Assertion failure: aSize >= 0, at src/layout/base/nsLayoutUtils.cpp:2332
Categories
(Core :: SVG, defect, P3)
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
170 bytes,
text/html
|
Details |
Reduced with m-c:
BuildID=20190710154620
SourceStamp=241af4dbb96483e0b9371681d2f19e4f28e5d6ed
Assertion failure: aSize >= 0, at src/layout/base/nsLayoutUtils.cpp:2332
#0 ConstrainToCoordValues(float&, float&) src/layout/base/nsLayoutUtils.cpp:2332:3
#1 nsLayoutUtils::RoundGfxRectToAppRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, float) src/layout/base/nsLayoutUtils.cpp:2403:3
#2 nsSVGImageFrame::ReflowSVG() src/layout/svg/nsSVGImageFrame.cpp:453:13
#3 nsSVGDisplayContainerFrame::ReflowSVG() src/layout/svg/nsSVGContainerFrame.cpp:317:17
#4 nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/svg/nsSVGOuterSVGFrame.cpp:453:14
#5 mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9302:11
#6 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9472:24
#7 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4238:11
#8 mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType) src/layout/base/PresShell.cpp:4016:3
#9 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1008:16
#10 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6676:20
#11 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6476:7
#12 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#13 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1333:3
#14 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:892:14
#15 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
#16 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
#17 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#18 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#19 mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:10703:18
#20 mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10635:9
#21 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7130:3
#22 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
#23 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#24 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#25 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#26 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#27 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#28 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#29 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#30 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#31 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#32 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#33 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#34 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#35 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#36 main src/browser/app/nsBrowserApp.cpp:267:18
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:heycam, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Comment 2•5 years ago
•
|
||
Took a quick look in gdb while doing triage. The code in question is:
static void ConstrainToCoordValues(float& aStart, float& aSize) {
MOZ_ASSERT(aSize >= 0);
...and we have aStart = inf and aSize = -nan(0x400000). And NaN fails all comparisons, so it fails the >=0 comparison here.
How do we get inf and NaN? Well, up one level, in RoundGfxRectToAppRect, we have a passed-in aRect with these components:
{
x = 3.40282347e+38,
y = 0,
width = 6,
height = 6
}
And we scale up that rect using a call to ScaleRoundOut(), which basically sets x = x*60 and then sets width = XMost()*60 - x. Our x value is large enough that the 60x multiplication bumps it up to be infinity, and so XMost() is also infinity, so we end up with x = inf and width = (inf - inf) = NaN, and then those are the values we pass into this nsLayoutUtils API.
More than likely, nothing terrible happens as a result. But we should probably be clamping and/or checking for NaN here somewhere. Probably nsLayoutUtils::RoundGfxRectToAppRect() should be prepared for having huge & possibly NaN/inf values in its rect variables (either from being passed-in or from creating them locally via the 60x scaling), and it should simply clamp those to something sensible like (0,0,0,0) perhaps.
|
|
||
Updated•5 years ago
|
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
|
||
Updated•2 years ago
|
Description
•