Closed Bug 1560349 Opened 5 years ago Closed 5 years ago

MozCrash near [@ nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1]

Categories

(Core :: Layout: Grid, defect, P3)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

testcase.html
513 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 19cf79b6f07d.

==7426==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fcde7aaf117 bp 0x7ffc36b0a2b0 sp 0x7ffc36b0a2b0 T0)
==7426==The signal is caused by a WRITE memory access.
==7426==Hint: address points to the zero page.
    #0 0x7fcde7aaf116 in MOZ_Crash /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:313:3
    #1 0x7fcde7aaf116 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:27
    #2 0x7fcdf32d0449 in ElementAt /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1034:7
    #3 0x7fcdf32d0449 in operator[] /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1070
    #4 0x7fcdf32d0449 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4805
    #5 0x7fcdf32c6d5e in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5274:11
    #6 0x7fcdf32a4178 in CalculateSizes /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4764:3
    #7 0x7fcdf32a4178 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3086
    #8 0x7fcdf32f1eb9 in CalculateTrackSizes /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3130:3
    #9 0x7fcdf32f1eb9 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:7078
    #10 0x7fcdf334c581 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:877:13
    #11 0x7fcdf30ab21e in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4343:15
    #12 0x7fcdf30a93f2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4145:5
    #13 0x7fcdf309dc2d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4030:9
    #14 0x7fcdf309470b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3062:5
    #15 0x7fcdf3085fbd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2601:7
    #16 0x7fcdf3079b14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1341:3
    #17 0x7fcdf30a5f24 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:297:11
    #18 0x7fcdf3098228 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3667:11
    #19 0x7fcdf3094775 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3059:5
    #20 0x7fcdf3085fbd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2601:7
    #21 0x7fcdf3079b14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1341:3
    #22 0x7fcdf30eca12 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:894:14
    #23 0x7fcdf30ea8c7 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:730:5
    #24 0x7fcdf30eca12 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:894:14
    #25 0x7fcdf323f6d9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:562:3
    #26 0x7fcdf3240eb0 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:675:3
    #27 0x7fcdf3248ed4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1077:3
    #28 0x7fcdf3060173 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:933:14
    #29 0x7fcdf305ed38 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:307:7
    #30 0x7fcdf2d95d92 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9285:11
    #31 0x7fcdf2db6b40 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9455:24
    #32 0x7fcdf2db3c22 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4233:11
    #33 0x7fcdf2d1a23a in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
    #34 0x7fcdf2d1a23a in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1979
    #35 0x7fcdf2d2f689 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:349:13
    #36 0x7fcdf2d2f689 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326
    #37 0x7fcdf2d2ef10 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:5
    #38 0x7fcdf2d3335f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:789:5
    #39 0x7fcdf2d3335f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:709
    #40 0x7fcdf2d2c620 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:509:20
    #41 0x7fcde7c36b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
    #42 0x7fcde7c3e8f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #43 0x7fcde9047b7f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #44 0x7fcde8f1eace in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #45 0x7fcde8f1eace in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #46 0x7fcde8f1eace in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #47 0x7fcdf2630563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #48 0x7fcdf692eb40 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #49 0x7fcdf6c6e7fa in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4639:22
    #50 0x7fcdf6c71064 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4778:8
    #51 0x7fcdf6c72a59 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4859:21
    #52 0x5621af739b14 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:213:22
    #53 0x5621af739b14 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:295
    #54 0x7fce0c947b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?

The priority flag is not set for this bug.
:mats, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mats)

This is basically the same underlying issue as bug 1560397 so I'll fix it there.

Assignee: nobody → mats
Status: NEW → ASSIGNED
Depends on: 1560397
Flags: needinfo?(mats)
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: