1547261 - Crash in [@ mozilla::ReflowInput::InitConstraints]

Status: RESOLVED FIXED

(Core :: Layout, defect, P2)

Description

[Marcia Knous [:marcia]]

This bug is for crash report bp-7cf40f9f-0feb-43bf-8628-11d8a0190426.

Seen while looking at nightly MacOS crashes - started in 20190426094913: https://bit.ly/2Pum4lT

Reproducible using https://marketplace.digitalocean.com/category/developer-tools?utm_medium=onboarding&utm_source=local&utm_campaign=Marketplace

MOZ_RELEASE_ASSERT(mIsSome)

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0ec836eceb969c548067cee6de2ea213513a43d5&tochange=7d47e7fa2489550ffa83aae67715c5497048923f

Top 10 frames of crashing thread:

0 XUL mozilla::ReflowInput::InitConstraints layout/generic/ReflowInput.cpp:2392
1 XUL mozilla::ReflowInput::Init layout/generic/ReflowInput.cpp:379
2 XUL nsAbsoluteContainingBlock::Reflow layout/generic/ReflowInput.cpp:181
3 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1435
4 XUL nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:297
5 XUL nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2802
6 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1198
7 XUL nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:297
8 XUL nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2802
9 XUL nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1198

Comment 1

[Marcia Knous [:marcia]]

There are some similar signatures in an earlier 4-25, maybe regressed by Bug 1546223? ni on :YYLin.

Comment 2

[Emilio Cobos Álvarez (:emilio)]

[Tracking Requested - why for this release]: Reproducible crash which would be uninitialized memory usage if it gets to release.

Comment 3

[Ting-Yu Lin [:TYLin] (PST, UTC-8)]

I can reproduce this locally by loading https://marketplace.digitalocean.com/category/developer-tools?utm_medium=onboarding&utm_source=local&utm_campaign=Marketplace

The real bug happens in nsImageFrame::GetIntrinsicImageSize(nsSize&). There's a typo, so we don't check the validity of mIntrinsicSize.height

(rr) bt 20
#0  0x00007f0d05d9fe74 in mozilla::Maybe<int>::operator*() (this=0x7f0ce6fbf270) at /home/tlin/Projects/gecko/obj-firefox/dist/include/mozilla/Maybe.h:512
#1  0x00007f0d0b736529 in nsImageFrame::GetIntrinsicImageSize(nsSize&) (this=0x7f0ce6fbf1a0, aSize=...) at /home/tlin/Projects/gecko/layout/generic/nsImageFrame.cpp:2398
#2  0x00007f0d0b60d975 in GetIntrinsicSizeFor(nsIFrame*, nsSize&, mozilla::LayoutFrameType) (aFrame=0x7f0ce6fbf1a0, aIntrinsicSize=..., aFrameType=mozilla::LayoutFrameType::Image)
    at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1196
#3  0x00007f0d0b60cbbc in mozilla::ReflowInput::CalculateHypotheticalPosition(nsPresContext*, nsPlaceholderFrame*, mozilla::ReflowInput const*, nsHypotheticalPosition&, mozilla::LayoutFrameType) const (this=0x7ffe6f14e3d0, aPresContext=
    0x7f0cf32bd000, aPlaceholderFrame=0x7f0ce6fbf288, aCBReflowInput=0x7ffe6f14fd18, aHypotheticalPos=..., aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1344
#4  0x00007f0d0b60e121 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aCBReflowInput=0x7ffe6f14fd18, aCBSize=..., aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:1640
#5  0x00007f0d0b60a7d0 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0, aFrameType=mozilla::LayoutFrameType::Image) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:2392
#6  0x00007f0d0b606b78 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:379
#7  0x00007f0d0b6081d0 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) (this=0x7ffe6f14e3d0, aPresContext=0x7f0cf32bd000, aParentReflowInput=..., aFrame=0x7f0ce6fbf1a0, aAvailableSpace=..., aContainingBlockSize=..., aFlags=0) at /home/tlin/Projects/gecko/layout/generic/ReflowInput.cpp:226
#8  0x00007f0d0b62e740 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) (this=0x7f0cfc526220, aDelegatingFrame=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aReflowInput=..., aContainingBlock=..., aFlags=nsAbsoluteContainingBlock::AbsPosReflowFlags::ConstrainHeight, aKidFrame=0x7f0ce6fbf1a0, aStatus=..., aOverflowAreas=0x7ffe6f14fe8c) at /home/tlin/Projects/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:668
#9  0x00007f0d0b62d1f2 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) (this=0x7f0cfc526220, aDelegatingFrame=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aReflowInput=..., aReflowStatus=..., aContainingBlock=..., aFlags=nsAbsoluteContainingBlock::AbsPosReflowFlags::ConstrainHeight, aOverflowAreas=0x7ffe6f14fe8c)
    at /home/tlin/Projects/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:161
#10 0x00007f0d0b636c69 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) (this=0x7f0ce6fbf0e8, aPresContext=0x7f0cf32bd000, aMetrics=..., aReflowInput=..., aStatus=...)
    at /home/tlin/Projects/gecko/layout/generic/nsBlockFrame.cpp:1435
(rr) f 1
#1  0x00007f0d0b736529 in nsImageFrame::GetIntrinsicImageSize (this=0x7f0ce6fbf1a0, aSize=...) at /home/tlin/Projects/gecko/layout/generic/nsImageFrame.cpp:2398
warning: Source file is more recent than executable.
2398	    aSize.SizeTo(*mIntrinsicSize.width, *mIntrinsicSize.height);
(rr) l
2393	  return skip;
2394	}
2395	
2396	nsresult nsImageFrame::GetIntrinsicImageSize(nsSize& aSize) {
2397	  if (mIntrinsicSize.width && mIntrinsicSize.width) {
2398	    aSize.SizeTo(*mIntrinsicSize.width, *mIntrinsicSize.height);
2399	    return NS_OK;
2400	  }
2401	
2402	  return NS_ERROR_FAILURE;

Comment 4

[Ting-Yu Lin [:TYLin] (PST, UTC-8)]

Attachment: Bug 1547261 - Fix a typo in GetIntrinsicImageSize(). r?emilio

Comment 5

[Emilio Cobos Álvarez (:emilio)]

I was going to request a crashtest, but I'll find one. Thanks for finding this Ting-Yu, and sorry :(

Comment 6

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/429ab41a30c4
Fix a typo in GetIntrinsicImageSize(). r=emilio

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Reduced test-case: data:text/html,<img src="https://marketplace-assets.digitalocean.com/logos/directus-logo.svg" style="width: auto; height: 30px; position: absolute">

Comment 8

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/808fc8c6a041
Add a crashtest. r=me

Comment 9

[Ting-Yu Lin [:TYLin] (PST, UTC-8)]

No worries emilio, and thank you for adding a crashtest.

Comment 11

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/429ab41a30c4
https://hg.mozilla.org/mozilla-central/rev/808fc8c6a041