Open
Bug 1429492
Opened 6 years ago
Updated 2 years ago
Assertion failure: aFloat->GetParent() == mBlock || (aFloat->GetStateBits() & NS_FRAME_IS_PUSHED_FLOAT) (float should be in this block unless it was marked as pushed float), at /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:581
Categories
(Core :: Layout: Block and Inline, defect, P3)
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
1.09 KB,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev d5f42a23909e. OS|Linux|0.0.0 Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|mozilla::BlockReflowInput::AddFloat|hg:hg.mozilla.org/mozilla-central:layout/generic/BlockReflowInput.cpp:d5f42a23909e|575|0x18 0|1|libxul.so|nsLineLayout::ReflowFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.h:d5f42a23909e|182|0x8 0|2|libxul.so|nsInlineFrame::ReflowInlineFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsInlineFrame.cpp:d5f42a23909e|727|0x5 0|3|libxul.so|nsInlineFrame::ReflowFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsInlineFrame.cpp:d5f42a23909e|609|0x5 0|4|libxul.so|nsFirstLineFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsInlineFrame.cpp:d5f42a23909e|1130|0x5 0|5|libxul.so|nsLineLayout::ReflowFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:d5f42a23909e|923|0x30 0|6|libxul.so|nsBlockFrame::ReflowInlineFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|4159|0x14 0|7|libxul.so|nsBlockFrame::DoReflowInlineFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|3959|0x29 0|8|libxul.so|nsBlockFrame::ReflowInlineFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|3836|0x41 0|9|libxul.so|nsBlockFrame::ReflowLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|2817|0x1a 0|10|libxul.so|nsBlockFrame::ReflowDirtyLines|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|2353|0x20 0|11|libxul.so|nsBlockFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|1226|0xf 0|12|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|934|0x1a 0|13|libxul.so|nsColumnSetFrame::ReflowChildren|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|811|0x45 0|14|libxul.so|nsColumnSetFrame::ReflowColumns|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|509|0x8 0|15|libxul.so|nsColumnSetFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|1245|0x10 0|16|libxul.so|nsBlockReflowContext::ReflowBlock|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:d5f42a23909e|306|0x10 0|17|libxul.so|nsBlockFrame::ReflowFloat|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|6337|0x2d 0|18|libxul.so|mozilla::BlockReflowInput::FlowAndPlaceFloat|hg:hg.mozilla.org/mozilla-central:layout/generic/BlockReflowInput.cpp:d5f42a23909e|917|0x9 0|19|libxul.so|nsBlockFrame::ReflowPushedFloats|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|6462|0xb 0|20|libxul.so|nsBlockFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|1202|0x15 0|21|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|934|0x1a 0|22|libxul.so|nsColumnSetFrame::ReflowChildren|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|811|0x45 0|23|libxul.so|nsColumnSetFrame::ReflowColumns|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|509|0x8 0|24|libxul.so|nsColumnSetFrame::FindBestBalanceBSize|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|1147|0x1e 0|25|libxul.so|nsColumnSetFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|1255|0x33 0|26|libxul.so|nsBlockReflowContext::ReflowBlock|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:d5f42a23909e|306|0x10 0|27|libxul.so|nsBlockFrame::ReflowBlockFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|3466|0x1e 0|28|libxul.so|nsBlockFrame::ReflowLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|2814|0x13 0|29|libxul.so|nsBlockFrame::ReflowDirtyLines|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|2353|0x20 0|30|libxul.so|nsBlockFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:d5f42a23909e|1226|0xf 0|31|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|934|0x1a 0|32|libxul.so|nsColumnSetFrame::ReflowChildren|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|811|0x45 0|33|libxul.so|nsColumnSetFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:d5f42a23909e|1245|0x10 0|34|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|934|0x1a 0|35|libxul.so|nsCanvasFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:d5f42a23909e|758|0x4d 0|36|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|934|0x1a 0|37|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:d5f42a23909e|554|0x5 0|38|libxul.so|nsHTMLScrollFrame::ReflowContents|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:d5f42a23909e|676|0x14 0|39|libxul.so|nsHTMLScrollFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:d5f42a23909e|1052|0x5 0|40|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:d5f42a23909e|978|0x19 0|41|libxul.so|mozilla::ViewportFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:d5f42a23909e|336|0x2b 0|42|libxul.so|mozilla::PresShell::DoReflow|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:d5f42a23909e|8979|0x25 0|43|libxul.so|mozilla::PresShell::ProcessReflowCommands|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:d5f42a23909e|9152|0xe 0|44|libxul.so|mozilla::PresShell::DoFlushPendingNotifications|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:d5f42a23909e|4263|0x15 0|45|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d5f42a23909e|1920|0x5 0|46|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d5f42a23909e|306|0xf 0|47|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d5f42a23909e|328|0x12 0|48|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d5f42a23909e|769|0x5 0|49|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d5f42a23909e|583|0xc 0|50|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:d5f42a23909e|68|0x9 0|51|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:06086093ccb59dd5a99cf8c9f9fb7f4860fd8ddbfd516af5e5b3508be62029679421dcf2abdf6b1c945b6a054050bd403c9574aad49f857cb4a31d3f4cf56b9a/ipc/ipdl/PVsyncChild.cpp:|155|0xf 0|52|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:d5f42a23909e|2110|0x6 0|53|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:d5f42a23909e|2040|0xb 0|54|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:d5f42a23909e|1886|0xb 0|55|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:d5f42a23909e|1919|0xc 0|56|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:d5f42a23909e|1040|0x15 0|57|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:d5f42a23909e|517|0x11 0|58|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:d5f42a23909e|97|0xa 0|59|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d5f42a23909e|326|0x17 0|60|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d5f42a23909e|319|0x8 0|61|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:d5f42a23909e|157|0xd 0|62|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:d5f42a23909e|877|0x11 0|63|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:d5f42a23909e|269|0x5 0|64|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d5f42a23909e|326|0x17 0|65|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d5f42a23909e|319|0x8 0|66|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:d5f42a23909e|703|0x8 0|67|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:d5f42a23909e|63|0x14 0|68|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:d5f42a23909e|280|0x11 0|69|libc-2.23.so||||0x20830 0|70|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:d5f42a23909e|165|0x5
Flags: in-testsuite?
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•