Closed
Bug 1340571
Opened 8 years ago
Closed 6 years ago
Crash [@nsCSSFrameConstructor::RecreateFramesForContent]
Categories: Core :: Layout, defect
People: Reporter: jkratzer, Assigned: jkratzer
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr, testcase; Whiteboard: [fixed by stylo]
Attachments (1 file): 629 bytes, text/html
Testcase found by fuzzing on mozilla-central rev 20170216-a9ec72f82299.

ASAN:DEADLYSIGNAL
=================================================================
==3722==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7f96513d810f bp 0x7ffe2f83afb0 sp 0x7ffe2f83aea0 T0)
    #0 0x7f96513d810e in HasFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:217:14
    #1 0x7f96513d810e in IsInShadowTree /home/worker/workspace/build/src/dom/base/nsINode.h:1204
    #2 0x7f96513d810e in GetComposedDoc /home/worker/workspace/build/src/dom/base/nsINode.h:549
    #3 0x7f96513d810e in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9647
    #4 0x7f965130ca36 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:1481:7
    #5 0x7f96512f1984 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3476:3
    #6 0x7f96512f14e5 in mozilla::GeckoRestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:435:3
    #7 0x7f96512f0dc9 in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:142:9
    #8 0x7f965137de53 in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:5
    #9 0x7f965137de53 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #10 0x7f96512f512f in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:7
    #11 0x7f96512f512f in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:505
    #12 0x7f965134125b in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #13 0x7f965134125b in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4196
    #14 0x7f96512b2979 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1879:11
    #15 0x7f96512c1495 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
Flags: in-testsuite?
Comment 1•8 years ago
The testcase creates an embed element, and replaces the root element with that. That causes a ContentStateChanged call, which posts a restyle with the reconstruct frame hint because of this block in RestyleManagerBase::ContentStateChangedInternal: https://dxr.mozilla.org/mozilla-central/rev/0eef1d5a39366059677c6d7944cfe8a97265a011/layout/base/RestyleManagerBase.cpp#53

I'm guessing either the broken or loading state is changing. Then when we process the restyle in RestyleManager::RestyleElement we hit the UsesRootEMUnits case because the testcase has a rem unit in a style element. This sets mRebuildAllExtraHint to the reconstruct frame hint. So in RestyleManager::StartRebuildAllStyleData we use that hint, and we use the root frame (which doesn't have a content node), so a recreate frame call is asked for on a null content node.
Comment 2•7 years ago
This doesn't reproduce with Stylo enabled, so we can probably close this out once that's the only configuration we support.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 3•7 years ago
On second thought, better to hold off on closing this until Stylo is shipping on all platforms.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•7 years ago
Has Regression Range: --- → no
status-firefox56: --- → wontfix
status-firefox57: --- → fixed
status-firefox58: --- → fixed
status-firefox-esr52: --- → wontfix
Whiteboard: [fixed by stylo]
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/78a4d0d2dfb7 Add crashtest. r=me DONTBUILD
Updated•6 years ago
Status: REOPENED → RESOLVED
Closed: 7 years ago → 6 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
Comment 5•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/78a4d0d2dfb7
Updated•6 years ago
Assignee: nobody → jkratzer