Open Bug 1486541 Opened 6 years ago Updated 2 years ago

Assertion failure: !aFits || !mNeedBackup (Shouldn't be updating the break position with a break that fits after we've already flagged an overrun), at /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1537

Categories

(Core :: Layout: Block and Inline, defect, P3)

Tracking Status
firefox-esr68 --- affected
firefox63 --- wontfix
firefox64 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox73 --- wontfix
firefox74 --- fix-optional
firefox75 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 190b827aaa2b.

OS|Linux|0.0.0 Linux 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsLineLayout::NotifyOptionalBreakPosition(nsIFrame*, int, bool, gfxBreakPriority)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1538|0x18
0|1|libxul.so|nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9609|0x17
0|2|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x9
0|3|libxul.so|nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFirstLetterFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|242|0x24
0|4|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|939|0x30
0|5|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4269|0x14
0|6|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4069|0x29
0|7|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3945|0x41
0|8|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2924|0x1a
0|9|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2458|0x20
0|10|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1292|0xf
0|11|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|309|0x10
0|12|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3573|0x1e
0|13|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2921|0x13
0|14|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2458|0x20
0|15|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1292|0xf
0|16|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|951|0x1a
0|17|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|804|0x4d
0|18|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|951|0x1a
0|19|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|608|0x5
0|20|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|731|0x14
0|21|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1120|0x5
0|22|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|995|0x19
0|23|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|339|0x2b
0|24|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9022|0x25
0|25|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9195|0xe
0|26|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4347|0x15
0|27|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1926|0x5
0|28|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|324|0x8
0|29|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|317|0xc
0|30|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|755|0xc
0|31|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|571|0xc
0|32|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|78|0x9
0|33|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|34|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2239|0x6
0|35|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2166|0xb
0|36|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2012|0xb
0|37|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2045|0xc
0|38|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1167|0x15
0|39|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|519|0x11
0|40|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|97|0xa
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|43|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|158|0xd
0|44|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x11
0|45|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|269|0x5
0|46|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|47|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|48|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|770|0x8
0|49|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|50|0x14
0|50|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|287|0x11
0|51|libc-2.27.so||||0x21b97
0|52|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x5
Flags: in-testsuite?
This may or may not be a regression from my float / line layout changes. I'll 301 to Jonathan if it's not :)
Flags: needinfo?(emilio)
Yeah, so this is a longstanding issue, I just upgraded it to a MOZ_ASSERT in bug 488725.

Jonathan, looks like you're the one that introduced this assertion, and also the one that's more likely to know what's going on around.

Is there any chance you could take a look? Otherwise I'm happy to downgrade the assertion again to NS_ASSERTION or something.
Flags: needinfo?(emilio) → needinfo?(jfkthame)
Yeah, so I don't totally understand what's getting confused here, but it seems to be related to bidi (note that there are some Arabic letters in the original testcase) together with the very large letter-spacing applied to the first-letter pseudo.

Here's a slightly reduced testcase that hits the same assertion.

In the original testcase, I think that in addition to hitting this assertion (and later the "WARNING: We shouldn't be backing up more than once! Someone must have set a break opportunity beyond the available width, even though there were better break opportunities before it" in nsBlockFrame::DoReflowInlineFrames), our rendering is probably incorrect: ISTM we should have taken a line-break somewhere in that random string of text (maybe adjacent to emoji?).

So I suspect this assertion is pointing to a genuine bug that we should fix, but it doesn't look critical and I don't have cycles to analyse/debug further at the moment. If the stricter MOZ_ASSERT is causing problems, reverting it to NS_ASSERTION for now seems fine.
Flags: needinfo?(jfkthame)
(In reply to Jonathan Kew (:jfkthame) from comment #3)
> Created attachment 9004803 [details]
> somewhat reduced testcase
> 
> Yeah, so I don't totally understand what's getting confused here, but it
> seems to be related to bidi (note that there are some Arabic letters in the
> original testcase) together with the very large letter-spacing applied to
> the first-letter pseudo.
> 
> Here's a slightly reduced testcase that hits the same assertion.
> 
> In the original testcase, I think that in addition to hitting this assertion
> (and later the "WARNING: We shouldn't be backing up more than once! Someone
> must have set a break opportunity beyond the available width, even though
> there were better break opportunities before it" in
> nsBlockFrame::DoReflowInlineFrames), our rendering is probably incorrect:
> ISTM we should have taken a line-break somewhere in that random string of
> text (maybe adjacent to emoji?).
> 
> So I suspect this assertion is pointing to a genuine bug that we should fix,
> but it doesn't look critical and I don't have cycles to analyse/debug
> further at the moment. If the stricter MOZ_ASSERT is causing problems,
> reverting it to NS_ASSERTION for now seems fine.
Priority: -- → P3
bughunter can reproduce on Windows and Linux at https://www.berliner-sparkasse.de/de/home/onlinebanking/finanzstatus.html?n=true and 14 other URLs, most from berliner-sparkasse.de. I don't see any opt crashes though.
See Also: → 1499027

Many of the fuzzers are hitting this assertion frequently.

It doesn't seem we're going to work on fixing this in the near term.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c87032ced936
Turn assertion back into a non-fatal assertion. r=jfkthame

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Marking fix-optional to get this out of weekly triage, since it's set to P3.

The leave-open keyword is there and there is no activity for 6 months.
:svoisen, maybe it's time to close this bug?

Flags: needinfo?(svoisen)

It's an assertion bug and has a testcase; I don't think we should close it just because we haven't gotten to it.

The leave-open keyword is there and there is no activity for 6 months.
:svoisen, maybe it's time to close this bug?

Flags: needinfo?(svoisen)
Flags: needinfo?(svoisen)
Keywords: leave-open
Severity: normal → S3