1467519 - Assertion failure: nscoord((1 << 30) - 1) != aContainingBlockBSize || !aCoord.HasPercent() (unexpected containing block block-size), at nsLayoutUtils.cpp:5630

Status: RESOLVED FIXED

(Core :: Layout, defect, P4)

Description

[Jesse Schwartzentruber (:truber)]

Attachment: testcase.html

The attached testcase causes an assertion in m-c 20180607-199a08519981.

#0: nsLayoutUtils::ComputeBSizeDependentValue(int, nsStyleCoord const&)
        at layout/base/nsLayoutUtils.cpp:5628
#1: mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType)
        at layout/generic/ReflowInput.cpp:1682
#2: mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType)
        at layout/generic/ReflowInput.cpp:2384
#3: mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*)
        at layout/generic/ReflowInput.cpp:414
#4: nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)
        at layout/generic/nsAbsoluteContainingBlock.cpp:703
#5: nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)
        at layout/generic/nsAbsoluteContainingBlock.cpp:169
#6: nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
        at layout/generic/nsBlockFrame.cpp:1443
#7: nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)
        at layout/generic/nsContainerFrame.cpp:951
#8: nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
        at layout/generic/nsCanvasFrame.cpp:714
#9: nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)
        at layout/generic/nsContainerFrame.cpp:951
#10: nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool)
        at layout/generic/nsGfxScrollFrame.cpp:557
#11: nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)
        at layout/generic/nsGfxScrollFrame.cpp:679
#12: nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
        at layout/generic/nsGfxScrollFrame.cpp:1055

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/1MwtqJz3PqX2xTQIBex5dQ/index.html

Comment 2

[Tyson Smith [:tsmith]]

The fuzzers have been tripping over this for a while and it is triggered frequently. Marking as fuzzblocker.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:dholbert, could you increase the severity?

For more information, please visit auto_nag documentation.

Comment 6

[Daniel Holbert [:dholbert]]

Does this testcase still trigger the fatal assertion for anyone?

In a current debug build, I'm just seeing this nonfatal assertion:

###!!! ASSERTION: Can't solve for both start and end: 'NS_AUTOOFFSET != aOffsets->IEnd(outerWM)', file layout/generic/nsAbsoluteContainingBlock.cpp:620

...and no abort or crash.

If fuzzers are still generating testcases that hit this (the fatal unexpected containing block block-size assertion), maybe we could add a new testcase here?

Comment 7

[Jesse Schwartzentruber (:truber)]

(In reply to Daniel Holbert [:dholbert] from comment #6)

If fuzzers are still generating testcases that hit this (the fatal unexpected containing block block-size assertion), maybe we could add a new testcase here?

You're right. The attached testcase doesn't reproduce anymore. We do still see this crash infrequently, and there is a working testcase available. I'm reducing it now and will replace the attached testcase shortly.

Comment 8

[Daniel Holbert [:dholbert]]

Thanks!

Comment 9

[Jesse Schwartzentruber (:truber)]

Attachment: Updated testcase

Updated testcase reproduces on m-c 20221121-a29b80b10710.

[Child 775094, Main Thread] WARNING: containing block bsize must be constrained: 'aCBSize.BSize(cbwm) != NS_UNCONSTRAINEDSIZE', file /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1613
Assertion failure: nscoord((1 << 30) - 1) != aContainingBlockBSize || !aCoord.HasPercent() (unexpected containing block block-size), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5313

    #0 0x7fa7f69ed6e1 in nsLayoutUtils::ComputeBSizeDependentValue(int, mozilla::StyleGenericLengthPercentageOrAuto<mozilla::StyleLengthPercentageUnion> const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5311:3
    #1 0x7fa7f6a2ec31 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1732:26
    #2 0x7fa7f6a2a64b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2342:7
    #3 0x7fa7f6a26f34 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:360:3
    #4 0x7fa7f6a278ba in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:219:5
    #5 0x7fa7f6a4bf27 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:799:15
    #6 0x7fa7f6a4a38c in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:221:7
    #7 0x7fa7f6a5618f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1720:26
    #8 0x7fa7f6a4c146 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:817:14
    #9 0x7fa7f6a4a38c in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:221:7
    #10 0x7fa7f6a499ac in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:427:35
    #11 0x7fa7f694475a in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9668:11
    #12 0x7fa7f696824f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9840:24
    #13 0x7fa7f694dde9 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9910:10

Comment 10

[Daniel Holbert [:dholbert]]

Thanks! I'll aim to circle back to this soon.

Given the large length values in the testcase, this is probably a case where we should soften the fatal assertion. It looks like we're reaching the extremely-large sentinel nscoord_MAX size here, and our logic is worried that it represents an intrinsic size that we left unresolved, or something to that effect. We'll likely produce broken layout, and that's likely fine.

Comment 11

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Attachment: Bug 1467519 - Soften a fatal assertion in nsLayoutUtils::ComputeBSizeDependentValue().

Comment 12

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Taking this bug.

Comment 13

[Pulsebot]

Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7adb200fc209
Soften a fatal assertion in nsLayoutUtils::ComputeBSizeDependentValue(). r=emilio

Comment 14

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/7adb200fc209