Assertion failure: kidOverflowBEnd >= kidBEnd

NEW
Unassigned

Status

Core
Layout: R & A Pos
P3
normal
6 months ago
3 months ago

People

(Reporter: jkratzer, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

56 Branch
assertion, testcase
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 unaffected, firefox56 wontfix, firefox57 affected, firefox58 affected)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 months ago
Testcase found while fuzzing mozilla-central rev 20170825-2306e153fba9.

Assertion failure: kidOverflowBEnd >= kidBEnd, at /home/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:156
#01: nsBlockFrame::Reflow at layout/generic/nsBlockFrame.h:216
#02: nsBlockReflowContext::ReflowBlock at layout/generic/nsBlockReflowContext.cpp:307
#03: nsBlockFrame::ReflowFloat at layout/generic/nsBlockFrame.cpp:6395
#04: mozilla::BlockReflowInput::FlowAndPlaceFloat at layout/generic/BlockReflowInput.cpp:912
#05: mozilla::BlockReflowInput::AddFloat at layout/generic/BlockReflowInput.cpp:630
#06: nsLineLayout::ReflowFrame at layout/generic/nsLineLayout.cpp:963
#07: nsBlockFrame::ReflowInlineFrame at layout/generic/nsBlockFrame.cpp:4220
#08: nsBlockFrame::DoReflowInlineFrames at layout/generic/nsBlockFrame.cpp:4015
#09: nsBlockFrame::ReflowInlineFrames at layout/generic/nsBlockFrame.cpp:3892
#10: nsBlockFrame::ReflowLine at layout/generic/nsBlockFrame.cpp:2874
#11: nsBlockFrame::ReflowDirtyLines at layout/generic/nsBlockFrame.cpp:2407
#12: nsBlockFrame::Reflow at layout/generic/nsBlockFrame.cpp:1246
#13: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#14: nsColumnSetFrame::ReflowChildren at layout/generic/nsIFrame.h:294
#15: nsColumnSetFrame::ReflowColumns at layout/generic/nsColumnSetFrame.cpp:508
#16: nsColumnSetFrame::Reflow at layout/generic/nsColumnSetFrame.cpp:1250
#17: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#18: nsCanvasFrame::Reflow at layout/generic/nsCanvasFrame.cpp:758
#19: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:937
#20: nsHTMLScrollFrame::ReflowScrolledFrame at layout/generic/nsGfxScrollFrame.cpp:553
#21: nsHTMLScrollFrame::TryLayout at layout/generic/nsGfxScrollFrame.cpp:347
#22: nsHTMLScrollFrame::ReflowContents at layout/generic/nsGfxScrollFrame.cpp:708
#23: nsHTMLScrollFrame::Reflow at layout/generic/nsGfxScrollFrame.cpp:1039
#24: nsContainerFrame::ReflowChild at layout/generic/nsContainerFrame.cpp:980
#25: mozilla::ViewportFrame::Reflow at layout/generic/ViewportFrame.cpp:334
#26: mozilla::PresShell::DoReflow at layout/generic/ReflowOutput.h:282
#27: mozilla::PresShell::ProcessReflowCommands at layout/base/PresShell.cpp:9514
#28: mozilla::PresShell::DoFlushPendingNotifications at layout/base/PresShell.cpp:4210
#29: nsRefreshDriver::Tick at mfbt/RefPtr.h:284
#30: nsRefreshDriver::DoTick at layout/base/nsRefreshDriver.cpp:1528
Flags: in-testsuite?

Updated

6 months ago
Priority: -- → P3
Did you mean to attach a testcase to this?
Flags: needinfo?(jkratzer)
(Reporter)

Comment 2

5 months ago
Created attachment 8913382 [details]
trigger.html

My apologies.  Testcase attached here.
Flags: needinfo?(jkratzer)
INFO: Last good revision: e6e712904806da25a9c8f48ea4533abe7c6ea8f4
INFO: First bad revision: d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e6e712904806da25a9c8f48ea4533abe7c6ea8f4&tochange=d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e
status-firefox55: --- → unaffected
status-firefox56: --- → wontfix
status-firefox57: --- → affected
status-firefox58: --- → affected
status-firefox-esr52: --- → unaffected
Version: unspecified → 56 Branch
Blocks: 1308876
Has Regression Range: --- → yes
FYI -- I'm aware that a bunch of regressions from bug 1308876 turned up after it hit release (after none were reported while it was on nightly or beta -- except this one which was reported but not triaged).  See https://bugzilla.mozilla.org/show_bug.cgi?id=1308876#a30998038_3881 and below.  I'm going to try to look into them over the next week or two -- and hopefully there are fewer underlying problems than there are bug reports -- but these can be somewhat difficult bugs, so it might take a little time.
While investigating bug 1420122, I consistently hit this bug in the wild on local linux64 debug builds with default prefs (hg rev 781485c695e1).

STR:
1) Go to https://vegas.betway.com/lobby/en/#/home
2) Hover over the "Phantom of the Opera" game.
3) Click on the "Practice Play"
4) Crashes while loading the game.