Closed
Bug 1488762
Opened 6 years ago
Closed 6 years ago
Assertion failure: totalDesiredPortionOfOrigFreeSpace == 0 || ((totalDesiredPortionOfOrigFreeSpace > 0) == (availableFreeSpace > 0)) (When we reduce available free space for flex factors < 1,we shouldn't change the sign of the free space...), at /builds/w
Categories: Core :: Layout: Flexbox, defect, P3
Tracking: RESOLVED FIXED, mozilla65
People: Reporter: jkratzer, Assigned: dholbert
References: Blocks 1 open bug
Details: Keywords: assertion, testcase
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 26990836dc5c.
OS|Linux|0.0.0 Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsFlexContainerFrame::FlexLine::ResolveFlexibleLengths(int, ComputedFlexLineInfo*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFlexContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|2711|0x5
0|1|libxul.so|nsFlexContainerFrame::DoFlexLayout(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, int, int, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFlexContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|4753|0x11
0|2|libxul.so|nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFlexContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|4400|0x46
0|3|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|951|0x1a
0|4|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|804|0x4d
0|5|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|951|0x1a
0|6|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|608|0x5
0|7|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|731|0x14
0|8|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|1120|0x5
0|9|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|995|0x19
0|10|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|339|0x2b
0|11|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|9026|0x25
0|12|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|9199|0xe
0|13|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|4351|0x15
0|14|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|1926|0x5
0|15|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|324|0x8
0|16|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|317|0xc
0|17|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|755|0xc
0|18|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|571|0xc
0|19|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|78|0x9
0|20|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:2c36fa176485b987fd1c1ce548d1f34c4c8bfdea36ff5dd016400feb13d3c5c0c7f99d5a56d13733937c9483a48617af010c09f521533a5ce0fc1f74c50b86a2/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|21|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|2248|0x6
0|22|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|2175|0xb
0|23|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|2012|0xb
0|24|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|2045|0xc
0|25|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|1161|0x15
0|26|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|519|0x11
0|27|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|125|0xd
0|28|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:26990836dc5cc3cd1b8027392b79210e71094dc3|325|0x17
0|29|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:26990836dc5cc3cd1b8027392b79210e71094dc3|318|0x8
0|30|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|158|0xd
0|31|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|944|0x11
0|32|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|269|0x5
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:26990836dc5cc3cd1b8027392b79210e71094dc3|325|0x17
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:26990836dc5cc3cd1b8027392b79210e71094dc3|318|0x8
0|35|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|770|0x8
0|36|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|50|0x14
0|37|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:26990836dc5cc3cd1b8027392b79210e71094dc3|287|0x11
0|38|libc-2.27.so||||0x21b97
0|39|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:26990836dc5cc3cd1b8027392b79210e71094dc3|164|0x5
Flags: in-testsuite?
Updated•6 years ago
Component: Layout → Layout: Flexbox
Assignee
Comment 1•6 years ago
There's likely some integer underflow/overflow here... The testcase has
margin: -18069em [...];
font-size: calc(59902%);
So the font-size is huge, which makes that large negative "em" margin-value extra-huge.
It's possible the fatal assertion just needs to be nonfatal, if it's not underflow-resistant. (as long as its failure condition doesn't hork the logic / codepath too horribly)
Priority: -- → P3
Assignee
Comment 2•6 years ago
Before we hit the fatal assertion, we also hit this nonfatal one, which is a sign about what's going wrong:
###!!! ASSERTION: availableFreeSpace's sign should match isUsingFlexGrow: '(isUsingFlexGrow && availableFreeSpace >= 0) || (!isUsingFlexGrow && availableFreeSpace <= 0)', file /scratch/work/builds/mozilla-central/mozilla/layout/generic/nsFlexContainerFrame.cpp, line 2778
And there's one other sign that things are bogus -- our line's "mTotalOuterHypotheticalMainSize" is -1062011227. (which is saying that its items collectively want to be a huge negative size, basically.)
It seems like we've got integer overflow which is throwing off all of our assumptions that our computations should be internally consistent (that e.g. sizes should be nonnegative, that the sign of the free space should match our initial computation of which flex factor to use, and that the sign of the free space shouldn't change while we're handing out portions of it).
This all arises from absurdly-large sizes in the testcase, which removes all guarantees about coming up with a consistent layout, so we're fine as long as we don't crash or infinite loop or anything -- and we don't, fortunately.
So, let's just relax the fatal assertion, since its asserted condition isn't really guaranteed in light of the possibility of integer overflow.
Assignee: nobody → dholbert
Status: NEW → ASSIGNED
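The sign inconsistency described in comment 2, as an added example that is not part of the bug or of Gecko's code: it computes a flex line's free space once with 32-bit wraparound and once exactly in 64 bits, and reports when the two disagree on sign. The `Coord` alias, the function names and the input sizes are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption: layout coordinates are 32-bit signed integers (hypothetical
// alias; the page only shows that the line's total went negative).
using Coord = int32_t;

// Two's-complement wraparound, done in unsigned space so the demonstration
// itself has no undefined behaviour.
static Coord WrapAdd(Coord a, Coord b) {
  return static_cast<Coord>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}
static Coord WrapSub(Coord a, Coord b) {
  return static_cast<Coord>(static_cast<uint32_t>(a) - static_cast<uint32_t>(b));
}
static int Sign(int64_t v) { return (v > 0) - (v < 0); }

struct FreeSpaceCheck {
  Coord wrapped;     // what 32-bit arithmetic yields
  int64_t exact;     // same computation in 64 bits
  bool overflowed;   // the 32-bit result is not the exact one
  bool signFlipped;  // grow/shrink decision would differ
};

// Free space = container main size minus the sum of the items' outer sizes.
FreeSpaceCheck CheckFreeSpace(Coord container, const std::vector<Coord>& outerSizes) {
  Coord wrappedTotal = 0;
  int64_t exactTotal = 0;
  for (Coord s : outerSizes) {
    wrappedTotal = WrapAdd(wrappedTotal, s);
    exactTotal += s;
  }
  Coord wrapped = WrapSub(container, wrappedTotal);
  int64_t exact = static_cast<int64_t>(container) - exactTotal;
  return {wrapped, exact, exact != wrapped, Sign(exact) != Sign(wrapped)};
}

int main() {
  // Constructed input: two items whose huge negative margins dominate.
  FreeSpaceCheck r = CheckFreeSpace(60000, {-1500000000, -1500000000});
  std::printf("wrapped=%d exact=%lld overflowed=%d signFlipped=%d\n", r.wrapped,
              static_cast<long long>(r.exact), r.overflowed, r.signFlipped);
  return 0;
}
```

With the constructed sizes the exact free space is positive while the wrapped value is negative, which is the kind of mismatch a sign-consistency assertion cannot survive.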
Assignee
Comment 3•6 years ago
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e831cc55b0c
Soften an assertion about sign of free space in flex layout, since absurdly large sizes can cause it to fail. r=bradwerth
Comment 5•6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 6•6 years ago
Since this is not a recent regression, wontfix for 63 and esr60.
status-firefox63:
--- → wontfix
status-firefox-esr60:
--- → wontfix
Updated•6 years ago
Flags: in-testsuite? → in-testsuite+