Closed Bug 1515124 Opened 1 year ago Closed 1 year ago

Crash in InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowInFragmentainer

Categories

(Core :: Layout: Block and Inline, defect, critical)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: mats)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file testcase.html
#0 0x55c368e8d4d8 in MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 0x55c368e8d3ed in MOZ_CrashPrintf src/mfbt/Assertions.cpp:55:3
#2 0x7f9a2ec905ca in InvalidArrayIndex_CRASH(unsigned long, unsigned long) src/xpcom/ds/nsTArray.cpp:24:3
#3 0x7f9a39913392 in nsGridContainerFrame::ReflowInFragmentainer(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer&, nsSize const&) src/obj-firefox/dist/include/nsTArray.h
#4 0x7f9a39919ede in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5449:13
#5 0x7f9a3991ee0e in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5806:11
#6 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#7 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#8 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#9 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#10 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#11 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#12 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#13 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#14 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#15 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#16 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#17 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#18 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#19 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#20 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#21 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#22 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#23 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#24 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#25 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#26 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#27 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#28 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#29 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#30 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#31 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#32 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#33 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#34 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#35 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#36 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#37 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#38 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#39 0x7f9a3974cb5f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:731:5
#40 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#41 0x7f9a3988cc5d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:573:3
#42 0x7f9a3988e7ce in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:686:3
#43 0x7f9a39893fe4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1052:3
#44 0x7f9a396aa966 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:922:14
#45 0x7f9a396a9226 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:314:7
#46 0x7f9a393e15db in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8486:11
#47 0x7f9a3940000c in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8655:24
#48 0x7f9a393fd8be in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4081:11
#49 0x7f9a39369f32 in FlushPendingNotifications src/layout/base/nsIPresShell.h:575:5
#50 0x7f9a39369f32 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1783
#51 0x7f9a3937cbca in TickDriver src/layout/base/nsRefreshDriver.cpp:327:13
#52 0x7f9a3937cbca in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:304
#53 0x7f9a3937c36f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:321:5
#54 0x7f9a3937fd1e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:726:5
#55 0x7f9a3937fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:646
#56 0x7f9a3937f680 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:546:9
#57 0x7f9a39e74655 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#58 0x7f9a30b8146b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#59 0x7f9a30792d0a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
#60 0x7f9a300261a9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2159:21
#61 0x7f9a30021dc9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2086:9
#62 0x7f9a30023ea1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1935:3
#63 0x7f9a30024bf7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1966:13
#64 0x7f9a2edd627c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#65 0x7f9a2edde984 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#66 0x7f9a3002f22f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#67 0x7f9a2ff27fae in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#68 0x7f9a2ff27fae in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#69 0x7f9a2ff27fae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#70 0x7f9a38c84143 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#71 0x7f9a3d5a145e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#72 0x7f9a2ff27fae in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#73 0x7f9a2ff27fae in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#74 0x7f9a2ff27fae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#75 0x7f9a3d5a052e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#76 0x55c368e1a864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#77 0x55c368e1a864 in main src/browser/app/nsBrowserApp.cpp:265
#78 0x7f9a51b25b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#79 0x55c368d3feec in _start (firefox+0x2deec)

The same testcase also triggers:

Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at src/layout/generic/nsGridContainerFrame.cpp:1815

#0 nsGridContainerFrame::GridReflowInput::InitializeForContinuation(nsGridContainerFrame*, int) src/layout/generic/nsGridContainerFrame.cpp:1800:43
#1 nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5774:21
#2 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#3 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#4 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#5 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#6 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
...
Flags: in-testsuite?
The bug is actually not in the Grid layout code, but in RenumberList().
We call RenumberList() for every block fragment here:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/generic/nsBlockFrame.cpp#1164
but RenumberList() is actually just processing the FirstInFlow():
https://searchfox.org/mozilla-central/source/layout/generic/nsContainerFrame.cpp#1731,1734
so what happens here is that we called RenumberList() on a continuation
that left some NS_FRAME_HAS_DIRTY_CHILDREN around in the FIF subtree.
This means that we can get into a frame tree state like so:
<reflow-root frame that does not have NS_FRAME_HAS_DIRTY_CHILDREN>
  <non-reflow-root frame without NS_FRAME_HAS_DIRTY_CHILDREN>
    ...
      <A1: first-in-flow block with a counter scope, without NS_FRAME_HAS_DIRTY_CHILDREN>
        <B1: block with NS_FRAME_HAS_DIRTY_CHILDREN>
          ...
            <C1: first-in-flow grid container frame>
...
      <A2: next-in-flow of A1>
        <B2: next-in-flow of B1>
          ...
            <C2: next-in-flow of C1>

after reflowing A2 (the RenumberList() call added the bits on B1).

Now, an unsuspecting nsGridContainerFrame (with pushed grid items) comes along
and calls FrameNeedsReflow because a child was inserted in it:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/generic/nsGridContainerFrame.cpp#6520
The PresShell::FrameNeedsReflow call on C1 then bails out when it
sees NS_FRAME_HAS_DIRTY_CHILDREN on B1:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/base/PresShell.cpp#2707,2711,2716
so we never actually add C1's reflow root to mDirtyRoots.
This eventually leads to a reflow of C2 without reflowing C1, which
violates nsGridContainerFrame invariants.
Assignee: nobody → mats
Severity: normal → critical
Component: Layout: Grid → Layout: Block and Inline
OS: Unspecified → All
Hardware: Unspecified → All
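As an added illustration (not code from Gecko or from this bug), a small C++ model of the ancestor walk described in the comment above: a stale NS_FRAME_HAS_DIRTY_CHILDREN bit on B1 makes the walk bail out before C1's reflow root is queued. The Frame struct, Run, Result and DirtyBitsConsistent are invented for this model; only the flag names mirror Gecko's.

```cpp
// Added example (not Gecko code): toy model of the ancestor walk that
// PresShell::FrameNeedsReflow performs, plus an invariant check that
// flags a dirty bit whose reflow root was never queued.
#include <algorithm>
#include <vector>

enum : unsigned {
  NS_FRAME_IS_DIRTY = 1u << 0,
  NS_FRAME_HAS_DIRTY_CHILDREN = 1u << 1,
  NS_FRAME_REFLOW_ROOT = 1u << 2,
};

struct Frame { const char* name; Frame* parent; unsigned state; };

static bool Contains(const std::vector<Frame*>& aList, const Frame* aFrame) {
  return std::find(aList.begin(), aList.end(), aFrame) != aList.end();
}

// Mark aFrame dirty and walk up, setting HAS_DIRTY_CHILDREN on each ancestor
// until the reflow root is reached and queued. An ancestor that already has
// the bit is taken to mean "a dirty root is already queued", so we stop.
static bool FrameNeedsReflow(Frame* aFrame, std::vector<Frame*>& aDirtyRoots) {
  aFrame->state |= NS_FRAME_IS_DIRTY;
  Frame* f = aFrame;
  while (!(f->state & NS_FRAME_REFLOW_ROOT)) {
    Frame* p = f->parent;
    if (!p || (p->state & NS_FRAME_HAS_DIRTY_CHILDREN)) return false;  // bail out
    p->state |= NS_FRAME_HAS_DIRTY_CHILDREN;
    f = p;
  }
  if (!Contains(aDirtyRoots, f)) aDirtyRoots.push_back(f);
  return true;
}

// Invariant check: a frame with HAS_DIRTY_CHILDREN must have its nearest
// reflow root (itself or an ancestor) queued, otherwise the bit is stale.
static bool DirtyBitsConsistent(const std::vector<Frame*>& aFrames,
                                const std::vector<Frame*>& aDirtyRoots) {
  for (Frame* f : aFrames) {
    if (!(f->state & NS_FRAME_HAS_DIRTY_CHILDREN)) continue;
    Frame* r = f;
    while (r && !(r->state & NS_FRAME_REFLOW_ROOT)) r = r->parent;
    if (!r || !Contains(aDirtyRoots, r)) return false;
  }
  return true;
}

struct Result { bool rootQueued; bool bitsConsistent; };

// Builds the tree from the comment (reflow root > non-root > A1 > B1 > C1) and
// lets C1 ask for reflow; aStaleBitOnB1 models the bit RenumberList() left.
static Result Run(bool aStaleBitOnB1) {
  Frame root{"reflow-root", nullptr, NS_FRAME_REFLOW_ROOT};
  Frame x{"non-reflow-root", &root, 0};
  Frame a1{"A1", &x, 0}, b1{"B1", &a1, 0}, c1{"C1", &b1, 0};
  if (aStaleBitOnB1) b1.state |= NS_FRAME_HAS_DIRTY_CHILDREN;
  std::vector<Frame*> dirtyRoots;
  FrameNeedsReflow(&c1, dirtyRoots);
  std::vector<Frame*> all{&root, &x, &a1, &b1, &c1};
  return {Contains(dirtyRoots, &root), DirtyBitsConsistent(all, dirtyRoots)};
}
```

With the stale bit present, Run(true) reports the root never queued and the invariant violated, which is the state that later lets C2 reflow without C1.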
Is this a regression from the dirty roots change?
What is "the dirty roots change"?
The crash also occurs in rev 0bb1f2417265 just before that bug landed.
(also, the testcase contains no specified width/height)

Would you be able to set a priority for this to get it off the triage queue, Mats?

Flags: needinfo?(mats)

I removed RenumberList() and all related code in bug 288704,
so this should be fixed now. I pushed the crashtest.

Status: NEW → RESOLVED
Closed: 1 year ago
Depends on: 288704
Flags: needinfo?(mats)
Flags: in-testsuite?
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla68