1364144 - Assertion failure: !aStatus.IsIncomplete() || isPaginated (Table contents should only fragment in paginated contexts), @ [/home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3323]

Status: NEW

(Core :: Layout: Tables, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Testcase found while fuzzing mozilla-central rev 20170510-d8762cb96742.

Assertion failure: !aStatus.IsIncomplete() || isPaginated (Table contents should only fragment in paginated contexts), at /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3323

ASAN:DEADLYSIGNAL
=================================================================
==26456==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7efc58ddd4dc bp 0x7ffebb1cc930 sp 0x7ffebb1cc180 T0)
==26456==The signal is caused by a WRITE memory access.
==26456==Hint: address points to the zero page.
    #0 0x7efc58ddd4db in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3111:56
    #1 0x7efc58dd9250 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2179:3
    #2 0x7efc58dd8158 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1979:5
    #3 0x7efc58b9744a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:898:14
    #4 0x7efc58e14303 in nsTableWrapperFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:835:3
    #5 0x7efc58e155b8 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:997:3
    #6 0x7efc58b6e3ca in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #7 0x7efc58b7d909 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6333:9
    #8 0x7efc58b0a979 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:911:13
    #9 0x7efc58b092b0 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #10 0x7efc58c97663 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962:11
    #11 0x7efc58b722de in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4215:15
    #12 0x7efc58b70b4c in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #13 0x7efc58b69299 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #14 0x7efc58b6351b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2876:5
    #15 0x7efc58b5a4a2 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2412:7
    #16 0x7efc58b555af in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1232:3

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Still reproducible with or without Stylo enabled. This assertion goes back more than a year, which is the furthest back mozregression can bisect debug builds.

Comment 2

[Firefox Bug Husbandry Bot]

https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals

Comment 3

[Cameron McCormack (:heycam)]

I run into this assertion when I try to load the test case from bug 1606540 in the Layout Debugger with paged mode turned on. Ting-Yu, is the paged reftest mode that the Layout Debugger uses different from what's used when printing in a way that would cause this assertion to fail?

Comment 4

[Ting-Yu Lin [:TYLin] (UTC-8)]

Layout debugger's paged mode uses nsPresContext::eContext_PageLayout [1], so presContext->IsPaginated() [2] should be true per [3]. It must be an unconstrained aReflowInput.availSize.BSize(wm) that makes isPaginated in nsTableFrame::ReflowChildren() become false.

[1] https://searchfox.org/mozilla-central/rev/ba4fab1cc2f1c9c4e07cdb71542b8d441707c577/layout/base/nsDocumentViewer.cpp#4056-40573
[2] https://searchfox.org/mozilla-central/rev/ba4fab1cc2f1c9c4e07cdb71542b8d441707c577/layout/tables/nsTableFrame.cpp#2888
[3] https://searchfox.org/mozilla-central/rev/ba4fab1cc2f1c9c4e07cdb71542b8d441707c577/layout/base/nsPresContext.cpp#194

Comment 5

[Jason Kratzer [:jkratzer]]

Testcase still reproduces on mozilla-central rev 2aa3b889d603 (built with --enable-debug)