Closed
Bug 1383938
Opened 7 years ago
Closed 4 years ago
Assertion failure: !inner->GetWritingMode().IsOrthogonalTo(aWM), at /home/worker/workspace/build/src/layout/forms/nsFieldSetFrame.cpp:638
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | wontfix |
| firefox57 | --- | wontfix |
| firefox58 | --- | wontfix |
| firefox59 | --- | ? |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
|
392 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.
Assertion failure: !inner->GetWritingMode().IsOrthogonalTo(aWM), at /home/worker/workspace/build/src/layout/forms/nsFieldSetFrame.cpp:638
ASAN:DEADLYSIGNAL
=================================================================
==8430==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f930ce939a6 bp 0x7fffd46836f0 sp 0x7fffd4683600 T0)
==8430==The signal is caused by a WRITE memory access.
==8430==Hint: address points to the zero page.
#0 0x7f930ce939a5 in nsFieldSetFrame::GetVerticalAlignBaseline(mozilla::WritingMode, int*) const /home/worker/workspace/build/src/layout/forms/nsFieldSetFrame.cpp:639:15
#1 0x7f930cc7ea55 in nsBlockFrame::GetNaturalBaselineBOffset(mozilla::WritingMode, mozilla::BaselineSharingGroup, int*) const /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:510:16
#2 0x7f930cc7e72d in nsIFrame::BaselineBOffset(mozilla::WritingMode, mozilla::BaselineSharingGroup, mozilla::AlignmentContext) const /home/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:153:7
#3 0x7f930cc7e5bb in nsBlockFrame::GetLogicalBaseline(mozilla::WritingMode) const /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:492:5
#4 0x7f930ce9a9e1 in nsHTMLButtonControlFrame::ReflowButtonContents(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsIFrame*) /home/worker/workspace/build/src/layout/forms/nsHTMLButtonControlFrame.cpp:311:56
#5 0x7f930ce99e12 in nsHTMLButtonControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/forms/nsHTMLButtonControlFrame.cpp:203:3
#6 0x7f930cdd1003 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
#7 0x7f930cca02e7 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
#8 0x7f930cc9eb4c in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
#9 0x7f930cc97279 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
#10 0x7f930cc916eb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
#11 0x7f930cc88a12 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
#12 0x7f930cc83bbc in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
#13 0x7f930ccc46fa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
#14 0x7f930ccc3972 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:752:5
#15 0x7f930ccc46fa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
#16 0x7f930cd63069 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:549:3
#17 0x7f930cd642f2 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:661:3
#18 0x7f930cd66627 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1037:3
#19 0x7f930cc736cf in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:979:14
#20 0x7f930cc72cc2 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:329:7
|
||
Updated•7 years ago
|
Priority: -- → P3
|
||
Comment 1•7 years ago
|
||
Still reproducible with or without Stylo enabled. INFO: No more inbound revisions, bisection finished. INFO: Last good revision: 31af743f4a0273ad198f50fe8d20dd6978027979 INFO: First bad revision: b222ec9a5d90805a8bb0e8bcdfbc3a34d42bbbc0 INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=31af743f4a0273ad198f50fe8d20dd6978027979&tochange=b222ec9a5d90805a8bb0e8bcdfbc3a34d42bbbc0
Blocks: 1330962
Has Regression Range: --- → yes
status-firefox56:
--- → wontfix
status-firefox57:
--- → wontfix
status-firefox58:
--- → fix-optional
status-firefox-esr52:
--- → unaffected
Version: unspecified → 54 Branch
|
||
Comment 3•6 years ago
|
||
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59:
--- → ?
|
||
Comment 4•4 years ago
|
||
The attached test case no longer reproduces the issue and the fuzzers last reported this issue in Jan 2019.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
|
||
Comment 5•4 years ago
|
||
Worksforme is a better resolution for bugs like this where we don't know why the problem went away.
Probably a good idea to land the testcase as a crashtest so that we quickly detect if the problem comes back.
Flags: in-testsuite?
Resolution: FIXED → WORKSFORME
|
||
Updated•4 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•