Closed Bug 1547305 Opened 5 years ago Closed 3 years ago

Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:1817

Categories

(Core :: Layout: Grid, defect, P3)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1644819
Tracking Flags:
Tracking Status
firefox68 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

testcase.html
459 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 0ec836eceb96.

Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:1817

rax = 0x0000557f5347be40 rdx = 0x0000000000000000
rcx = 0x00007fa91a8d95ca rbx = 0x00007ffd63121bc0
rsi = 0x00007fa9257498b0 rdi = 0x00007fa925748680
rbp = 0x00007ffd63121990 rsp = 0x00007ffd631218c0
r8 = 0x00007fa9257498b0 r9 = 0x00007fa9268b3740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000001 r13 = 0x00007fa8f1008530
r14 = 0x00007ffd63121930 r15 = 0x0000000000000002
rip = 0x00007fa91716618f
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsGridContainerFrame::GridReflowInput::InitializeForContinuation(nsGridContainerFrame*, int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1757|0x0
0|1|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|5776|0x5
0|2|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|893|0x1d
0|3|libxul.so|nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, nsOverflowAreas&, unsigned int, nsReflowStatus&, void ()(nsFrameList&, nsFrameList&, nsContainerFrame))|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1141|0x1f
0|4|libxul.so|nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|5441|0x37
0|5|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|5810|0x29
0|6|libxul.so|nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|9197|0x1e
0|7|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|9367|0x11
0|8|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4198|0x15
0|9|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1949|0x13
0|10|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|325|0xb
0|11|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|341|0xf
0|12|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|708|0xf
0|13|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|508|0x15
0|14|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1180|0x15
0|15|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|486|0x11
0|16|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|88|0xa
0|17|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|315|0x17
0|18|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|290|0x8
0|19|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|137|0xd
0|20|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|270|0xe
0|21|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4584|0x11
0|22|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4722|0x8
0|23|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4803|0x5
0|24|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|212|0x22
0|25|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|291|0xd
0|26|libc-2.27.so|__libc_start_main|||0xe7
0|27|firefox-bin|_start|||0x29

Flags: in-testsuite?
Flags: needinfo?(mats)

Before the fatal assertion above, there's a non-fatal assertion:
###!!! ASSERTION: reflow roots should never split: '!target->GetNextInFlow() && !target->GetPrevInFlow()', file layout/base/PresShell.cpp, line 913
'target' is a nsGridContainerFrame, which is a child of a ColumnSetFrame,
so it has been fragmented, hence the non-null GetNextInFlow/GetPrevInFlow.
It has NS_FRAME_DYNAMIC_REFLOW_ROOT set though, which I assume violates
some new invariant associated with this bit?
The assertion seems to imply that frames with NS_FRAME_DYNAMIC_REFLOW_ROOT
should never return INCOMPLETE reflow status. (since that leads to
fragmentation)

(If so, then this assertion should instead/also be placed in
nsCSSFrameConstructor::CreateContinuingFrame to catch this error
earlier.)

FWIW, if I make the following change to ReflowInput::InitDynamicReflowRoot
then there's no assertion or crash:

+  if (mFrame->IsGridContainerFrame()) {
+    canBeDynamicReflowRoot = false;
+  }
+
   if (canBeDynamicReflowRoot) {
     mFrame->AddStateBits(NS_FRAME_DYNAMIC_REFLOW_ROOT);
   } else {
     mFrame->RemoveStateBits(NS_FRAME_DYNAMIC_REFLOW_ROOT);
   }

so I'm guessing this is a regression from bug 1159042.

Severity: normal → critical
Flags: needinfo?(mats)
Keywords: crash, regression
OS: Unspecified → All
Regressed by: 1159042
Hardware: Unspecified → All
Priority: -- → P3

Maybe we need to just turn off dynamic reflow roots inside of fragmentainers. (Probably need to think about this a bit more.)

InitDynamicReflowRoot() should perhaps check if we're being fragmented?

Bughunter reproduces the assertion on Nightly Windows and Linux and also crashes in opt builds on Windows: bp-3785b092-45ed-4ceb-85ce-427d30191112 I do not crash Firefox Release on Windows however.

Correction: While I couldn't reproduce the crash in opt Linux Nightly builds, Bughunter could.

Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowChildren ]

(In reply to Bob Clary [:bc:] from comment #3)

Bughunter reproduces the assertion on Nightly Windows and Linux [...] I do not crash Firefox Release on Windows however.

This makes sense, given that this bug involves dynamic reflow roots which aren't enabled past early-beta.

Hey Jason,
Please update the resolution or the affected flags for this issue when you have the time. Thank you!

Flags: needinfo?(jkratzer)

This issue no longer reproduces on mozilla-central rev fc74eb2c7b84. A bisection appears to show that it has been fixed by bug 1644819.

Start: b4fee14fe36ae084fb392de2a40bcbd9a226bec3 (20200613191228)
End: f4f558d1cc36ef3e1c3d3c0ca9ab576a315cedea (20200613192642)
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b4fee14fe36ae084fb392de2a40bcbd9a226bec3&tochange=f4f558d1cc36ef3e1c3d3c0ca9ab576a315cedea

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: