Closed Bug 1528771 Opened 1 year ago Closed 7 months ago

Assertion failure: !mHasRepeatAuto || (mMinSizingFunctions.Length() >= 1 && mRepeatAutoStart < mMinSizingFunctions.Length()), > at layout/generic/nsGridContainerFrame.cpp:868

Categories

(Core :: Layout: Grid, defect, P3, critical)

RESOLVED DUPLICATE of bug 1560397

People

(Reporter: jkratzer, Assigned: mats)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 8ef512bad00f.

==18613==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55f853eb05da bp 0x7f83fb325350 sp 0x7f83fb325340 T0)
==18613==The signal is caused by a WRITE memory access.
==18613==Hint: address points to the zero page.
#0 0x55f853eb05d9 in mozalloc_abort /builds/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:3
#1 0x7f83d5dc8c35 in Abort(char const*) /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:438:39
#2 0x7f83d5dc87fd in NS_DebugBreak /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp
#3 0x7f83e50d22be in fpehandler(int, siginfo*, void*) /builds/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp:148:5
#4 0x7f83faf0188f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1288f)
#5 0x7f83f9df6932 in div /build/glibc-OTsEL5/glibc-2.27/stdlib/div.c:55
#6 0x7f83e1267c46 in nsGridContainerFrame::TrackSizingFunctions::CalculateRepeatFillCount(nsStyleCoord const&, int, int, int) const /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:941:15
#7 0x7f83e1195f33 in nsGridContainerFrame::TrackSizingFunctions::InitRepeatTracks(nsStyleCoord const&, int, int, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:878:9
#8 0x7f83e118def9 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2997:49
#9 0x7f83e11c2db7 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5758:10
#10 0x7f83e0fdb88a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:889:14
#11 0x7f83e0fd9898 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:731:5
#12 0x7f83e0fdb88a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:889:14
#13 0x7f83e112a61b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:583:3
#14 0x7f83e112bf38 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:696:3
#15 0x7f83e1133901 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1090:3
#16 0x7f83e0f502df in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:928:14
#17 0x7f83e0f4eec4 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:320:7
#18 0x7f83e0c89bbb in nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8981:11
#19 0x7f83e0ca9410 in nsIPresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9151:24
#20 0x7f83e0ca64bf in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4174:11
#21 0x7f83dde87860 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:573:5
#22 0x7f83dde87860 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5420
#23 0x7f83dde87860 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:636
#24 0x7f83e0cde284 in mozilla::PresShell::EventHandler::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7724:19
#25 0x7f83e0cd5ba3 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6760:32
#26 0x7f83e0cd1705 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6443:23
#27 0x7f83e0436fa4 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:755:14
#28 0x7f83e0436944 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1061:9
#29 0x7f83e04de7bd in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:380:37
#30 0x7f83d95e85ba in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:528:21
#31 0x7f83dfaf91d6 in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1607:10
#32 0x7f83dfaf91d6 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1546
#33 0x7f83dfafa3ff in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1519:3
#34 0x7f83dfafa6f0 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1484:8
#35 0x7f83dfafa6f0 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp
#36 0x7f83d8159ee9 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3746:20
#37 0x7f83d762e8ea in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5663:28
#38 0x7f83d72eda89 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2150:21
#39 0x7f83d72e988a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2077:9
#40 0x7f83d72eba91 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1936:3
#41 0x7f83d72ec857 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1967:13
#42 0x7f83d6028295 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:292:32
#43 0x7f83d6067486 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#44 0x7f83d606f32d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#45 0x7f83d72f6e8f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#46 0x7f83d71e0fae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#47 0x7f83d71e0fae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#48 0x7f83d71e0fae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#49 0x7f83e0530433 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#50 0x7f83e50c565e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:908:20
#51 0x7f83d71e0fae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#52 0x7f83d71e0fae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#53 0x7f83d71e0fae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#54 0x7f83e50c47b3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#55 0x55f853eae874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#56 0x55f853eae874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#57 0x7f83f9dd4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

This isn't an ASAN-specific thing, or really a crash or a memory-related issue -- it's just a fatal assertion failure (which aborts via NS_DebugBreak/Abort/mozalloc_abort, as shown in the first few stack frames).

Specifically: running this in a debug build, I get the following fatal assertion-failure:

Assertion failure: !mHasRepeatAuto || (mMinSizingFunctions.Length() >= 1 && mRepeatAutoStart < mMinSizingFunctions.Length()),
at /scratch/work/builds/mozilla-central/mozilla/layout/generic/nsGridContainerFrame.cpp:868

The assertion is here:
https://searchfox.org/mozilla-central/rev/dbddac86aadf1d4871fb350bbe66db43728a9f81/layout/generic/nsGridContainerFrame.cpp#866

Flags: needinfo?(mats)
Keywords: crash → assertion
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:3 in mozalloc_abort → Assertion failure: !mHasRepeatAuto || (mMinSizingFunctions.Length() >= 1 && mRepeatAutoStart < mMinSizingFunctions.Length()), > at layout/generic/nsGridContainerFrame.cpp:868

I get a crash in an opt (non-debug) Nightly build, too. Crash report: bp-199a3828-35a9-4577-b1d2-949c50190226

Looks like the Crash Reason is "SIGFPE / FPE_INTDIV" which I believe means divide-by-zero, probably due to one of the conditions in the assertion being violated.

Keywords: crash
Priority: -- → P3
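To make the failure mode discussed in the comments above concrete, here is an added example that is not Gecko's code: a simplified model of the track list carrying the exact invariant from the assertion, an unchecked fill-count division that traps with SIGFPE in an opt build (where the assertion is compiled out), and a hardened variant that enforces the invariant at runtime. The struct layout, the fill-count arithmetic and the constructed inputs are assumptions for illustration.

```cpp
#include <cstdlib>
#include <optional>
#include <vector>

// Simplified model constructed for this example; the member names mirror the assertion
// quoted in the bug, but the struct and the fill-count arithmetic are not Gecko's code.
struct TrackSizingFunctions {
  std::vector<int> mMinSizingFunctions;  // fixed track sizes (model units)
  bool mHasRepeatAuto = false;           // track list contains repeat(auto-fill|auto-fit)
  std::size_t mRepeatAutoStart = 0;      // index of the repeat() within the list
  // Exactly the condition the fatal assertion at nsGridContainerFrame.cpp:868 checks.
  bool RepeatAutoInvariantHolds() const {
    return !mHasRepeatAuto ||
           (mMinSizingFunctions.size() >= 1 &&
            mRepeatAutoStart < mMinSizingFunctions.size());
  }
};

// Unchecked variant, mirroring the failure mode: in an opt build the assertion is compiled
// out, an empty sizing list makes the divisor 0, and std::div traps with SIGFPE/FPE_INTDIV.
int CalculateRepeatFillCountUnchecked(const TrackSizingFunctions& f, int availableSize, int gap) {
  int perRepetition = 0;
  for (int s : f.mMinSizingFunctions) perRepetition += s + gap;
  std::div_t d = std::div(availableSize + gap, perRepetition);  // perRepetition == 0 -> trap
  return d.quot < 1 ? 1 : d.quot;
}

// Hardened variant: enforce the invariant in every build and never divide by zero.
// nullopt tells the caller the track list is malformed and the repeat() must be dropped.
std::optional<int> CalculateRepeatFillCount(const TrackSizingFunctions& f, int availableSize, int gap) {
  if (!f.mHasRepeatAuto) return 0;                          // nothing to repeat
  if (!f.RepeatAutoInvariantHolds()) return std::nullopt;   // the shape the fuzzer found
  int perRepetition = 0;
  for (int s : f.mMinSizingFunctions) perRepetition += s + gap;
  if (perRepetition <= 0) return std::nullopt;              // all-zero tracks would also trap
  int count = std::div(availableSize + gap, perRepetition).quot;
  return count < 1 ? 1 : count;
}

// Constructed inputs: the malformed shape (repeat(auto-fill) with no sizing functions,
// modelling the fuzzed testcase) and a well-formed two-track list.
TrackSizingFunctions MalformedShape() { TrackSizingFunctions f; f.mHasRepeatAuto = true; return f; }
TrackSizingFunctions ValidShape() {
  TrackSizingFunctions f;
  f.mMinSizingFunctions = {100, 50}; f.mHasRepeatAuto = true; f.mRepeatAutoStart = 0;
  return f;
}
```

The unchecked variant is only safe to call on a well-formed list; the hardened one is what a release build needs, since MOZ_ASSERT-style checks do not run there.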

I have a fix for this in bug 1560397. I'll include this testcase as a crashtest there.

Assignee: nobody → mats
Status: NEW → RESOLVED
Closed: 7 months ago
Flags: needinfo?(mats)
Flags: in-testsuite?
Flags: in-testsuite+
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → DUPLICATE
Duplicate of bug: 1560397
Duplicate of this bug: 1569639