Closed Bug 1461979 Opened 7 years ago Closed 7 years ago

Assertion failure: aCBSize.BSize(cbwm) != nscoord((1 << 30) - 1) (containing block bsize must be constrained), at /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:1596

Categories

(Core :: Layout, defect)

59 Branch
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: jkratzer, Assigned: morgan)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 3c9d69736f4a421218e5eb01b6571d535d38318a. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x00007f7aacb562dd rbx = 0x00007ffff4816ed0 rsi = 0x00007f7aace25770 rdi = 0x00007f7aace24540 rbp = 0x00007ffff4815f40 rsp = 0x00007ffff4815da0 r8 = 0x00007f7aace25770 r9 = 0x00007f7aadef4740 r10 = 0x0000000000000039 r11 = 0x0000000000000000 r12 = 0x00007f7a8a16db38 r13 = 0x00007ffff4815f00 r14 = 0x0000000000000002 r15 = 0x00007ffff4816410 rip = 0x00007f7a9cdc2e00 OS|Linux|0.0.0 Linux 4.4.0-122-generic #146-Ubuntu SMP Mon Apr 23 15:34:04 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|mozilla::ReflowInput::InitAbsoluteConstraints|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:3c9d69736f4a421218e5eb01b6571d535d38318a|884|0x1e 0|1|libxul.so|mozilla::ReflowInput::InitConstraints|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2384|0x5 0|2|libxul.so|mozilla::ReflowInput::Init|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|414|0x23 0|3|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|703|0x6 0|4|libxul.so|nsAbsoluteContainingBlock::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|169|0x32 0|5|libxul.so|nsBlockFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1443|0x2b 0|6|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|744|0x26 0|7|libxul.so|nsAbsoluteContainingBlock::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|169|0x32 0|8|libxul.so|nsFrame::ReflowAbsoluteFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|6507|0xc 0|9|libxul.so|nsFrame::FinishReflowWithAbsoluteFrames|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|6472|0x5 0|10|libxul.so|nsCanvasFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|777|0x26 0|11|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|951|0x1a 0|12|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|557|0x5 0|13|libxul.so|nsHTMLScrollFrame::ReflowContents|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|679|0x14 0|14|libxul.so|nsHTMLScrollFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1055|0x5 0|15|libxul.so|nsContainerFrame::ReflowChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|995|0x19 0|16|libxul.so|mozilla::ViewportFrame::Reflow|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|336|0x2b 0|17|libxul.so|mozilla::PresShell::DoReflow|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|8941|0x25 0|18|libxul.so|mozilla::PresShell::ProcessReflowCommands|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|9114|0xe 0|19|libxul.so|mozilla::PresShell::DoFlushPendingNotifications|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|4331|0x15 0|20|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1951|0x5 0|21|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|307|0xf 0|22|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|329|0x12 0|23|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|770|0x5 0|24|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|584|0xc 0|25|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|68|0x9 0|26|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc 0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2136|0x6 0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|2066|0xb 0|29|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1912|0xb 0|30|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1945|0xc 0|31|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|1090|0x15 0|32|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|519|0x11 0|33|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|97|0xa 0|34|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|326|0x17 0|35|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|319|0x8 0|36|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|157|0xd 0|37|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|893|0x11 0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|269|0x5 0|39|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|326|0x17 0|40|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c9d69736f4a421218e5eb01b6571d535d38318a|319|0x8 0|41|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|719|0x8 0|42|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|50|0x14 0|43|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:3c9d69736f4a421218e5eb01b6571d535d38318a|282|0x11
Flags: in-testsuite?
I think this is very similar to bug 1460787, where we're unreasonably asserting that no specified length could possibly end up equal to the sentinel value nscoord_MAX. Like that bug, I'm going to co-opt this as a "good first bug" for an intern starting next week.
Flags: needinfo?(dholbert)
We'll want to use NS_WARNING_ASSERTION(...) rather than MOZ_ASSERT(...) here. NS_WARNING_ASSERTION is non-fatal if it fails.
Assignee: nobody → mreschenberg
Status: NEW → ASSIGNED
Flags: needinfo?(dholbert)
Comment on attachment 8979398 [details] Bug 1461979 - change faulty assert to warning https://reviewboard.mozilla.org/r/245560/#review251598 This looks good! r=me assuming the Try run passes
Attachment #8979398 - Flags: review?(dholbert) → review+
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5c86999026ea change faulty assert to warning r=dholbert
Try run looks good, so I triggered autoland ^
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Blocks: 1457813
Flags: in-testsuite? → in-testsuite+
Why did this get labelled as a regression? Did something break?
Flags: needinfo?(dholbert)
It just means this original bug was something that broke (at a specific point in time, vs. having just been always broken). It's still fixed, so all is well. :)
Flags: needinfo?(dholbert)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: