Closed Bug 1547261 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::ReflowInput::InitConstraints]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 + fixed

People

(Reporter: marcia, Assigned: TYLin)

References

(Regression)

Details

(Keywords: crash, regression, reproducible)

Crash Data

Attachments

(1 file)

Bug 1547261 - Fix a typo in GetIntrinsicImageSize(). r?emilio
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-7cf40f9f-0feb-43bf-8628-11d8a0190426.

Seen while looking at nightly MacOS crashes - started in 20190426094913: https://bit.ly/2Pum4lT

Reproducible using https://marketplace.digitalocean.com/category/developer-tools?utm_medium=onboarding&utm_source=local&utm_campaign=Marketplace

MOZ_RELEASE_ASSERT(mIsSome)

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0ec836eceb969c548067cee6de2ea213513a43d5&tochange=7d47e7fa2489550ffa83aae67715c5497048923f

Top 10 frames of crashing thread:

0 XUL mozilla::ReflowInput::InitConstraints layout/generic/ReflowInput.cpp:2392
1 XUL mozilla::ReflowInput::Init layout/generic/ReflowInput.cpp:379
2 XUL nsAbsoluteContainingBlock::Reflow layout/generic/ReflowInput.cpp:181
3 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1435
4 XUL nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:297
5 XUL nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2802
6 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1198
7 XUL nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:297
8 XUL nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2802
9 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1198

There are some similar signatures in an earlier 4-25, maybe regressed by Bug 1546223? ni on :YYLin.

Flags: needinfo?(aethanyc)
Crash Signature: [@ mozilla::ReflowInput::InitConstraints] → [@ mozilla::ReflowInput::InitConstraints] [@ mozilla::ReflowInput::ReflowInput]

[Tracking Requested - why for this release]: Reproducible crash which would be uninitialized memory usage if it gets to release.

tracking-firefox68: --- → ?
Priority: -- → P2

I can reproduce this locally by loading https://marketplace.digitalocean.com/category/developer-tools?utm_medium=onboarding&utm_source=local&utm_campaign=Marketplace

The real bug happens in nsImageFrame::GetIntrinsicImageSize(nsSize&). There's a typo, so we don't check the validity of mIntrinsicSize.height

(rr) bt 20
#0  0x00007f0d05d9fe74 in mozilla::Maybe<int>::operator*() (this=0x7f0ce6fbf270) at /home/tlin/Projects/gecko/obj-firefox/dist/include/mozilla/Maybe.h:512
#1  0x00007f0d0b736529 in nsImageFrame::GetIntrinsicImageSize(nsSize&) (this=0x7f0ce6fbf1a0, aSize=...) at /home/tlin/Projects/gecko/layout/generic/nsImageFrame.cpp:2398
#2  0x00007f0d0b60d975 in GetIntrinsicSizeFor(nsIFrame*, nsSize&, mozilla::LayoutFrameType) (aFrame=0x7f0ce6fbf1a0, aIntrinsicSize=..., aFrameType=mozilla::LayoutFrameType::Image)
    at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1196
#3  0x00007f0d0b60cbbc in mozilla::ReflowInput::CalculateHypotheticalPosition(nsPresContext*, nsPlaceholderFrame*, mozilla::ReflowInput const*, nsHypotheticalPosition&, mozilla::LayoutFrameType) const (this=0x7ffe6f14e3d0, aPresContext=
    0x7f0cf32bd000, aPlaceholderFrame=0x7f0ce6fbf288, aCBReflowInput=0x7ffe6f14fd18, aHypotheticalPos=..., aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1344
#4  0x00007f0d0b60e121 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aCBReflowInput=0x7ffe6f14fd18, aCBSize=..., aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1640
#5  0x00007f0d0b60a7d0 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0, aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:2392
#6  0x00007f0d0b606b78 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:379
#7  0x00007f0d0b6081d0 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aParentReflowInput=..., aFrame=0x7f0ce6fbf1a0, aAvailableSpace=..., aContainingBlockSize=..., aFlags=0) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:226
#8  0x00007f0d0b62e740 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) (this=0x7f0cfc526220, aDelegatingFrame=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aReflowInput=..., aContainingBlock=..., aFlags=nsAbsoluteContainingBlock::AbsPosReflowFlags::ConstrainHeight, aKidFrame=0x7f0ce6fbf1a0, aStatus=..., aOverflowAreas=0x7ffe6f14fe8c) at /home/tlin/Projects/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:668
#9  0x00007f0d0b62d1f2 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) (this=0x7f0cfc526220, aDelegatingFrame=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aReflowInput=..., aReflowStatus=..., aContainingBlock=..., aFlags=nsAbsoluteContainingBlock::AbsPosReflowFlags::ConstrainHeight, aOverflowAreas=0x7ffe6f14fe8c)
    at /home/tlin/Projects/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:161
#10 0x00007f0d0b636c69 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) (this=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aMetrics=..., aReflowInput=..., aStatus=...)
    at /home/tlin/Projects/gecko/layout/generic/nsBlockFrame.cpp:1435
(rr) f 1
#1  0x00007f0d0b736529 in nsImageFrame::GetIntrinsicImageSize (this=0x7f0ce6fbf1a0, aSize=...) at /home/tlin/Projects/gecko/layout/generic/nsImageFrame.cpp:2398
warning: Source file is more recent than executable.
2398	    aSize.SizeTo(*mIntrinsicSize.width, *mIntrinsicSize.height);
(rr) l
2393	  return skip;
2394	}
2395	
2396	nsresult nsImageFrame::GetIntrinsicImageSize(nsSize& aSize) {
2397	  if (mIntrinsicSize.width && mIntrinsicSize.width) {
2398	    aSize.SizeTo(*mIntrinsicSize.width, *mIntrinsicSize.height);
2399	    return NS_OK;
2400	  }
2401	
2402	  return NS_ERROR_FAILURE;
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Regressed by: 1547138

I was going to request a crashtest, but I'll find one. Thanks for finding this Ting-Yu, and sorry :(

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/429ab41a30c4 Fix a typo in GetIntrinsicImageSize(). r=emilio

Reduced test-case: data:text/html,<img src="https://marketplace-assets.digitalocean.com/logos/directus-logo.svg" style="width: auto; height: 30px; position: absolute">

Flags: needinfo?(emilio)

No worries emilio, and thank you for adding a crashtest.

Crash Signature: [@ mozilla::ReflowInput::InitConstraints] [@ mozilla::ReflowInput::ReflowInput] → [@ mozilla::ReflowInput::InitConstraints] [@ mozilla::ReflowInput::ReflowInput] [@ nsImageFrame::GetIntrinsicImageSize]

https://hg.mozilla.org/mozilla-central/rev/429ab41a30c4
https://hg.mozilla.org/mozilla-central/rev/808fc8c6a041

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Crash Signature: [@ mozilla::ReflowInput::InitConstraints] [@ mozilla::ReflowInput::ReflowInput] [@ nsImageFrame::GetIntrinsicImageSize] → [@ mozilla::ReflowInput::InitConstraints] [@ mozilla::ReflowInput::ReflowInput] [@ nsImageFrame::GetIntrinsicImageSize]
status-firefox66: --- → unaffected
status-firefox67: --- → unaffected
status-firefox-esr60: --- → unaffected
tracking-firefox68: ?+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: