Assertion failure: false (MOZ_ASSERT_UNREACHABLE: should have been handled already), at /builds/worker/workspace/build/src/intl/lwbrk/LineBreaker.cpp:523

RESOLVED FIXED in Firefox 69

Status

defect
P2
normal
RESOLVED FIXED
2 months ago
Last month

People

(Reporter: jkratzer, Assigned: jfkthame)

Tracking

(Blocks 1 bug, Regression, {assertion, regression, testcase})

Trunk
mozilla69
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox67 unaffected, firefox68 unaffected, firefox69 fixed)

Attachments

(3 attachments)

Posted file testcase.html

Testcase found while fuzzing mozilla-central rev 840b7106d8ae.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: should have been handled already), at /builds/worker/workspace/build/src/intl/lwbrk/LineBreaker.cpp:523

rax = 0x000055b268b76e40   rdx = 0x0000000000000000
rcx = 0x00007fb606341321   rbx = 0x000000000000fffd
rsi = 0x00007fb6123b28b0   rdi = 0x00007fb6123b1680
rbp = 0x00007ffd3e6c5a90   rsp = 0x00007ffd3e6c5a70
r8 = 0x00007fb6123b28b0    r9 = 0x00007fb61351c740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000000   r13 = 0x0000000000000001
r14 = 0x0000000000000004   r15 = 0x0000000000000002
rip = 0x00007fb6017d5dab
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|GetClass|hg:hg.mozilla.org/mozilla-central:intl/lwbrk/LineBreaker.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|523|0x3
0|1|libxul.so|mozilla::intl::LineBreaker::GetJISx4051Breaks(char16_t const*, unsigned int, mozilla::intl::LineBreaker::WordBreak, mozilla::intl::LineBreaker::Strictness, bool, unsigned char*)|hg:hg.mozilla.org/mozilla-central:intl/lwbrk/LineBreaker.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|988|0x5
0|2|libxul.so|nsLineBreaker::AppendText(nsAtom*, char16_t const*, unsigned int, unsigned int, nsILineBreakSink*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsLineBreaker.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|258|0x15
0|3|libxul.so|BuildTextRunsScanner::SetupBreakSinksForTextRun(gfxTextRun*, void const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|2691|0x1c
0|4|libxul.so|BuildTextRunsScanner::BuildTextRunForFrames(void*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|2475|0xf
0|5|libxul.so|BuildTextRunsScanner::FlushFrames(bool, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|1642|0x24
0|6|libxul.so|BuildTextRuns|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|1566|0x5
0|7|libxul.so|nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|2901|0x12
0|8|libxul.so|nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|8908|0x42
0|9|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|883|0x9
0|10|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|4333|0x14
0|11|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|4135|0x2d
0|12|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|4022|0x41
0|13|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|3052|0x20
0|14|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|2594|0x20
0|15|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|1334|0xf
0|16|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|297|0x10
0|17|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|3659|0x1e
0|18|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|3049|0x19
0|19|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|2594|0x20
0|20|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|1334|0xf
0|21|libxul.so|Gecko_ComputedStyle_Init|hg:hg.mozilla.org/mozilla-central:layout/style/GeckoBindings.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|183|0x12
0|22|libxul.so|style::gecko_properties::<impl style::gecko_bindings::structs::root::ServoComputedData>::to_outer|s3:gecko-generated-sources:d6d7237e7f6742395d272b920cbe495dc091117f8a6b8114036b9dc48f2815a3a384c26efb9d855f58c1191a50b20fb33cf5b49199460f75afeb8d0d77fbc5a1/x86_64-unknown-linux-gnu/debug/build/style-eb27a1892e2c4afb/out/gecko_properties.rs:|507|0x10
0|23|libxul.so|style::properties::StyleBuilder::build|s3:gecko-generated-sources:47d240ff01ebee8c0b0c4879b65a3cf86d312f4117fcccb49024f2e30911e978a832667693e56377c2fff83c25c185b0ce1b6f710c620dc1cf9b4affae4209d5/x86_64-unknown-linux-gnu/debug/build/style-eb27a1892e2c4afb/out/properties.rs:|85098|0xc1
Flags: in-testsuite?

Looks like a regression from line-break.

Jason, is that stack right? Most of the stack makes sense, but this:

0|20|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|1334|0xf
0|21|libxul.so|Gecko_ComputedStyle_Init|hg:hg.mozilla.org/mozilla-central:layout/style/GeckoBindings.cpp:840b7106d8ae3158aeba8268d2ac0b40c3682bcb|183|0x12
0|22|libxul.so|style::gecko_properties::<impl style::gecko_bindings::structs::root::ServoComputedData>::to_outer|s3:gecko-generated-sources:d6d7237e7f6742395d272b920cbe495dc091117f8a6b8114036b9dc48f2815a3a384c26efb9d855f58c1191a50b20fb33cf5b49199460f75afeb8d0d77fbc5a1/x86_64-unknown-linux-gnu/debug/build/style-eb27a1892e2c4afb/out/gecko_properties.rs:|507|0x10
0|23|libxul.so|style::properties::StyleBuilder::build|s3:gecko-generated-sources:47d240ff01ebee8c0b0c4879b65a3cf86d312f4117fcccb49024f2e30911e978a832667693e56377c2fff83c25c185b0ce1b6f710c620dc1cf9b4affae4209d5/x86_64-unknown-linux-gnu/debug/build/style-eb27a1892e2c4afb/out/properties.rs:|85098|0xc1

Makes zero sense :)

Flags: needinfo?(jfkthame)
Regressed by: 1531715

Yeah, clearly the fuzzer has found some kind of case that I overlooked or didn't think could happen; will investigate.

Assignee: nobody → jfkthame
Flags: needinfo?(jfkthame)
Priority: -- → P2

OK, this looks fairly straightforward: line-break:anywhere is intended to be handled without calling in to the advanced word-breaker at all, but I didn't properly deal with all the code paths leading there.

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ec11290605e4
Skip calling in to GetJISx4051Breaks when line-break:anywhere is in effect. r=emilio
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
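
A simplified model of the fix described in the commit message above, added here as an example; it is not Gecko source, and every name in it (ComplexBreaks, BreaksBefore, BreaksAfter, Throws, gComplexCalls) is hypothetical. It assumes line-break:anywhere means a break opportunity before every unit after the first, modelled per UTF-16 code unit, and uses an exception where the real code has a debug assertion.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified model, not Gecko source: all names below are hypothetical.
enum class Strictness { Auto, Loose, Normal, Strict, Anywhere };

static int gComplexCalls = 0;  // counts entries into the rule-based breaker

// Stand-in for the rule-based breaker. It has no rules for Anywhere, so
// reaching it in that mode is a caller bug (the assertion reported above).
std::vector<bool> ComplexBreaks(const std::u16string& text, Strictness s) {
  ++gComplexCalls;
  if (s == Strictness::Anywhere) {
    throw std::logic_error("should have been handled already");
  }
  std::vector<bool> breaks(text.size(), false);
  for (size_t i = 1; i < text.size(); ++i) {
    breaks[i] = (text[i - 1] == u' ');  // toy rule: break after a space
  }
  return breaks;
}

// Before: on this code path the mode is passed straight through.
std::vector<bool> BreaksBefore(const std::u16string& text, Strictness s) {
  return ComplexBreaks(text, s);
}

// After: Anywhere is resolved here and never reaches ComplexBreaks.
std::vector<bool> BreaksAfter(const std::u16string& text, Strictness s) {
  if (s == Strictness::Anywhere) {
    std::vector<bool> breaks(text.size(), true);
    if (!breaks.empty()) breaks[0] = false;  // no break before the first unit
    return breaks;
  }
  return ComplexBreaks(text, s);
}

// Reports whether the unfixed path trips the breaker's precondition.
bool Throws(const std::u16string& text, Strictness s) {
  try { BreaksBefore(text, s); } catch (const std::logic_error&) { return true; }
  return false;
}

int main() {
  std::u16string sample = u"a b\uFFFDc";  // constructed input, not the testcase
  return (Throws(sample, Strictness::Anywhere) &&
          BreaksAfter(sample, Strictness::Anywhere)[1]) ? 0 : 1;
}
```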

Can/should we land a test for this?

Flags: needinfo?(jfkthame)

Sure, we can land Jason's testcase as a layout crashtest, so it'll start asserting if we ever re-break this. I'll put up a patch.

Flags: needinfo?(jfkthame)