Open
Bug 1588954
Opened 5 years ago
Updated 2 years ago
Assertion failure: aContainingBlockISize >= 0 (inline-size less than zero), at src/layout/generic/nsFrame.cpp:6581
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
Reduced with m-c:
BuildID=20191015213743
SourceStamp=e3dc5cfd4d368d281ff8938f5a232f0bf92fe6b6
Assertion failure: aContainingBlockISize >= 0 (inline-size less than zero), at src/layout/generic/nsFrame.cpp:6581
#0 nsIFrame::ComputeISizeValue(gfxContext*, int, int, int, mozilla::StyleLengthPercentage const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:6575:3
#1 int nsIFrame::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentage> >(gfxContext*, int, int, int, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentage> const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsIFrame.h:4185:14
#2 nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:5922:16
#3 mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) src/layout/generic/ReflowInput.cpp:2477:34
#4 mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) src/layout/generic/ReflowInput.cpp:355:3
#5 mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) src/layout/generic/ReflowInput.cpp:229:5
#6 void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize, mozilla::Maybe<mozilla::LogicalSize>&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&&, mozilla::Maybe<mozilla::LogicalSize>&) src/obj-firefox/dist/include/mozilla/Maybe.h:526:32
#7 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3599:22
#8 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#9 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#10 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#11 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
#12 nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:795:7
#13 nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/layout/generic/nsColumnSetFrame.cpp:452:37
#14 nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1285:7
#15 nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1359:5
#16 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
#17 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3643:11
#18 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#19 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#20 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#21 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
#22 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3643:11
#23 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#24 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#25 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#26 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
#27 nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:795:7
#28 nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/layout/generic/nsColumnSetFrame.cpp:452:37
#29 nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1352:37
#30 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
#31 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3643:11
#32 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#33 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#34 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#35 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
#36 nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:726:5
#37 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
#38 nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:644:3
#39 nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:758:3
#40 nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1160:3
#41 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:950:14
#42 mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:299:7
#43 mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9236:11
#44 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9406:24
#45 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4172:11
#46 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2014:20
#47 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
#48 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
#49 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:727:16
#50 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:622:9
#51 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#52 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#53 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
#54 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2187:25
#55 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2111:9
#56 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
#57 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13
#58 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#59 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#60 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#61 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#62 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#63 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#64 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#65 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#66 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#67 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#68 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#69 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#70 main src/browser/app/nsBrowserApp.cpp:272:18
Flags: in-testsuite?
|
||
Updated•5 years ago
|
Priority: -- → P3
|
||
Comment 1•5 years ago
•
|
||
The analysis is similar to bug 1586470 comment 3. Fixing bug 1168921 is not enough. BlockReflowInput::ComputeBlockAvailSpace can still return availSpace with a negative BSize().
|
Reporter | |
Comment 2•4 years ago
|
||
Would a Pernosco session be helpful for this issue?
|
|
||
Comment 3•4 years ago
|
||
I can still reproduce this issue, and capture with rr locally.
Flags: needinfo?(aethanyc)
|
|
Reporter | |
Comment 4•4 years ago
|
||
The fuzzers have been tripping over this for a while and it is triggered frequently. Marking as fuzzblocker[1].
A Pernosco session is available here: https://pernos.co/debug/Ms_HwPszFZV3SHi9ynOExQ/index.html
[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers
status-firefox78:
--- → wontfix
status-firefox79:
--- → affected
status-firefox80:
--- → affected
Whiteboard: [fuzzblocker]
|
|
||
Comment 5•4 years ago
|
||
I wrote a testcase that's easier to understand.
The issue happens when we create ReflowInput for the second child <main> under -moz-column-content. In this case, after placing the first child <span>a</span>, the available block-size is negative.
We use ColumnSetWrapper's computed block-size as the container's block-size, which is unconstrained here [1]. Also, <main> is orthogonal to the column container, so in <main>'s writing-mode, the container's inline-size is unconstrained. We then set it in [2] to the negative available inline-size (which is the negative available block-size in parent's writing-mode descried above). Hence the assertion.
[1] https://searchfox.org/mozilla-central/rev/227f22acef5c4865503bde9f835452bf38332c8e/layout/generic/nsBlockFrame.cpp#3669-3670
[2] https://searchfox.org/mozilla-central/rev/227f22acef5c4865503bde9f835452bf38332c8e/layout/generic/ReflowInput.cpp#2418-2422
|
|
||
Comment 6•4 years ago
|
||
nsIFrame::ComputeISizeValue clamps the result to non-negative before
returning it, so the assertion doesn't need to be a hard assertion.
|
||
Updated•4 years ago
|
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
|
|
||
Comment 7•4 years ago
|
||
|
|
||
Updated•4 years ago
|
Keywords: leave-open
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/8ec86ac40c7a Downgrade an assertion checking inline-size less than zero to a soft assertion. r=dholbert
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
|
||
Comment 10•3 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:TYLin, maybe it's time to close this bug?
Flags: needinfo?(aethanyc)
|
|
||
Comment 11•3 years ago
|
||
The patch landed in comment 9 just dowgraded the assertion, so we still have a bug to fix.
|
||
Updated•2 years ago
|
Whiteboard: [fuzzblocker]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•