==30121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055c658 bp 0x7ffd421529f0 sp 0x7ffd42152880 T0) ==30121==The signal is caused by a WRITE memory access. ==30121==Hint: address points to the zero page. #0 0x55c657 in MOZ_CrashPrintf src/mfbt/Assertions.cpp:63:3 #1 0x7f19967dbffd in GetOldListIndex src/layout/painting/nsDisplayList.h:2868:7 #2 0x7f19967dbffd in MergeState::HasMatchingItemInOldList(nsDisplayItem*, Index<OldListUnits>*) src/layout/painting/RetainedDisplayListBuilder.cpp:334 #3 0x7f19966d2baf in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:281:9 #4 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36 #5 0x7f19966d2fba in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:289:25 #6 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36 #7 0x7f19966d2fba in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:289:25 #8 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36 #9 0x7f19966db0ae in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1198:7 #10 0x7f1995e9344b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3683:40 #11 0x7f1995d86f57 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6312:5 #12 0x7f1995734c4a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19 #13 0x7f1995733a4c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33 #14 0x7f19957390a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5 #15 0x7f1995d00445 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2039:11 #16 0x7f1995d0d21b in TickDriver src/layout/base/nsRefreshDriver.cpp:328:13 #17 0x7f1995d0d21b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301 #18 0x7f1995d0cdf9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5 #19 0x7f1995d0f93e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5 #20 0x7f1995d0f93e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673 #21 0x7f1995d0f53e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9 #22 0x7f19965b68ef in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16 #23 0x7f198f302034 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20 #24 0x7f198f1d9f43 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28 #25 0x7f198ed4935e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25 #26 0x7f198ed462a2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17 #27 0x7f198ed47adc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5 #28 0x7f198ed48138 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15 #29 0x7f198de55c46 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14 #30 0x7f198de71b80 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #31 0x7f198ed50ffa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21 #32 0x7f198eca5489 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #33 0x7f198eca5489 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #34 0x7f198eca5489 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #35 0x7f19957c29da in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 #36 0x7f1999a16f2b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #37 0x7f198eca5489 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #38 0x7f198eca5489 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #39 0x7f198eca5489 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #40 0x7f1999a168f0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #41 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #42 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282 #43 0x7f19ad66b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #44 0x420f48 in _start (firefox+0x420f48)

Comment on attachment 8976756 [details] Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint. https://reviewboard.mozilla.org/r/244858/#review251152

Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/266c78fab1d6 Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint. r=mstange

Please request Beta approval on this when you get a chance.

Comment on attachment 8976756 [details] Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint. Approval Request Comment [Feature/Bug causing the regression]: Retained-dl [User impact if declined]: Crashes on some pages [Is this code covered by automated tests?]: No, fuzzing test was too unreliable to be useful in automation. [Has the fix been verified in Nightly?]: By me! [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: Just stops us skipping quite as much work on an early return path, matches code from the normal path. [String changes made/needed]: None.

Comment on attachment 8976756 [details] Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint. RDL stability fix. Approved for 61.0b8.

Bustage follow-up: https://hg.mozilla.org/releases/mozilla-beta/rev/ee7c06a83c6b

I couldn't reproduce this crash on any affected/unaffected/fixed Fx versions (62.0a1, 61.0b6, 60.0b9 or 63.0a1) Seeing the crash stats ( https://crash-stats.mozilla.com/signature/?signature=MergeState%3A%3AHasMatchingItemInOldList&date=%3E%3D2018-08-02T09%3A03%3A23.000Z&date=%3C2018-08-09T09%3A03%3A23.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-build_id&_sort=version&_sort=-date&page=1) Crashes with this signature are still reproducible on current Nightly and on beta 62.0b15.