Bug 1354671 - [aarch64] crash @ nsLayoutUtils::GetLastSibling
Summary: [aarch64] crash @ nsLayoutUtils::GetLastSibling
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 26
Hardware: aarch64
OS: Linux
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:dfeb29614ecacabf90a0a86b674...
Duplicates: 1374850 1404344
Blocks: ARMTracker

Reported: 2016-07-11 22:27 UTC by Jeremy Linton
Modified: 2018-01-17 09:48 UTC

Fixed In Version: firefox-51.0-3.fc24
Last Closed: 2018-01-17 09:48:03 UTC

Attachments
File: backtrace (12.83 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: cgroup (369 bytes, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: core_backtrace (8.19 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: dso_list (13.02 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: environ (3.09 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: limits (1.29 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: maps (51.76 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: mountinfo (3.14 KB, text/plain), 2016-07-11 22:27 UTC, Jeremy Linton
File: namespaces (102 bytes, text/plain), 2016-07-11 22:28 UTC, Jeremy Linton
File: open_fds (3.09 KB, text/plain), 2016-07-11 22:28 UTC, Jeremy Linton
File: proc_pid_status (958 bytes, text/plain), 2016-07-11 22:28 UTC, Jeremy Linton
File: var_log_messages (308 bytes, text/plain), 2016-07-11 22:28 UTC, Jeremy Linton
File: backtrace (4.24 KB, text/plain), 2016-09-20 15:59 UTC, Paul Whalen
Patch as suggested in comments. (1.55 KB, patch), 2017-01-20 17:38 UTC, Tarell Ware

Description Jeremy Linton 2016-07-11 22:27:48 UTC
Description of problem:
Just trying to start firefox. 

Tried using cinnamon, and now kde. The graphics card is a radeon HD 5450 in a JunoR2, using DRM (rather than the ati driver at the moment)

Version-Release number of selected component:
firefox-47.0-6.fc24

Additional info:
reporter:       libreport-2.7.1
backtrace_rating: 3
cmdline:        /usr/lib64/firefox/firefox
crash_function: raise
executable:     /usr/lib64/firefox/firefox
global_pid:     14996
kernel:         4.5.5-300.fc24.aarch64
pkg_fingerprint: B863 5EEB 030D 5AED
pkg_vendor:     Fedora Project
reproducible:   The problem occurs regularly
runlevel:       N 3
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 raise
 #1 nsProfileLock::FatalSignalHandler at /usr/src/debug/firefox-47.0/firefox-47.0/toolkit/profile/nsProfileLock.cpp:181
 #3 nsLayoutUtils::GetLastSibling at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsLayoutUtils.cpp:1797
 #4 nsFrameList::SetFrames at /usr/src/debug/firefox-47.0/firefox-47.0/layout/generic/nsFrameList.cpp:68
 #5 nsFrameConstructorState::AddChild at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:1245
 #6 nsCSSFrameConstructor::ConstructFrameFromItemInternal at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:3913
 #7 nsCSSFrameConstructor::ConstructFramesFromItem at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:6049
 #8 nsCSSFrameConstructor::ConstructFramesFromItemList at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:10411
 #9 nsCSSFrameConstructor::ProcessChildren at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:10611
 #10 nsCSSFrameConstructor::ConstructFrameFromItemInternal at /usr/src/debug/firefox-47.0/firefox-47.0/layout/base/nsCSSFrameConstructor.cpp:3978

Comment 1 Jeremy Linton 2016-07-11 22:27:51 UTC
Created attachment 1178576 [details]
File: backtrace

Comment 2 Jeremy Linton 2016-07-11 22:27:52 UTC
Created attachment 1178577 [details]
File: cgroup

Comment 3 Jeremy Linton 2016-07-11 22:27:53 UTC
Created attachment 1178578 [details]
File: core_backtrace

Comment 4 Jeremy Linton 2016-07-11 22:27:54 UTC
Created attachment 1178579 [details]
File: dso_list

Comment 5 Jeremy Linton 2016-07-11 22:27:55 UTC
Created attachment 1178580 [details]
File: environ

Comment 6 Jeremy Linton 2016-07-11 22:27:56 UTC
Created attachment 1178581 [details]
File: limits

Comment 7 Jeremy Linton 2016-07-11 22:27:58 UTC
Created attachment 1178582 [details]
File: maps

Comment 8 Jeremy Linton 2016-07-11 22:27:59 UTC
Created attachment 1178583 [details]
File: mountinfo

Comment 9 Jeremy Linton 2016-07-11 22:28:00 UTC
Created attachment 1178584 [details]
File: namespaces

Comment 10 Jeremy Linton 2016-07-11 22:28:01 UTC
Created attachment 1178585 [details]
File: open_fds

Comment 11 Jeremy Linton 2016-07-11 22:28:02 UTC
Created attachment 1178586 [details]
File: proc_pid_status

Comment 12 Jeremy Linton 2016-07-11 22:28:03 UTC
Created attachment 1178587 [details]
File: var_log_messages

Comment 13 Jeremy Linton 2016-08-02 18:14:46 UTC
Same thing happens with acceleration turned on.

Comment 14 Paul Whalen 2016-09-09 20:33:06 UTC
*** Bug 1374850 has been marked as a duplicate of this bug. ***

Comment 15 Peter Robinson 2016-09-10 20:47:02 UTC
Can you try v48, or possibly even v49 from rawhide/f26

Comment 16 Jeremy Linton 2016-09-13 17:00:59 UTC
[root@mammon-juno ~]# rpm -q firefox
firefox-48.0.1-1.fc25.aarch64
[root@mammon-juno ~]# firefox 
Segmentation fault (core dumped)
gdb /usr/lib64/firefox/firefox core.firefox.1473783380.14629
(trimming)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/lib64/firefox/firefox'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:58
58      }
[Current thread is 1 (Thread 0x3ff80815070 (LWP 14629))]
(gdb) bt
#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x000003ff7c521c4c in nsProfileLock::FatalSignalHandler (signo=11, info=0x3ffd61162e0, context=0x3ffd6116360) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/profile/nsProfileLock.cpp:181
#2  <signal handler called>
#3  0x000003ff7c079c04 in nsLayoutUtils::GetLastSibling (aFrame=0xe5e5e5e5e5e5e5e5) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsLayoutUtils.cpp:1914
#4  0x000003ff7c0f2d54 in nsFrameList::SetFrames (this=0x3ffd6117c78, aFrameList=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/generic/nsFrameList.cpp:68
#5  0x000003ff7c03e798 in nsFrameConstructorState::AddChild (this=0x3ffd61181d8, aNewFrame=0x3ff61e5e930, aFrameItems=..., aContent=0x3ff5e466820, aStyleContext=0x3ff61e5e5c0, aParentFrame=
    0x3ff61e41c40, aCanBePositioned=<optimized out>, aCanBeFloated=<optimized out>, aIsOutOfFlowPopup=false, aInsertAfter=false, aInsertAfterFrame=0x0)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:1302
#6  0x000003ff7c0604ac in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff68b37780, aItem=..., aState=..., aParentFrame=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:3937
#7  0x000003ff7c060c58 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff68b37780, aState=..., aIter=..., aParentFrame=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:6081
#8  0x000003ff7c0612d8 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=this@entry=0x3ff68b37780, aState=..., aItems=..., aParentFrame=aParentFrame@entry=0x3ff61e41c40, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10498
#9  0x000003ff7c05f954 in nsCSSFrameConstructor::ProcessChildren (this=0x3ff68b37780, aState=..., aContent=0x3ff5e4660d0, aStyleContext=<optimized out>, aFrame=0x3ff61e41c40, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=<optimized out>, aPendingBinding=0x3ff5e447f20, aPossiblyLeafFrame=0x3ff61e41c40)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10699
#10 0x000003ff7c0608f4 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=this@entry=0x3ff68b37780, aItem=..., aState=..., aParentFrame=<optimized out>, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4002
#11 0x000003ff7c060c58 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x3ff68b37780, aState=..., aIter=..., aParentFrame=0x3ff61e41440, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:6081
#12 0x000003ff7c0612d8 in nsCSSFrameConstructor::ConstructFramesFromItemList (this=0x3ff68b37780, aState=..., aItems=..., aParentFrame=0x3ff61e41440, aFrameItems=...)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:10498
#13 0x000003ff7c062044 in nsCSSFrameConstructor::CreateAnonymousFrames (this=this@entry=0x3ff68b37780, aState=..., aParent=aParent@entry=0x3ff618f7730, aParentFrame=aParentFrame@entry=0x3ff61e41440, 
    aPendingBinding=aPendingBinding@entry=0x0, aChildItems=...) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4132
#14 0x000003ff7c06258c in nsCSSFrameConstructor::BeginBuildingScrollFrame (this=0x3ff68b37780, aState=..., aContent=0x3ff618f7730, aContentStyle=0x3ff61e40140, aParentFrame=<optimized out>, 
    aScrolledPseudo=0x3ff6ea92620, aIsRoot=<optimized out>, aNewFrame=@0x3ffd61181b8: 0x0) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:4540
#15 0x000003ff7c062768 in nsCSSFrameConstructor::SetUpDocElementContainingBlock (this=this@entry=0x3ff68b37780, aDocElement=aDocElement@entry=0x3ff618f7730)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:2875
#16 0x000003ff7c068d50 in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x3ff68b37780, aDocElement=0x3ff618f7730, aFrameState=0x0)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:2411
#17 0x000003ff7c069cb8 in nsCSSFrameConstructor::ContentRangeInserted (this=0x3ff68b37780, aContainer=aContainer@entry=0x0, aStartChild=aStartChild@entry=0x3ff618f7730, aEndChild=0x0, 
    aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:7631
#18 0x000003ff7c06a458 in nsCSSFrameConstructor::ContentInserted (this=<optimized out>, aContainer=aContainer@entry=0x0, aChild=aChild@entry=0x3ff618f7730, aFrameState=aFrameState@entry=0x0, 
    aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsCSSFrameConstructor.cpp:7521
#19 0x000003ff7c0af864 in PresShell::Initialize (this=0x3ff61853800, aWidth=<optimized out>, aHeight=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/layout/base/nsPresShell.cpp:1685
#20 0x000003ff7af173dc in nsContentSink::StartLayout (this=<optimized out>, aIgnorePendingSheets=aIgnorePendingSheets@entry=false, this=<optimized out>)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/dom/base/nsContentSink.cpp:1216
#21 0x000003ff7abedf20 in nsHtml5TreeOpExecutor::StartLayout (this=this@entry=0x3ff61852400) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOpExecutor.cpp:614
#22 0x000003ff7ac0d344 in nsHtml5TreeOperation::Perform (this=0x3ff6185bad8, aBuilder=0x3ff61852400, aScriptElement=<optimized out>)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOperation.cpp:991
#23 0x000003ff7ac09898 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x3ff61852400) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5TreeOpExecutor.cpp:451
#24 0x000003ff7ac09be0 in nsHtml5ExecutorFlusher::Run (this=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/parser/html/nsHtml5StreamParser.cpp:125
#25 0x000003ff7a5d6400 in nsThread::ProcessNextEvent (this=0x3ff7db60eb0, aMayWait=<optimized out>, aResult=0x3ffd6118e97) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/xpcom/threads/nsThread.cpp:994
#26 0x000003ff7a5f9184 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x3ff7db60eb0, aMayWait=aMayWait@entry=false)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/xpcom/glue/nsThreadUtils.cpp:290
#27 0x000003ff7a83d3c4 in mozilla::ipc::MessagePump::Run (this=0x3ff7e786f40, aDelegate=0x3ff70860080) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/ipc/glue/MessagePump.cpp:98
#28 0x000003ff7a820b1c in MessageLoop::Run (this=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/ipc/chromium/src/base/message_loop.cc:230
#29 0x000003ff7be19b44 in nsBaseAppShell::Run (this=0x3ff6ac255c0) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/widget/nsBaseAppShell.cpp:156
#30 0x000003ff7c4e0be4 in nsAppStartup::Run (this=0x3ff6a9f2360) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/components/startup/nsAppStartup.cpp:284
#31 0x000003ff7c52a07c in XREMain::XRE_mainRun (this=this@entry=0x3ffd6119138) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4347
#32 0x000003ff7c52a880 in XREMain::XRE_main (this=this@entry=0x3ffd6119138, argc=argc@entry=1, argv=argv@entry=0x3ffd611a668, aAppData=aAppData@entry=0x3ffd6119338)
    at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4451
#33 0x000003ff7c52aad8 in XRE_main (argc=1, argv=0x3ffd611a668, aAppData=0x3ffd6119338, aFlags=<optimized out>) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/toolkit/xre/nsAppRunner.cpp:4559
#34 0x000002aae19d5738 in do_main (argc=1, argv=0x3ffd611a668, envp=<optimized out>, xreDirectory=0x3ff7e741d20) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/browser/app/nsBrowserApp.cpp:220
#35 0x000002aae19d4c78 in main (argc=1, argv=0x3ffd611a668, envp=0x3ffd611a678) at /usr/src/debug/firefox-48.0.1/firefox-48.0.1/browser/app/nsBrowserApp.cpp:360

Comment 17 Paul Whalen 2016-09-20 15:59:57 UTC
Similar problem has been detected:

Attempt to launch Firefox on aarch64.

reporter:       libreport-2.8.0
backtrace_rating: 4
cmdline:        /usr/lib64/firefox/firefox
crash_function: raise
executable:     /usr/lib64/firefox/firefox
global_pid:     1951
kernel:         4.8.0-0.rc6.git0.1.fc25.aarch64
package:        firefox-49.0-2.fc26
pkg_vendor:     Fedora Project
reason:         firefox killed by SIGSEGV
runlevel:       N 3
type:           CCpp
uid:            1000

Comment 18 Paul Whalen 2016-09-20 15:59:59 UTC
Created attachment 1202956 [details]
File: backtrace

Comment 19 Jeremy Linton 2016-10-21 18:36:35 UTC
Still there with
[root@localhost ~]# rpm -qa |grep firefox
firefox-49.0-3.fc26.aarch64

Comment 20 Jeremy Linton 2016-10-25 15:42:45 UTC
Dope, wrong bug.. Unblocking all that.

Comment 21 Paul Whalen 2016-12-13 16:06:18 UTC
*** Bug 1404344 has been marked as a duplicate of this bug. ***

Comment 22 Paul Whalen 2016-12-13 16:07:44 UTC
This still happens with firefox-50.0.2-2.fc26.aarch64

Comment 23 Jeremy Linton 2016-12-15 21:29:27 UTC
As a further datapoint firefox-50.1.0-1.fc26.aarch64 is coredumping, in the usual place, while a local build of a patched firefox repo is working. So this looks like it could be specific to the fedora configuration/compiler flags/etc.

Comment 24 Jeremy Linton 2016-12-16 01:45:31 UTC
Ok, a `fedpkg local` built version fails, yet a patched version generated with make works.

Digging into it a little more and we find:

(gdb) print *(nsIFrame *) 0xffffa2365c70
$59 = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0xffffb4fea150 <vtable for nsScrollbarFrame+16>}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, 
  static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, 
  static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, 
  static kSelectPopupList = mozilla::layout::kSelectPopupList, static kBackdropList = mozilla::layout::kBackdropList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {
      x = 0, y = 0, width = 0, height = 0}, <No data fields>}, mContent = 0xe5e5e5e5e5e5e5e5, mStyleContext = 0xffffa2364ce0, mParent = 0xe5e5e5e5e5e5e5e5, mNextSibling = 0xe5e5e5e5e5e5e5e5, mPrevSibling = 0xe5e5e5e5e5e5e5e5, mState = 12583938, mOverflow = {mType = 3857049061, mVisualDeltas = {mLeft = 229 '\345', 
      mTop = 229 '\345', mRight = 229 '\345', mBottom = 229 '\345'}}}
(gdb) bt
#0  0x0000ffffb3615b60 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aItem=..., aState=..., aParentFrame=0xffffa2365468, aFrameItems=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:3881
#1  0x0000ffffb3616468 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aState=..., aIter=..., aParentFrame=aParentFrame@entry=0xffffa2365468, aFrameItems=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:6103
#2  0x0000ffffb3616a94 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aState=..., aItems=..., aParentFrame=aParentFrame@entry=0xffffa2365468, aFrameItems=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:10524
#3  0x0000ffffb3617898 in nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, PendingBinding*, nsFrameItems&) (this=this@entry=0xffffa5b311f0, aState=..., aParent=aParent@entry=0xffffa5b6a330, aParentFrame=aParentFrame@entry=0xffffa2365468, aPendingBinding=aPendingBinding@entry=0x0, aChildItems=...) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:4150
#4  0x0000ffffb3617d7c in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) (this=this@entry=0xffffa5b311f0, aState=..., aContent=aContent@entry=0xffffa5b6a330, aContentStyle=aContentStyle@entry=0xffffa2364140, aParentFrame=aParentFrame@entry=0xffffa2364938, aScrolledPseudo=aScrolledPseudo@entry=0xffffac892700, aIsRoot=aIsRoot@entry=true, aNewFrame=@0xffffffffba78: 0x0) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:4565
#5  0x0000ffffb3617f58 in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) (this=this@entry=0xffffa5b311f0, aDocElement=aDocElement@entry=0xffffa5b6a330) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:2891
#6  0x0000ffffb361da00 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) (this=this@entry=0xffffa5b311f0, aDocElement=aDocElement@entry=0xffffa5b6a330, aFrameState=aFrameState@entry=0x0)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:2411
#7  0x0000ffffb361ea38 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) (this=0xffffa5b311f0, aContainer=aContainer@entry=0x0, aStartChild=aStartChild@entry=0xffffa5b6a330, aEndChild=0x0, aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:7657
#8  0x0000ffffb361f1f0 in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) (this=<optimized out>, aContainer=aContainer@entry=0x0, aChild=aChild@entry=0xffffa5b6a330, aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:7547
#9  0x0000ffffb3687418 in PresShell::Initialize(int, int) (this=0xffffa2354000, aWidth=<optimized out>, aHeight=<optimized out>) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsPresShell.cpp:1731
#10 0x0000ffffb242a5c4 in nsContentSink::StartLayout(bool) (this=this@entry=0xffffa2352c00, aIgnorePendingSheets=aIgnorePendingSheets@entry=false, this=<optimized out>) at /root/firefox/firefox-50.1.0/firefox-50.1.0/dom/base/nsContentSink.cpp:1210
#11 0x0000ffffb20bb840 in nsHtml5TreeOpExecutor::StartLayout() (this=0xffffa2352c00) at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5TreeOpExecutor.cpp:614
#12 0x0000ffffb20dc07c in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) (this=this@entry=0xffffa235bea8, aBuilder=aBuilder@entry=0xffffa2352c00, aScriptElement=aScriptElement@entry=0xffffffffc6a0) at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5TreeOperation.cpp:990
#13 0x0000ffffb20d8638 in nsHtml5TreeOpExecutor::RunFlushLoop() (this=0xffffa2352c00) at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5TreeOpExecutor.cpp:449
#14 0x0000ffffb20d88b8 in nsHtml5TreeOpExecutor::RunFlushLoop() (this=<optimized out>) at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5StreamParser.cpp:125
#15 0x0000ffffb20d88b8 in nsHtml5ExecutorFlusher::Run() (this=<optimized out>) at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5StreamParser.cpp:128
#16 0x0000ffffb1a66248 in nsThread::ProcessNextEvent(bool, bool*) (this=0xffffb5370de0, aMayWait=<optimized out>, aResult=0xffffffffc7b7) at /root/firefox/firefox-50.1.0/firefox-50.1.0/xpcom/threads/nsThread.cpp:1076
#17 0x0000ffffb1a89474 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0xffffb5370de0, aMayWait=aMayWait@entry=true) at /root/firefox/firefox-50.1.0/firefox-50.1.0/xpcom/glue/nsThreadUtils.cpp:290
#18 0x0000ffffb38edcb4 in nsXULWindow::ShowModal() (this=0xffffb535f450) at /root/firefox/firefox-50.1.0/firefox-50.1.0/xpfe/appshell/nsXULWindow.cpp:408
#19 0x0000ffffb38b5140 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, float*, mozIDOMWindowProxy**) (this=this@entry=0xffffa7630d80, aParent=aParent@entry=0x0, aUrl=aUrl@entry=0xffffa2da7d20 "chrome://browser/content/safeMode.xul", aName=aName@entry=0xffffa2fd0910 "_blank", aFeatures=aFeatures@entry=0xffffa2da7db0 "chrome,centerscreen,modal,resizable=no", aCalledFromJS=aCalledFromJS@entry=false, aDialog=aDialog@entry=false, aNavigate=aNavigate@entry=true, aArgv=aArgv@entry=0x0, aOpenerFullZoom=aOpenerFullZoom@entry=0x0, aResult=aResult@entry=0xffffffffcea8) at /root/firefox/firefox-50.1.0/firefox-50.1.0/embedding/components/windowwatcher/nsWindowWatcher.cpp:1307
#20 0x0000ffffb38b5764 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) (this=0xffffa7630d80, aParent=0x0, aUrl=0xffffa2da7d20 "chrome://browser/content/safeMode.xul", aName=0xffffa2fd0910 "_blank", aFeatures=0xffffa2da7db0 "chrome,centerscreen,modal,resizable=no", aArguments=<optimized out>, aResult=0xffffffffcea8) at /root/firefox/firefox-50.1.0/firefox-50.1.0/embedding/components/windowwatcher/nsWindowWatcher.cpp:375
#21 0x0000ffffb1a706e4 in _NS_InvokeByIndex () at /root/firefox/firefox-50.1.0/firefox-50.1.0/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_aarch64.s:58
#22 0x0000000000000000 in  ()


Which makes it appear like the pointer members of nsIFrame are not being initialized to nullptr. So they then get carried along and used as valid pointers.


The nsBox() constructor is being called by nsFrame's constructor, but it seems that either the nsIFrame's constructor isn't initializing the pointers, or it's not being called by nsBox's.

More to come tomorrow.

Comment 25 Jeremy Linton 2016-12-16 21:17:04 UTC
Yah, so I double verified this. C++ doesn't initialize built-in types declared in classes, which is why Weffc++ warns about initializer lists. So, it's a bug in firefox. The nsIFrame needs a constructor to initialize the members, in particular mContent(nullptr), mStyleContext(nullptr), mParent(nullptr), mNextSibling(nullptr), mPrevSibling(nullptr).

That fixes the bug indicated by the initial calltrace, but then crashes in:

#0  0x000003ffb372a30c in nsSplittableFrame::FirstContinuation() const (this=<optimized out>)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/generic/nsSplittableFrame.cpp:82
#1  0x000003ffb35fea14 in AdjustAbsoluteContainingBlock (aContainingBlockIn=0x3ffa1d6b100)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:1048
#2  0x000003ffb35fea14 in nsFrameConstructorState::PushAbsoluteContainingBlock(nsContainerFrame*, nsIFrame*, nsFrameConstructorSaveState&) (
    this=this@entry=0x3ffffffd228, aNewAbsoluteContainingBlock=0x3ffa1d6b100, aPositionedFrame=0x3ffa1d6b100, aSaveState=...)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:1070
#3  0x000003ffb361dec0 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) (this=this@entry=0x3ffa4b46810, aDocElement=aDocElement@entry=0x3ffa09a3cc0, aFrameState=aFrameState@entry=0x0) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:2506
#4  0x000003ffb361ea38 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) (this=0x3ffa4b46810, aContainer=aContainer@entry=0x0, aStartChild=aStartChild@entry=0x3ffa09a3cc0, aEndChild=0x0, aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false) at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:7657
#5  0x000003ffb361f1f0 in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) (this=<optimized out>, aContainer=aContainer@entry=0x0, aChild=aChild@entry=0x3ffa09a3cc0, aFrameState=aFrameState@entry=0x0, aAllowLazyConstruction=aAllowLazyConstruction@entry=false)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsCSSFrameConstructor.cpp:7547
#6  0x000003ffb3687418 in PresShell::Initialize(int, int) (this=0x3ffa1d55400, aWidth=<optimized out>, aHeight=<optimized out>)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/layout/base/nsPresShell.cpp:1731
#7  0x000003ffb242a5c4 in nsContentSink::StartLayout(bool) (this=this@entry=0x3ffa1d54000, aIgnorePendingSheets=aIgnorePendingSheets@entry=false, this=<optimized out>)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/dom/base/nsContentSink.cpp:1210
#8  0x000003ffb20bb840 in nsHtml5TreeOpExecutor::StartLayout() (this=0x3ffa1d54000)
    at /root/firefox/firefox-50.1.0/firefox-50.1.0/parser/html/nsHtml5TreeOpExecutor.cpp:614


With another similar crash.

Basically what's happening is the heap poisoning is filling the objects with garbage, and classes which are missing initializers for pointers are then getting 0xe5e5e5e5e5e5e5e5, which passes all the null pointer checks.

Comment 26 Jeremy Linton 2016-12-16 23:36:56 UTC
So, there are a couple fixes here. A whole class of these problems can be fixed by putting an __attribute__((optimize("no-lifetime-dse"))) in the class being called by the session classes' new operators. like:

void* __attribute__((optimize("no-lifetime-dse"))) AllocateFrame(nsQueryFrame::FrameIID aID, size_t aSize)

in the nsIPresShell.h's nsIPresShell class.


That hides a whole host of classes lacking proper initializers on their pointer structures. 

For instance the crash listed in this defect is correctly solved via a constructor in nsIFrame.h like:

  nsIFrame() : nsQueryFrame(), mRect(), mContent(nullptr),
               mStyleContext(nullptr), mParent(nullptr), mNextSibling(nullptr),
               mPrevSibling(nullptr), mState()
  {
  }

That moves the crash to nsSplittableFrame a few million cycles later.

That can be solved via

  explicit nsSplittableFrame(nsStyleContext* aContext) : nsFrame(aContext), mPrevContinuation(nullptr),  mNextContinuation(nullptr)
  {
  }

and on and on, until I got bored fixing them and just tossed the no-lifetime-dse into AllocateFrame.

If you want a quick fix I would just plug in the DSE tweak into AllocateFrame.
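The failure mode described in comments 24 to 26, reduced to a stand-alone illustration. This is an added example, not code from Firefox or from the attached patch: PoisonedArena, BuggyFrame, FixedFrame and LastSibling are hypothetical stand-ins for the frame arena, nsIFrame before and after the constructor fix, and the walk in nsLayoutUtils::GetLastSibling.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Poison byte the frame arena writes into recycled storage; the gdb dumps above
// show it as 0xe5e5e5e5e5e5e5e5 in every uninitialised pointer member.
static const unsigned char kPoisonByte = 0xe5;

// The pointer-sized poison value for this platform (0xe5 repeated).
static uintptr_t PoisonValue() {
  uintptr_t v;
  std::memset(&v, kPoisonByte, sizeof v);
  return v;
}

// True if a pointer holds the poison pattern: it passes "!= nullptr" but must
// never be dereferenced. This is what the garbage in the dump looks like to code.
static bool IsPoisonPointer(const void* p) {
  return reinterpret_cast<uintptr_t>(p) == PoisonValue();
}

// Hypothetical stand-in for the arena behind AllocateFrame: hands out raw
// storage pre-filled with the poison pattern, as a recycled chunk would be.
// The volatile loop keeps the compiler from dropping the fill as a dead store,
// which is the lifetime-DSE behaviour the comments work around.
struct PoisonedArena {
  alignas(std::max_align_t) unsigned char storage[4096];
  size_t used = 0;

  void* Allocate(size_t aSize) {
    const size_t align = alignof(std::max_align_t);
    size_t rounded = (aSize + align - 1) & ~(align - 1);
    if (used + rounded > sizeof storage) return nullptr;
    unsigned char* p = storage + used;
    used += rounded;
    volatile unsigned char* vp = p;
    for (size_t i = 0; i < rounded; ++i) vp[i] = kPoisonByte;
    return p;
  }
};

// Hypothetical frame with the defect from comment 25: pointer members are
// declared but no constructor sets them, so whatever the arena held survives.
struct BuggyFrame {
  BuggyFrame* mNextSibling;
  BuggyFrame* mPrevSibling;
  void* mContent;
};

// The same layout with the initializer-list fix from comment 26.
struct FixedFrame {
  FixedFrame* mNextSibling;
  FixedFrame* mPrevSibling;
  void* mContent;
  FixedFrame() : mNextSibling(nullptr), mPrevSibling(nullptr), mContent(nullptr) {}
};

// Simplified analogue of the loop in nsLayoutUtils::GetLastSibling. The real
// code only checks for nullptr; this version also stops on the poison pattern
// and reports it, so the defect can be observed instead of crashing on it.
template <class F>
static const F* LastSibling(const F* aFrame, bool* aHitPoison) {
  *aHitPoison = false;
  const F* cur = aFrame;
  while (cur) {
    const F* next = cur->mNextSibling;
    if (IsPoisonPointer(next)) { *aHitPoison = true; return cur; }
    if (!next) return cur;
    cur = next;
  }
  return nullptr;
}

// Places a BuggyFrame in poisoned storage. Returns true when its sibling
// pointer is non-null garbage: a null check passes and the walk would follow it.
static bool BuggyFrameLeaksPoison() {
  PoisonedArena arena;
  BuggyFrame* f = new (arena.Allocate(sizeof(BuggyFrame))) BuggyFrame;
  bool hit = false;
  LastSibling(f, &hit);
  return hit && f->mNextSibling != nullptr;
}

// Same experiment with the fixed class: every pointer is nullptr regardless of
// what the arena handed out, and the walk ends at the frame itself.
static bool FixedFrameIsClean() {
  PoisonedArena arena;
  FixedFrame* f = new (arena.Allocate(sizeof(FixedFrame))) FixedFrame();
  bool hit = false;
  const FixedFrame* last = LastSibling(f, &hit);
  return !hit && last == f && f->mContent == nullptr && f->mPrevSibling == nullptr;
}
```

Building the real tree with -Weffc++ flags the missing initializer lists at compile time, which is cheaper than finding them one crash at a time as comment 26 describes.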

Comment 27 Jeremy Linton 2017-01-13 15:48:20 UTC
Upstream bug is here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1321579

Comment 28 Tarell Ware 2017-01-20 17:38:40 UTC
Created attachment 1242952 [details]
Patch as suggested in comments.

Comment 29 Martin Stransky 2017-01-24 10:27:02 UTC
(In reply to Tarell Ware from comment #28)
> Created attachment 1242952 [details]
> Patch as suggested in comments.

Great, thanks. Can you please attach the patch at https://bugzilla.mozilla.org/show_bug.cgi?id=1321579 to get it upstream?

Comment 30 Fedora Update System 2017-01-24 11:58:54 UTC
firefox-51.0-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-36b325dac3

Comment 31 Fedora Update System 2017-01-24 11:59:05 UTC
firefox-51.0-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5df7a4018c

Comment 32 Tarell Ware 2017-01-24 18:23:50 UTC
Posted to Mozilla.

Comment 33 Fedora Update System 2017-01-25 01:23:08 UTC
firefox-51.0-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5df7a4018c

Comment 34 Rob Clark 2017-01-25 15:57:24 UTC
btw, anyone have any idea if this is related to (or will fix) this crash in gnome-shell?

0x0000ffffb50df570 in js::ObjectImpl::setFlag(js::ExclusiveContext*, unsigned int, js::ObjectImpl::GenerateShape) () from /lib64/libmozjs-31.so

Comment 35 Jeremy Linton (ARM) 2017-01-25 16:44:13 UTC
What's the full backtrace? (is there another bug) I need to also watch out for 48bit VA issues, because I don't think this patch has been merged.

https://bugzilla.redhat.com/show_bug.cgi?id=1395969

Comment 36 Rob Clark 2017-01-25 16:53:23 UTC
(In reply to Jeremy Linton from comment #35)
> Whats the full backtrace? (is there another bug) I need to also watch out
> for 48bit VA issues, because I don't think this patch has been merged.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1395969

somehow (and maybe this is just a transient issue), I'm having trouble getting debuginfo for a full backtrace at the moment:

  Error: Failed to synchronize cache for repo 'rawhide-debuginfo'

It is a self-built kernel but I do have CONFIG_ARM64_VA_BITS_48=y.  I'm firing off a kernel build w/ 39b va instead.

(g-s did work in rawhide, at least as of a few weeks ago.  I can't guarantee that I was using same va size before, but unless that changed in defconfig recently upstream I probably was using 48b)

Comment 37 Jeremy Linton 2017-01-25 16:59:26 UTC
A few weeks ago gnome shell was linked against mozjs24...

Comment 38 Fedora Update System 2017-01-25 20:22:50 UTC
firefox-51.0-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 39 Fedora Update System 2017-01-28 19:20:08 UTC
firefox-51.0-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-36b325dac3

Comment 40 Fedora End Of Life 2017-02-28 10:00:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 41 Martin Stransky 2018-01-17 09:48:03 UTC
Hope it's fixed now.
