Assertion failure: value >= minimum && value <= maximum (Unsanitized value)

RESOLVED FIXED in Firefox 55

Status

defect
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: tsmith, Assigned: bzbarsky)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
mozilla55
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox53 wontfix, firefox55 fixed)

Details

Attachments

(2 attachments)

Reporter

Description

3 years ago
Posted file test_case.html
Assertion failure: value >= minimum && value <= maximum (Unsanitized value), at /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:510

==5155==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f66bd8898d5 bp 0x7fff2fb14670 sp 0x7fff2fb14440 T0)
    #0 0x7f66bd8898d4 in nsRangeFrame::GetValueAsFractionOfRange() /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:496:3
    #1 0x7f66bd889078 in nsRangeFrame::DoUpdateRangeProgressFrame(nsIFrame*, nsSize const&) /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:707:21
    #2 0x7f66bd88ae18 in nsRangeFrame::UpdateForValueChange() /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:615:5
    #3 0x7f66bd88b16b in nsRangeFrame::AttributeChanged(int, nsIAtom*, int) /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:755:9
    #4 0x7f66bd4d10c0 in mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:362:5
    #5 0x7f66bd4a70db in mozilla::PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4297:5
    #6 0x7f66ba2bfec8 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:145:3
    #7 0x7f66ba067ec1 in mozilla::dom::Element::UnsetAttr(int, nsIAtom*, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2754:5
...
See log.txt
Reporter

Comment 1

3 years ago
Posted file log.txt

Updated

3 years ago
Component: Layout → Layout: Form Controls
INFO: First good revision: 126828c05e0838795debf813cac591bf0ea5ecd5
INFO: Last bad revision: 38ecd019ecebe7533852db0253393d2708527437
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=38ecd019ecebe7533852db0253393d2708527437&tochange=126828c05e0838795debf813cac591bf0ea5ecd5

Fixed by something in Boris' push, which looks plausible. NI myself to land a crashtest.
Assignee: nobody → bzbarsky
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Yeah, that does look plausible, and in fact certain.  ;)  The changes for bug 656197 changed the order of AfterSetAttr and the AttributeChanged notification: before that change we did AttributeChanged _before_ calling AfterSetAttr, but now we call it _after_.

The stack above is running under AttributeChanged and asserting that the value it got from the input is in the (min, max) range.  Now when it does GetMaximum(), since it's running _after_ the max attr has been removed, it gets back the default max value, which is 100.  But the value it gets from GetValueAsDecimal() is 383, because range inputs default the value to (min+max)/2 and the max in this case is 765, while the min defaults to 0. HTMLInputElement::AfterSetAttr is what updates the value to fit in the new (0, 100) range when the "max" attr is removed.  But that used to happen after AttributeChanged, so we hit the assert.

In the new world, we finish updating all our internal state before telling people that it changed (the whole point of bug 656197), so everything is much better.  ;)
Depends on: 656197
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
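The notification-ordering problem described in the last comment, as an added C++ sketch (not Gecko code and not part of the original bug). The `RangeInput` struct, its members and `ObserverSawSanitizedValue` are hypothetical stand-ins; the values 765, 383 and 100 are the ones quoted in the comment.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>

// Simplified stand-in for a range input; names are hypothetical, not Gecko's.
struct RangeInput {
  bool hasMaxAttr = true;
  double maxAttr = 765;   // "max" value from the comment above
  double value = 383;     // value from the comment above
  std::function<void(const RangeInput&)> onAttributeChanged;  // the "frame"

  double Minimum() const { return 0; }                           // default min
  double Maximum() const { return hasMaxAttr ? maxAttr : 100; }  // default max

  // Plays the role of AfterSetAttr: refit the value to the current range.
  void SanitizeValue() {
    value = std::min(std::max(value, Minimum()), Maximum());
  }

  // notifyBeforeSanitize == true models the old order, false the new one.
  void UnsetMax(bool notifyBeforeSanitize) {
    hasMaxAttr = false;
    if (notifyBeforeSanitize && onAttributeChanged) onAttributeChanged(*this);
    SanitizeValue();
    if (!notifyBeforeSanitize && onAttributeChanged) onAttributeChanged(*this);
  }
};

// True if the observer saw min <= value <= max when it was notified,
// i.e. the condition the nsRangeFrame assertion checks.
bool ObserverSawSanitizedValue(bool notifyBeforeSanitize) {
  RangeInput input;
  bool inRange = false;
  input.onAttributeChanged = [&inRange](const RangeInput& i) {
    inRange = i.value >= i.Minimum() && i.value <= i.Maximum();
  };
  input.UnsetMax(notifyBeforeSanitize);
  return inRange;
}

int main() {
  std::printf("old order in range: %d\n", ObserverSawSanitizedValue(true));
  std::printf("new order in range: %d\n", ObserverSawSanitizedValue(false));
  return 0;
}
```

With the old order the observer reads 383 against a maximum of 100; with the new order it reads the already-clamped 100.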