Closed Bug 1461979 Opened 6 years ago Closed 6 years ago

Assertion failure: aCBSize.BSize(cbwm) != nscoord((1 << 30) - 1) (containing block bsize must be constrained), at /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:1596

Categories

(Core :: Layout, defect)

59 Branch
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: jkratzer, Assigned: morgan)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 3c9d69736f4a421218e5eb01b6571d535d38318a.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x00007f7aacb562dd   rbx = 0x00007ffff4816ed0
rsi = 0x00007f7aace25770   rdi = 0x00007f7aace24540
rbp = 0x00007ffff4815f40   rsp = 0x00007ffff4815da0
r8 = 0x00007f7aace25770    r9 = 0x00007f7aadef4740
r10 = 0x0000000000000039   r11 = 0x0000000000000000
r12 = 0x00007f7a8a16db38   r13 = 0x00007ffff4815f00
r14 = 0x0000000000000002   r15 = 0x00007ffff4816410
rip = 0x00007f7a9cdc2e00
OS|Linux|0.0.0 Linux 4.4.0-122-generic #146-Ubuntu SMP Mon Apr 23 15:34:04 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::ReflowInput::InitAbsoluteConstraints|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:3c9d69736f4a421218e5eb01b6571d535d38318a|884|0x1e
0|1|libxul.so|mozilla::ReflowInput::InitConstraints|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2384|0x5
0|2|libxul.so|mozilla::ReflowInput::Init|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|414|0x23
0|3|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|703|0x6
0|4|libxul.so|nsAbsoluteContainingBlock::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|169|0x32
0|5|libxul.so|nsBlockFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1443|0x2b
0|6|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|744|0x26
0|7|libxul.so|nsAbsoluteContainingBlock::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|169|0x32
0|8|libxul.so|nsFrame::ReflowAbsoluteFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|6507|0xc
0|9|libxul.so|nsFrame::FinishReflowWithAbsoluteFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|6472|0x5
0|10|libxul.so|nsCanvasFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|777|0x26
0|11|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|951|0x1a
0|12|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|557|0x5
0|13|libxul.so|nsHTMLScrollFrame::ReflowContents|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|679|0x14
0|14|libxul.so|nsHTMLScrollFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1055|0x5
0|15|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|995|0x19
0|16|libxul.so|mozilla::ViewportFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|336|0x2b
0|17|libxul.so|mozilla::PresShell::DoReflow|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|8941|0x25
0|18|libxul.so|mozilla::PresShell::ProcessReflowCommands|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|9114|0xe
0|19|libxul.so|mozilla::PresShell::DoFlushPendingNotifications|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|4331|0x15
0|20|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1951|0x5
0|21|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|307|0xf
0|22|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|329|0x12
0|23|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|770|0x5
0|24|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|584|0xc
0|25|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|68|0x9
0|26|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2136|0x6
0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2066|0xb
0|29|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1912|0xb
0|30|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1945|0xc
0|31|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1090|0x15
0|32|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|519|0x11
0|33|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|97|0xa
0|34|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|326|0x17
0|35|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|319|0x8
0|36|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|157|0xd
0|37|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|893|0x11
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|269|0x5
0|39|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|326|0x17
0|40|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|319|0x8
0|41|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|719|0x8
0|42|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|50|0x14
0|43|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|282|0x11
Flags: in-testsuite?
I think this is very similar to bug 1460787, where we're unreasonably asserting that no specified length could possibly end up equal to the sentinel value nscoord_MAX.

Like that bug, I'm going to co-opt this as a "good first bug" for an intern starting next week.
Flags: needinfo?(dholbert)
We'll want to use NS_WARNING_ASSERTION(...) rather than MOZ_ASSERT(...) here. NS_WARNING_ASSERTION is non-fatal if it fails.
Assignee: nobody → mreschenberg
Status: NEW → ASSIGNED
Flags: needinfo?(dholbert)
Comment on attachment 8979398 [details]
Bug 1461979 - change faulty assert to warning

https://reviewboard.mozilla.org/r/245560/#review251598

This looks good! r=me assuming the Try run passes
Attachment #8979398 - Flags: review?(dholbert) → review+
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5c86999026ea
change faulty assert to warning r=dholbert
Try run looks good, so I triggered autoland ^
https://hg.mozilla.org/mozilla-central/rev/5c86999026ea
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Blocks: 1457813
Flags: in-testsuite? → in-testsuite+
Why did this get labelled as a regression? Did something break?
Flags: needinfo?(dholbert)
It just means this original bug was something that broke (at a specific point in time, vs. having just been always broken).

It's still fixed, so all is well. :)
Flags: needinfo?(dholbert)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: