9 0x7fb2dd9b7072 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /src/layout/generic/nsColumnSetFrame.cpp:798:7 #10 0x7fb2dd9bba67 in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:495:19 #11 0x7fb2dd9bba67 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1134 #12 0x7fb2dd9bcb5e in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1241:5 #13 0x7fb2dd9721e7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:306:11 #14 0x7fb2dd9673fb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3464:11 #15 0x7fb2dd965395 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2814:5 #16 0x7fb2dd95afea in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2353:7 #17 0x7fb2dd952c65 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1226:3 #18 0x7fb2dd9721e7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:306:11 #19 0x7fb2dd9673fb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3464:11 #20 0x7fb2dd965395 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2814:5 #21 0x7fb2dd95afea in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2353:7 #22 0x7fb2dd952c65 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1226:3 #23 0x7fb2dd9b2686 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:941:14 #24 0x7fb2dd9b0e2d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsCanvasFrame.cpp:761:5 #25 0x7fb2dd9b2686 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:941:14 #26 0x7fb2dda86e5d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /src/layout/generic/nsGfxScrollFrame.cpp:552:3 #27 0x7fb2dda88129 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /src/layout/generic/nsGfxScrollFrame.cpp:675:3 #28 0x7fb2dda8c059 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsGfxScrollFrame.cpp:1052:3 #29 0x7fb2dd937c8e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:985:14 #30 0x7fb2dd936769 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/ViewportFrame.cpp:335:7 #31 0x7fb2dd70eb28 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /src/layout/base/PresShell.cpp:8970:11 #32 0x7fb2dd725800 in mozilla::PresShell::ProcessReflowCommands(bool) /src/layout/base/PresShell.cpp:9143:24 #33 0x7fb2dd724500 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4263:11 #34 0x7fb2dd68b374 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:584:5 #35 0x7fb2dd68b374 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1920 #36 0x7fb2dd69a930 in TickDriver /src/layout/base/nsRefreshDriver.cpp:336:13 #37 0x7fb2dd69a930 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:306 #38 0x7fb2dd69a4e4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:327:5 #39 0x7fb2dd69d26e in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:769:5 #40 0x7fb2dd69d26e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:682 #41 0x7fb2dd698357 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:528:20 #42 0x7fb2d5cfb7ad in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1040:14 #43 0x7fb2d5d16580 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:517:10 #44 0x7fb2d6b9d08a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #45 0x7fb2d6af48f9 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #46 0x7fb2d6af48f9 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #47 0x7fb2d6af48f9 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #48 0x7fb2dcf2efba in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:157:27 #49 0x7fb2e13bf5ab in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30 #50 0x7fb2e15cb47a in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4707:22 #51 0x7fb2e15ce45e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4842:8 #52 0x7fb2e15cf8d4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4934:21 #53 0x4f168b in do_main /src/browser/app/nsBrowserApp.cpp:231:22 #54 0x4f168b in main /src/browser/app/nsBrowserApp.cpp:304 #55 0x7fb2f473882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #56 0x420f48 in _start (firefox+0x420f48)

This is crashing in https://searchfox.org/mozilla-central/rev/e3cba77cee3ff1be38313abe9c804d13c51bd95b/layout/base/nsCSSFrameConstructor.cpp#9245 And is a regression (doesn't crash in 57). Running mozregression right now.

I should've guessed it :) https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c67fb9e69640fa3070ae229ae5bd8295b687e60d&tochange=9a0a943fd35d07a935d7ac027f3d33aa16f7cd29

FWIW, in case it helps, we're trying to create a continuation for the comboboxcontrol frame... Gah, fragmentation is always hard :( Let me know if you want me to try to poke at this Mats (no idea of what the right fix may be as of right now though)

nsCSSFrameConstructor::CreateContinuingFrame 9245 MOZ_CRASH("unexpected frame type"); (gdb) p frameType $1 = mozilla::LayoutFrameType::ComboboxControl

:mats, is anything blocking the next steps here?

Yeah, I didn't like the approach in that patch much, but I have a better idea now: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4991ee8ffee0cdd03cb78c366b71816ba1bf6dbd

This patch reverts the fix for bug 1431232 that caused this regression (first hunk, apart from the added assert). Instead we prevent abs.pos. boxes from ever creating a break-before reflow status (second hunk), which prevents the situation in bug 1431232 from occurring. The added condition is: !(HasAnyStateBits(NS_FRAME_OUT_OF_FLOW) && IsAbsolutelyPositioned(disp)) (I had to move it to the .cpp because #include hell.)

Comment on attachment 8951008 [details] [diff] [review] fix Review of attachment 8951008 [details] [diff] [review]: ----------------------------------------------------------------- r=me

Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/7d47e64db8a8 Disable 'page-break-inside:avoid' on abs.pos. frames for now. r=dholbert https://hg.mozilla.org/integration/mozilla-inbound/rev/4a5043e1601a Crashtest.

https://hg.mozilla.org/mozilla-central/rev/7d47e64db8a8 https://hg.mozilla.org/mozilla-central/rev/4a5043e1601a