1393841 - Assertion failure: kidOverflowBEnd >= kidBEnd

Status: NEW

(Core :: Layout: Positioned, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 20170825-2306e153fba9.

Assertion failure: kidOverflowBEnd >= kidBEnd, at /home/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:156
#01: nsBlockFrame::Reflow at layout/generic/nsBlockFrame.h:216
#02: nsBlockReflowContext::ReflowBlock at layout/generic/nsBlockReflowContext.cpp:307
#03: nsBlockFrame::ReflowFloat at layout/generic/nsBlockFrame.cpp:6395
#04: mozilla::BlockReflowInput::FlowAndPlaceFloat at layout/generic/BlockReflowInput.cpp:912
#05: mozilla::BlockReflowInput::AddFloat at layout/generic/BlockReflowInput.cpp:630
#06: nsLineLayout::ReflowFrame at layout/generic/nsLineLayout.cpp:963
#07: nsBlockFrame::ReflowInlineFrame at layout/generic/nsBlockFrame.cpp:4220
#08: nsBlockFrame::DoReflowInlineFrames at layout/generic/nsBlockFrame.cpp:4015
#09: nsBlockFrame::ReflowInlineFrames at layout/generic/nsBlockFrame.cpp:3892
#10: nsBlockFrame::ReflowLine at layout/generic/nsBlockFrame.cpp:2874
#11: nsBlockFrame::ReflowDirtyLines at layout/generic/nsBlockFrame.cpp:2407
#12: nsBlockFrame::Reflow at layout/generic/nsBlockFrame.cpp:1246
#13: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#14: nsColumnSetFrame::ReflowChildren at layout/generic/nsIFrame.h:294
#15: nsColumnSetFrame::ReflowColumns at layout/generic/nsColumnSetFrame.cpp:508
#16: nsColumnSetFrame::Reflow at layout/generic/nsColumnSetFrame.cpp:1250
#17: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#18: nsCanvasFrame::Reflow at layout/generic/nsCanvasFrame.cpp:758
#19: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#20: nsHTMLScrollFrame::ReflowScrolledFrame at layout/generic/nsGfxScrollFrame.cpp:553
#21: nsHTMLScrollFrame::TryLayout at layout/generic/nsGfxScrollFrame.cpp:347
#22: nsHTMLScrollFrame::ReflowContents at layout/generic/nsGfxScrollFrame.cpp:708
#23: nsHTMLScrollFrame::Reflow at layout/generic/nsGfxScrollFrame.cpp:1039
#24: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:980
#25: mozilla::ViewportFrame::Reflow at layout/generic/ViewportFrame.cpp:334
#26: mozilla::PresShell::DoReflow at layout/generic/ReflowOutput.h:282
#27: mozilla::PresShell::ProcessReflowCommands at layout/base/PresShell.cpp:9514
#28: mozilla::PresShell::DoFlushPendingNotifications at layout/base/PresShell.cpp:4210
#29: nsRefreshDriver::Tick at mfbt/RefPtr.h:284
#30: nsRefreshDriver::DoTick at layout/base/nsRefreshDriver.cpp:1528

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Did you mean to attach a testcase to this?

Comment 2

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

My apologies.  Testcase attached here.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: e6e712904806da25a9c8f48ea4533abe7c6ea8f4
INFO: First bad revision: d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e6e712904806da25a9c8f48ea4533abe7c6ea8f4&tochange=d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e

Comment 4

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

FYI -- I'm aware that a bunch of regressions from bug 1308876 turned up after it hit release (after none were reported while it was on nightly or beta -- except this one which was reported but not triaged).  See https://bugzilla.mozilla.org/show_bug.cgi?id=1308876#a30998038_3881 and below.  I'm going to try to look into them over the next week or two -- and hopefully there are fewer underlying problems than there are bug reports -- but these can be somewhat difficult bugs, so it might take a little time.

Comment 5

[Andrew Osmond [:aosmond] (he/him)]

While investigating bug 1420122, I consistently hit this bug in the wild on local linux64 debug builds with default prefs (hg rev 781485c695e1).

STR:
1) Go to https://vegas.betway.com/lobby/en/#/home
2) Hover over the "Phantom of the Opera" game.
3) Click on the "Practice Play"
4) Crashes while loading the game.

Comment 6

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

This bug is still present.

Comment 7

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Seems like it may be fixed by bug 1420528 or something else recent -- need to investigate further.

Comment 8

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

It turns out the testcase here was fixed in this range, a bit to my surprise. I need to look into whether that's just something about this testcase or whether the underlying problem here was really fixed...

Maybe you have testcases that are still hitting this?

Comment 9

[Jason Kratzer [:jkratzer]]

:dbaron, the last instance of our fuzzers hitting this bug was 11/28/2018. Unfortunately, I'm not really sure what may have changed on our end that is preventing us from hitting it.