Closed Bug 1533885 Opened 6 months ago Closed 5 months ago

Assertion failure: !IsFramePartOfIBSplit(aParentFrame) (We should have wiped aParentFrame in WipeContainingBlock if it's part of IB split!), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10885

Categories

(Core :: Layout: Columns, defect, P3)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 54ed5eac2abc.

Assertion failure: !IsFramePartOfIBSplit(aParentFrame) (We should have wiped aParentFrame in WipeContainingBlock if it's part of IB split!), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10885

OS|Linux|0.0.0 Linux 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64
CPU|amd64|family 6 model 60 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsCSSFrameConstructor::MaybeRecreateForColumnSpan(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|10883|0x0
0|1|libxul.so|nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|7333|0x24
0|2|libxul.so|nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|8689|0x19
0|3|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:13db12a097dfdcf56704ddc1845403207891b013|1583|0x12
0|4|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:13db12a097dfdcf56704ddc1845403207891b013|3107|0xb
0|5|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:13db12a097dfdcf56704ddc1845403207891b013|4122|0x19
0|6|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|1888|0x5
0|7|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|342|0xb
0|8|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|336|0xf
0|9|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|777|0xf
0|10|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|592|0x11
0|11|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:13db12a097dfdcf56704ddc1845403207891b013|65|0x8
0|12|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:77ce59d8b2c7052469c47c063657e9de1ccc8108986d35814c718a6919e13f00c69b96f485bc73c2590f51f3ea688a95fac179d8497a06fdf9265adfe5cefbb3/ipc/ipdl/PVsyncChild.cpp:|168|0xb
0|13|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|2151|0x6
0|14|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|2078|0xb
0|15|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|1937|0xb
0|16|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|1968|0xc
0|17|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:13db12a097dfdcf56704ddc1845403207891b013|1179|0x15
0|18|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:13db12a097dfdcf56704ddc1845403207891b013|482|0x11
0|19|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:13db12a097dfdcf56704ddc1845403207891b013|88|0xa
0|20|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|315|0x17
0|21|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|308|0x8
0|22|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:13db12a097dfdcf56704ddc1845403207891b013|137|0xd
0|23|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:13db12a097dfdcf56704ddc1845403207891b013|911|0x11
0|24|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:13db12a097dfdcf56704ddc1845403207891b013|238|0x5
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|315|0x17
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|308|0x8
0|27|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:13db12a097dfdcf56704ddc1845403207891b013|749|0xc
0|28|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:13db12a097dfdcf56704ddc1845403207891b013|49|0x14
0|29|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:13db12a097dfdcf56704ddc1845403207891b013|265|0x11
0|30|libc-2.27.so||||0x21b97
0|31|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:13db12a097dfdcf56704ddc1845403207891b013|184|0x5

Flags: in-testsuite?
Component: Layout → Layout: Columns
Priority: -- → P3

To reproduce the assertion, we need to enable layout.css.column-span.enabled.

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED

The test case triggers MOZ_ASSERT(!IsFramePartOfIBSplit(aParentFrame))
in MaybeRecreateForColumnSpan() because WipeContainingBlock() returns
early when the FrameConstructionItemList is empty. Thus, it doesn't wipe
the aParentFrame even if it's part of an IB split.

Similarly, MaybeRecreateForColumnSpan() doesn't need to do anything if
the frame list is empty because there's no way it can contain a
column-span. (An empty frame construction item list constructs no frames.)
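
A simplified C++ model of the mismatch described above, added here as an illustration and not taken from Gecko or the landed patch. The types, the `InsertContent` driver, the `bailOnEmpty` switch and the `Result` values are hypothetical stand-ins; a returned `AssertionFailed` models the MOZ_ASSERT firing.

```cpp
// Simplified model of the bug; every type and body is a hypothetical stand-in.
#include <cstdio>
#include <vector>

struct Frame { bool partOfIBSplit; };
struct Item  { bool isColumnSpan; };
enum class Result { NothingToDo, Reframed, AssertionFailed };

// Stand-in for WipeContainingBlock(): returns early on an empty item list,
// so an IB-split parent is not wiped in that case.
bool WipeContainingBlock(const Frame& parent, const std::vector<Item>& items) {
  if (items.empty()) return false;
  return parent.partOfIBSplit;  // true: parent wiped, frames get rebuilt
}

// Stand-in for MaybeRecreateForColumnSpan(). bailOnEmpty selects the fixed
// behaviour; AssertionFailed models MOZ_ASSERT(!IsFramePartOfIBSplit(...)).
Result MaybeRecreateForColumnSpan(const Frame& parent,
                                  const std::vector<Item>& frameList,
                                  bool bailOnEmpty) {
  if (bailOnEmpty && frameList.empty()) return Result::NothingToDo;
  if (parent.partOfIBSplit) return Result::AssertionFailed;
  for (const Item& f : frameList)
    if (f.isColumnSpan) return Result::Reframed;
  return Result::NothingToDo;
}

// Assumed call order: wipe check first, then the column-span check. The model
// uses one list for both, since an empty item list constructs no frames.
Result InsertContent(const Frame& parent, const std::vector<Item>& items,
                     bool fixed) {
  if (WipeContainingBlock(parent, items)) return Result::Reframed;
  return MaybeRecreateForColumnSpan(parent, items, fixed);
}

int main() {
  const Frame ibSplitParent{true};
  const std::vector<Item> empty;  // constructed input: nothing to insert
  std::printf("before fix: %d\n",
              static_cast<int>(InsertContent(ibSplitParent, empty, false)));
  std::printf("after fix:  %d\n",
              static_cast<int>(InsertContent(ibSplitParent, empty, true)));
  return 0;
}
```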

Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7b5a7b0be77d
Bail out from MaybeRecreateForColumnSpan if aFrameList is empty. r=dbaron
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
See Also: → 1537678
Blocks: 1504053
Flags: in-testsuite? → in-testsuite+