Closed Bug 1881375 Opened 4 months ago Closed 2 months ago

crash near null in [@ nsIFrame::BuildDisplayListForChild]

Categories: Core :: Layout, defect
Status: RESOLVED DUPLICATE of bug 1410243
Tracking Status: firefox125 --- affected
People: Reporter: tsmith, Assigned: dholbert
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files, 1 obsolete file

Attached file testcase.html

Found while fuzzing m-c 20240215-dbe553dd13b7 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==84465==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fcf25107db8 bp 0x7ffd5b383dd0 sp 0x7ffd5b383660 T0)
==84465==The signal is caused by a READ memory access.
==84465==Hint: address points to the zero page.
    #0 0x7fcf25107db8 in GetParent /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:941:48
    #1 0x7fcf25107db8 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4056:40
    #2 0x7fcf250d5878 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7389:13
    #3 0x7fcf250d29b2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7546:9
    #4 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #5 0x7fcf250f1573 in nsColumnSetFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1286:5
    #6 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #7 0x7fcf250d5878 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7389:13
    #8 0x7fcf250d29b2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7546:9
    #9 0x7fcf25109fc3 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4315:12
    #10 0x7fcf25288bc2 in nsGridContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9725:5
    #11 0x7fcf25109fc3 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4315:12
    #12 0x7fcf250d13a5 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7434:9
    #13 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #14 0x7fcf250f1573 in nsColumnSetFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1286:5
    #15 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #16 0x7fcf2511a165 in nsContainerFrame::DisplayOverflowContainers(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1220:7
    #17 0x7fcf250d1343 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7431:5
    #18 0x7fcf25109fc3 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4315:12
    #19 0x7fcf250d13a5 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7434:9
    #20 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #21 0x7fcf250f1573 in nsColumnSetFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1286:5
    #22 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #23 0x7fcf250d5878 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7389:13
    #24 0x7fcf250d29b2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7546:9
    #25 0x7fcf25109fc3 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4315:12
    #26 0x7fcf250d5878 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7389:13
    #27 0x7fcf250d29b2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7546:9
    #28 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #29 0x7fcf250f1573 in nsColumnSetFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1286:5
    #30 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #31 0x7fcf250d5878 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7389:13
    #32 0x7fcf250d29b2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7546:9
    #33 0x7fcf25109fc3 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4315:12
    #34 0x7fcf250e17a3 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:578:5
    #35 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #36 0x7fcf251f5b50 in nsHTMLScrollFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4204:7
    #37 0x7fcf2510a464 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #38 0x7fcf25081939 in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:66:3
    #39 0x7fcf252a8873 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3454:5
    #40 0x7fcf24f9076d in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3251:15
    #41 0x7fcf24e54a8a in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6481:5
    #42 0x7fcf24378ac3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
    #43 0x7fcf24377d9b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
    #44 0x7fcf2437b277 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
    #45 0x7fcf24da7be2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2819:11
    #46 0x7fcf24dbdd26 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
    #47 0x7fcf24dbdd26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
    #48 0x7fcf24dbd9fe in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
    #49 0x7fcf24dbd651 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
    #50 0x7fcf24dbc504 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
    #51 0x7fcf24dbb044 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:758:5
    #52 0x7fcf24dba642 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #53 0x7fcf24dba1f5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
    #54 0x7fcf230f0f6b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #55 0x7fcf237095dd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
    #56 0x7fcf234b71fa in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8276:32
    #57 0x7fcf1acb5e75 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
    #58 0x7fcf1acb187b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
    #59 0x7fcf1acb2c29 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #60 0x7fcf1acb41a3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #61 0x7fcf18fc849a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
    #62 0x7fcf18fae31b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
    #63 0x7fcf18faaef8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
    #64 0x7fcf18fab5f9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
    #65 0x7fcf18fd05c4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
    #66 0x7fcf18fd05c4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #67 0x7fcf18ff850f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #68 0x7fcf1900624a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #69 0x7fcf1acbf473 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #70 0x7fcf1aade45a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #71 0x7fcf1aade45a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #72 0x7fcf1aade45a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #73 0x7fcf244b2819 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #74 0x7fcf246bee82 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
    #75 0x7fcf294c0ace in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
    #76 0x7fcf1aade45a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #77 0x7fcf1aade45a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #78 0x7fcf1aade45a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #79 0x7fcf294c0073 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
    #80 0x55dcbebf353c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #81 0x55dcbebf353c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #82 0x7fcf41829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #83 0x7fcf41829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #84 0x55dcbeb17848 in _start (/home/user/workspace/browsers/m-c-20240221213323-fuzzing-asan-opt/firefox+0xdc848) (BuildId: 65fdf1733480c5bac694ad0fac37bab10d072067)
Flags: in-testsuite?
Crash Signature: [@ nsIFrame::GetParent ]
See Also: → 1820832
Keywords: pernosco-wanted

Verified bug as reproducible on mozilla-central 20240222043825-445c60e096fe.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: e4d0dac7f34f555d2085fd2f9fe07dc9318c87a6 (20230223094032)
End: dbe553dd13b79a3c4821f203f3adca31fe71cc56 (20240215210102)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Whiteboard: [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

A placeholder frame has no out of flow frame. Previously seen that in bug 1845417 and bug 1488781.

I get this for the regression range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=20b482455364fc14118bd32de96ae52cc81c7f3a&tochange=abda04d0bfe3304e216ac64e2848e9867d9f494b

The only thing that seems like it could be related is
0479e0a4cc15b77b14e1f9de8f5358bdbf2313ec Sean Feng — Bug 1591366 - Improve nested grid layout performance r=mats

See Also: → 1845417
See Also: → 1488781
Attachment #9382186 - Attachment is obsolete: true

We clear the oof frame pointer on the placeholder with a stack during reflow in the attachment I just posted.

Not sure who/where is responsible for destroying the placeholder after its oof goes away.

The severity field is not set for this bug.
:jwatt, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jwatt)

(In reply to Timothy Nikkel (:tnikkel) from comment #7)
> Not sure who/where is responsible for destroying the placeholder after its oof goes away.

I'm not sure either. Daniel, would you have any idea about that without too much digging?

Severity: -- → S2
Flags: needinfo?(jwatt) → needinfo?(dholbert)

(In reply to Jonathan Watt [:jwatt] from comment #9)
> (In reply to Timothy Nikkel (:tnikkel) from comment #7)
> > Not sure who/where is responsible for destroying the placeholder after its oof goes away.
>
> I'm not sure either. Daniel, would you have any idea about that without too much digging?

Looks like we've got some documentation here:
https://searchfox.org/mozilla-central/rev/6b39381c0056c0dff0820fffebedf9980adc8883/layout/generic/nsPlaceholderFrame.h#12-32

Per the documentation there, the expectation is that we destroy the placeholder before its oof goes away; so if the placeholder is still around after its OOF goes away, we're already in trouble.

I suspect the intended destruction-order normally happens "for free" since we do frame destruction using a sort of depth-first traversal, I think (and placeholders must be as-deep-or-deeper in the frame tree than their out-of-flow frame), but it seems we've got a case here where something's going amiss for whatever reason.

Flags: needinfo?(dholbert)

FWIW: in a debug build, I hit these assertions (nonfatal and then fatal) rather than crashing (presumably this is part of the setup for the conditions that would result in a crash in an opt build):

[Child 374001, Main Thread] ###!!! ASSERTION: Available block-size should be constrained because it's restricted by the computed block-size when our reflow input is created in nsBlockFrame::ReflowBlockFrame()!: 'aReflowInput.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file layout/generic/nsColumnSetFrame.cpp:898
[Child 374001, Main Thread] ###!!! ASSERTION: Available block-size should be constrained because it's restricted by the computed block-size when our reflow input is created in nsBlockFrame::ReflowBlockFrame()!: 'aReflowInput.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file layout/generic/nsColumnSetFrame.cpp:898
[Child 374001, Main Thread] ###!!! ASSERTION: Available block-size should be constrained because it's restricted by the computed block-size when our reflow input is created in nsBlockFrame::ReflowBlockFrame()!: 'aReflowInput.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file layout/generic/nsColumnSetFrame.cpp:898
[374001] Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at layout/generic/nsBlockFrame.cpp:1347

(In reply to Daniel Holbert [:dholbert] from comment #11)
> FWIW: in a debug build, I hit these assertions (nonfatal and then fatal)

For the fatal "caller should pass a fresh reflow status" assertion, we've got a handful of existing fuzzer bugs; bug 1410243 and bug 1741488 at least. Though I'm not immediately repro'ing that assertion failure with the testcases on those bugs at this point. (But I can with this bug's testcase, per comment 11).

Here's a pernosco trace of this bug's testcase terminating at that assertion-failure, in a debug build, FWIW:
https://pernos.co/debug/WU-gO4uNbl9T7txf9v1yvw/index.html

That makes it clear that we are indeed violating the contract of nsReflowStatus -- nsGridContainerFrame improperly reuses its own aStatus for its children in one case. We should fix that, and I think that might fix this crash too. (I suspect we're improperly reacting to the improperly-reused status somehow which ends up taking us down a path that makes us fail to remove the placeholder frame.)

I'll try landing a patch to address that fatal assertion over on bug 1410243, and if it works like I think it should, we can close this bug as fixed-by-that-one.

Assignee: nobody → dholbert
Status: NEW → ASSIGNED
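
The nsReflowStatus contract that comment 12 describes (the callee expects a fresh status; the caller must not hand its own, already-populated status to a child), modelled in a small stand-alone C++ program. This is an added illustration, not Gecko code and not the nsGridContainerFrame fix: ReflowStatus, Frame, reflowChild, reflowContainerFresh and reflowContainerReused are hypothetical names, and the sample children are constructed.

```cpp
// Added illustration of the nsReflowStatus "fresh status" contract; this is a
// toy model, not Gecko code. Names below (ReflowStatus, Frame, reflowChild,
// reflowContainerFresh, reflowContainerReused) are hypothetical.
#include <cstdio>
#include <vector>

// Model of a reflow status: the callee records whether it needs a
// continuation (more space in a later fragment).
struct ReflowStatus {
    bool incomplete = false;
    bool isEmpty() const { return !incomplete; }
};

// A child frame: how much block-size its content wants vs. what it is given.
struct Frame {
    int contentBSize;
    int availBSize;
};

// Callee side of the contract. Gecko's Reflow() implementations assert
// aStatus.IsEmpty() here ("Caller should pass a fresh reflow status!");
// the model records the check instead of aborting so both callers below
// run to completion. The callee only ever adds to aStatus, so stale state
// handed in by the caller is never cleared.
bool reflowChild(const Frame& f, ReflowStatus& aStatus) {
    bool wasFresh = aStatus.isEmpty();
    if (f.contentBSize > f.availBSize) aStatus.incomplete = true;
    return wasFresh;
}

struct ContainerResult {
    std::vector<int> continuationsFor;  // children the container will continue in a next fragment
    int contractViolations = 0;         // children that saw a non-fresh status
    bool containerIncomplete = false;   // what the container reports upward
};

// Correct caller: a fresh status per child, merged explicitly into the
// container's own status.
ContainerResult reflowContainerFresh(const std::vector<Frame>& kids) {
    ContainerResult r;
    ReflowStatus mine;
    for (size_t i = 0; i < kids.size(); ++i) {
        ReflowStatus childStatus;  // fresh for every child
        if (!reflowChild(kids[i], childStatus)) ++r.contractViolations;
        if (childStatus.incomplete) {
            r.continuationsFor.push_back(static_cast<int>(i));
            mine.incomplete = true;
        }
    }
    r.containerIncomplete = mine.incomplete;
    return r;
}

// Contract-violating caller: hands its own status to every child. Once one
// child sets incomplete, every later child appears incomplete as well, so
// the container creates continuations nothing asked for. This is the shape
// of the misuse comment 12 describes, not the actual nsGridContainerFrame code.
ContainerResult reflowContainerReused(const std::vector<Frame>& kids) {
    ContainerResult r;
    ReflowStatus mine;
    for (size_t i = 0; i < kids.size(); ++i) {
        if (!reflowChild(kids[i], mine)) ++r.contractViolations;
        if (mine.incomplete) r.continuationsFor.push_back(static_cast<int>(i));
    }
    r.containerIncomplete = mine.incomplete;
    return r;
}

// Constructed sample: child 0 overflows its space, children 1 and 2 fit.
const std::vector<Frame> kSampleKids = {{100, 50}, {10, 50}, {10, 50}};

int main() {
    ContainerResult fresh = reflowContainerFresh(kSampleKids);
    ContainerResult reused = reflowContainerReused(kSampleKids);
    std::printf("fresh status per child: %zu continuation(s), %d contract violation(s)\n",
                fresh.continuationsFor.size(), fresh.contractViolations);
    std::printf("reused parent status:   %zu continuation(s), %d contract violation(s)\n",
                reused.continuationsFor.size(), reused.contractViolations);
    return 0;
}
```

Both callers report the container itself as incomplete, which is correct; the difference is in the per-child decisions, where the reusing caller continues all three children instead of one. That is why this class of misuse can go unnoticed in an opt build and only surfaces through the debug-build assertion, or, as here, through a later crash once the extra or missing continuations leave the frame tree inconsistent.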

This is fixed via bug 1410243 (and I included a version of this bug's testcase as a crashtest there, which crashes before the patch but loads just fine after the patch).

--> Duping.

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Duplicate of bug: 1410243
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
