Looks like every crash report here involves `nsIFrame::ComputeISizeValue` working with its aStyleBSize param.
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7305

* in bp-73c1dd54-1f69-4ce4-a5e6-7ad760250926, it's the AsLengthPercentage here
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
```
(This is a case where `aStyleBSize` is `-webkit-fill-available` and we have a constrained `aCBSize.BSize(aWM)`, so we don't take the `IsAutoBSize` return on the previous line.)
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7333-7334

* in bp-952788e2-a23d-4d83-97f1-7bfdf0250925, it's an AsLengthPercentage buried a bit here:
  * https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7322,7333-7335,7340-7341
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
...
    const nscoord bSize = ComputeBSizeValueAsPercentageBasis(
        aStyleBSize, *stylePos->MinBSize(aWM, anchorResolutionParams),
```

Bug 1990034 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Looks like every crash report here involves `nsIFrame::ComputeISizeValue` working with its aStyleBSize param.
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7305

* in bp-73c1dd54-1f69-4ce4-a5e6-7ad760250926, it's the AsLengthPercentage here
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
```
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7333-7334
(This is a case where `aStyleBSize` is `-webkit-fill-available` and we have a constrained `aCBSize.BSize(aWM)`, so we don't take the `IsAutoBSize` return on the previous line.)

* in bp-952788e2-a23d-4d83-97f1-7bfdf0250925, it's an AsLengthPercentage buried a bit here: https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7322,7333-7335,7340-7341
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
...
    const nscoord bSize = ComputeBSizeValueAsPercentageBasis(
        aStyleBSize, *stylePos->MinBSize(aWM, anchorResolutionParams),
```
That^ `ComputeBSizeValueAsPercentageBasis` invocation calls `ComputeBSizeValueHandlingStretch`, which crashes on the final statement, which implies that the bsize there is something *other* than `-webkit-fill-available` (since `-webkit-fill-available` would take the `aSize.BehavesLikeStretchOnBlockAxis()` early-return).
https://hg-edge.mozilla.org/mozilla-central/file/e0c3190130f016554a7c41fee5b70832d74327c1/layout/base/nsLayoutUtils.h#l1615

Looks like every crash report here involves `nsIFrame::ComputeISizeValue` working with its aStyleBSize param.
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7305

* in bp-73c1dd54-1f69-4ce4-a5e6-7ad760250926, it's the AsLengthPercentage here
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
```
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7333-7334
(This is a case where `aStyleBSize` is `-webkit-fill-available` and we have a constrained `aCBSize.BSize(aWM)`, so we don't take the `IsAutoBSize` return on the previous line.)

* in bp-952788e2-a23d-4d83-97f1-7bfdf0250925, it's an AsLengthPercentage buried a bit here:
```cpp
    const nscoord bSize = ComputeBSizeValueAsPercentageBasis(
        aStyleBSize, *stylePos->MinBSize(aWM, anchorResolutionParams),
```
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7340-7341
That^ `ComputeBSizeValueAsPercentageBasis` invocation calls `ComputeBSizeValueHandlingStretch`, which crashes on the final statement, which implies that the bsize there is something *other* than `-webkit-fill-available` (since `-webkit-fill-available` would take the `aSize.BehavesLikeStretchOnBlockAxis()` early-return).
https://hg-edge.mozilla.org/mozilla-central/file/e0c3190130f016554a7c41fee5b70832d74327c1/layout/base/nsLayoutUtils.h#l1615

Looks like every crash report here involves `nsIFrame::ComputeISizeValue` working with its aStyleBSize param.
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7305

* in bp-73c1dd54-1f69-4ce4-a5e6-7ad760250926, it's the AsLengthPercentage here
```cpp
  Maybe<nscoord> iSizeFromAspectRatio = [&]() -> Maybe<nscoord> {
...
    return Some(ComputeISizeValueFromAspectRatio(
        aWM, aCBSize, aContentEdgeToBoxSizing,
        aStyleBSize.AsLengthPercentage(), aAspectRatio));
```
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7333-7334
(This is a case where `aStyleBSize` is `-webkit-fill-available` and we have a constrained `aCBSize.BSize(aWM)`, so we don't take the `IsAutoBSize` return on the previous line.)

* in bp-952788e2-a23d-4d83-97f1-7bfdf0250925, it's an AsLengthPercentage buried a bit here:
```cpp
    const nscoord bSize = ComputeBSizeValueAsPercentageBasis(
        aStyleBSize, *stylePos->MinBSize(aWM, anchorResolutionParams),
        *stylePos->MaxBSize(aWM, anchorResolutionParams),
        aCBSize.BSize(aWM), aContentEdgeToBoxSizing.BSize(aWM));
```
https://searchfox.org/firefox-main/rev/fd531836ca5e48e18a5afc171418bcbcb9d268e2/layout/generic/nsIFrame.cpp#7340-7343
That^ `ComputeBSizeValueAsPercentageBasis` invocation calls `ComputeBSizeValueHandlingStretch`, which crashes on the final statement, which implies that the bsize there is something *other* than `-webkit-fill-available` (since `-webkit-fill-available` would take the `aSize.BehavesLikeStretchOnBlockAxis()` early-return).
https://hg-edge.mozilla.org/mozilla-central/file/e0c3190130f016554a7c41fee5b70832d74327c1/layout/base/nsLayoutUtils.h#l1615
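
Added example, not part of the bug comment and not Firefox code: a simplified C++ model of the failure mode the comment describes, where a checked `AsLengthPercentage()` accessor is reached with a variant the preceding guard did not rule out. `SizeValue`, `Tag`, `IsAutoLike`, `BSizeUnchecked`, `BSizeChecked`, `UncheckedThrows` and the sentinel constants are hypothetical names; the throwing accessor stands in for an assertion crash, and the guard's behaviour is an assumption based on the comment's description.

```cpp
#include <stdexcept>

// Hypothetical model; none of these names are Firefox's own.
enum class Tag { Auto, LengthPercentage, Stretch, FitContent };
constexpr int kUnconstrained = -1;  // containing block has no definite block size
constexpr int kNoSize = -2;         // "no block size available to the caller"

struct SizeValue {
  Tag tag;
  int lengthPx;  // only meaningful when tag == Tag::LengthPercentage

  bool IsLengthPercentage() const { return tag == Tag::LengthPercentage; }
  bool BehavesLikeStretch() const { return tag == Tag::Stretch; }
  // Checked accessor: throws here, standing in for an assertion crash.
  int AsLengthPercentage() const {
    if (!IsLengthPercentage()) throw std::logic_error("wrong variant");
    return lengthPx;
  }
};

// Assumed guard: stretch is treated as auto only when cbBSize is unconstrained.
bool IsAutoLike(const SizeValue& s, int cbBSize) {
  return s.tag == Tag::Auto ||
         (s.BehavesLikeStretch() && cbBSize == kUnconstrained);
}

// Guard-then-access: passing the guard does not imply IsLengthPercentage().
int BSizeUnchecked(const SizeValue& s, int cbBSize) {
  if (IsAutoLike(s, cbBSize)) return kNoSize;
  return s.AsLengthPercentage();  // throws for Stretch with a constrained cbBSize
}

// Every variant is handled explicitly before the accessor is reached.
int BSizeChecked(const SizeValue& s, int cbBSize) {
  if (IsAutoLike(s, cbBSize)) return kNoSize;
  if (s.BehavesLikeStretch()) return cbBSize;   // assumed: fill the constrained size
  if (!s.IsLengthPercentage()) return kNoSize;  // any other keyword variant
  return s.AsLengthPercentage();
}

// True when the unchecked path hits the accessor with the wrong variant.
bool UncheckedThrows(const SizeValue& s, int cbBSize) {
  try {
    (void)BSizeUnchecked(s, cbBSize);
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}
```

The stretch value with a constrained containing block and the non-stretch keyword both reach the accessor in `BSizeUnchecked`, matching the two shapes of crash the comment distinguishes.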