Closed
Bug 1590569
Opened 5 years ago
Closed 5 years ago
Assertion failure: [GFX1]: invalid offset 6 for gfxSkipChars length 2, at src/gfx/2d/Logging.h:740
Categories
(Core :: Layout: Columns, defect, P2)
Core
Layout: Columns
Tracking
()
RESOLVED
FIXED
mozilla72
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | disabled |
| firefox71 | --- | disabled |
| firefox72 | --- | fixed |
People
(Reporter: tsmith, Assigned: TYLin)
References
(Blocks 1 open bug)
Details
(4 keywords)
Attachments
(2 files)
Reduced with m-c:
BuildID=20191022155300
SourceStamp=a8089b1fa5c4f678f64ae07102ee3863a63d8c31
Assertion failure: [GFX1]: invalid offset 6 for gfxSkipChars length 2, at src/gfx/2d/Logging.h:740
#0 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::string const&) src/gfx/2d/Logging.h:741:9
#1 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() src/gfx/2d/Logging.h:279:7
#2 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::~Log() src/gfx/2d/Logging.h:272:12
#3 gfxSkipCharsIterator::SetOriginalOffset(int) src/gfx/thebes/gfxSkipChars.cpp:22:5
#4 gfxSkipCharsIterator::ConvertOriginalToSkipped(int) src/obj-firefox/dist/include/gfxSkipChars.h:192:5
#5 nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9196:3
#6 nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:881:40
#7 nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:674:15
#8 nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:548:7
#9 nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:363:3
#10 nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:878:13
#11 nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4325:15
#12 nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4127:5
#13 nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4012:9
#14 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2997:5
#15 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#16 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#17 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
#18 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3643:11
#19 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#20 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#21 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#22 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
#23 nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:795:7
#24 nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/layout/generic/nsColumnSetFrame.cpp:464:10
#25 nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1352:37
#26 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:291:11
#27 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3643:11
#28 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
#29 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
#30 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
#31 mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9236:11
#32 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9406:24
#33 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4172:11
#34 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2014:20
#35 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
#36 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
#37 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:727:16
#38 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:622:9
#39 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#40 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#41 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
#42 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2208:25
#43 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2130:9
#44 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1972:3
#45 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2003:13
#46 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#47 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#48 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#49 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#50 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#51 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#52 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#53 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#54 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#55 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#56 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#57 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#58 main src/browser/app/nsBrowserApp.cpp:272:18
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Interesting that we're ending up in nsColumnSetFrame at all here. The testcase has columns: 0;, but according to https://developer.mozilla.org/en-US/docs/Web/CSS/column-count the property expects a strictly positive value, so zero should be rejected as invalid.
We seem to be incorrectly trying to use the invalid column-count value here; how's that getting through CSS parsing and computation?
Flags: needinfo?(emilio)
Priority: -- → P2
|
||
Comment 2•5 years ago
|
||
columns: 0 is tricky, it's not parsing column-count but column-width (because zero is a valid unitless length).
So the test-case is using column-width: 0px; column-count: auto;. I thinks that is working as expected from the style system's POV.
Flags: needinfo?(emilio)
|
|
||
Comment 3•5 years ago
|
||
Ah, that's why it didn't make sense to me - I was mentally mis-parsing it. Thanks for clarifying!
|
|
||
Comment 4•5 years ago
|
||
It's interesting that the behavior here seems to vary depending whether layout.css.column-span.enabled is true or false, given that there's no column-span in the testcase. It crashes (in a debug build) whether the pref is on or off, though, so perhaps it's not really relevant.
Ting-Yu, would you have time to try and look into this?
Flags: needinfo?(aethanyc)
|
||
Updated•5 years ago
|
Keywords: sec-moderate
|
Reporter | |
Comment 5•5 years ago
|
||
Please let me know if a Pernosco session would be helpful and I will create one.
|
Assignee | |
Comment 6•5 years ago
|
||
Sure. I can take a look. (Keeping the NI as a reminder.)
FWIW, a column container having limited space such as column-width: 0 or height: 0 combined with some word breaking properties like `word-break:break-all" can often lead to unexpected fragmented frame tree during column balancing ...
|
|
Assignee | |
Comment 7•5 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #5)
Please let me know if a Pernosco session would be helpful and I will create one.
Tyson, thanks for the help. I can reproduce this locally, so I'll use rr to figure this out.
|
|
Assignee | |
Comment 8•5 years ago
|
||
mozregression discovers that this is fixed by bug 1596310. I'll upload a patch to add the testcase as a crashtest.
|
|
Assignee | |
Comment 9•5 years ago
|
||
This is fixed by bug 1596310.
|
||
Comment 10•5 years ago
|
||
Test case:
https://hg.mozilla.org/integration/autoland/rev/f6a28fa31323efceabd00a39c689d92c81667378
https://hg.mozilla.org/mozilla-central/rev/f6a28fa31323
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox76:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
||
Updated•5 years ago
|
status-firefox76:
fixed → ---
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
Target Milestone: mozilla76 → mozilla72
|
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•