Closed Bug 1367413 Opened 3 years ago Closed 3 years ago

Assertion failure: kidOverflowBEnd >= kidBEnd, at /mozilla/builds/nightly/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:154

Categories

(Core :: Layout, defect)

55 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: bc, Assigned: dbaron)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

Attached file crash report
1. https://www.tumblr.com/search/jody%20comer
2. Assertion failure: kidOverflowBEnd >= kidBEnd, at /home/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:154

This reproduces on Fedora 25 x86_64. We've seen this on about 133 URLs since this assertion landed in bug 1365449, though Windows is the most common occurrence. URLs on https://ok.ru/ are fairly common.

Reproduced locally with a build from https://hg.mozilla.org/mozilla-central/rev/96e18bec9fc8a5ce623c16167c12756bbe190d73

Thread 0 (crashed)
 0  libxul.so!nsAbsoluteContainingBlock::Reflow [nsAbsoluteContainingBlock.cpp:6dfa56094f0c : 154 + 0x18]

Attached file Testcase

|kidOverflowBEnd| comes from GetScrollableOverflowRectRelativeToParent():
http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/layout/generic/nsAbsoluteContainingBlock.cpp#152
which is just GetScrollableOverflowRect() translated to the parent's coordinates.
So I think the invariant doesn't hold, as explained in:
http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/layout/generic/nsIFrame.h#3019-3022

Flags: needinfo?(dbaron)
Keywords: regression, testcase
OS: Unspecified → All
Hardware: Unspecified → All
Version: 53 Branch → 55 Branch

OK, I guess we need to use the version that ignores transforms, and then manually convert to the parent's coordinate space.
Mats's testcase also doesn't hit the assertion for me until I resize the window, so I'll need to modify it a drop to make it a crashtest.

Flags: needinfo?(dbaron)

I confirmed that the test crashes in the crashtest harness without the
patch (although the harness doesn't exit!), whereas it passes with the
patch.

MozReview-Commit-ID: 37S6i1kvw37
Attachment #8870974 - Flags: review?(mats)
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #8870974 - Flags: review?(mats) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e6bf2e19464cd774d46d243c82a64fa1b05056c8
Bug 1367413 - Fix assertion that can occur when paginating abs-pos elements with a transform.  r=mats
https://hg.mozilla.org/mozilla-central/rev/e6bf2e19464c
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55