Closed
Bug 1606516
Opened 4 years ago
Closed 4 years ago
Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) in [@ CopyUsedTrackSizes]
Categories
(Core :: Layout: Grid, defect, P2)
Core
Layout: Grid
Tracking
()
RESOLVED
FIXED
mozilla74
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | wontfix |
| firefox73 | --- | wontfix |
| firefox74 | --- | fixed |
People
(Reporter: tsmith, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(4 keywords)
Crash Data
Attachments
(3 files, 1 obsolete file)
Reduced with m-c:
BuildID=20191231094349
SourceStamp=66a1c07a8f48c5129aa3867813bacb6e7ef22d8c
Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) at src/xpcom/ds/nsTArray.cpp:29
#0 MOZ_Crash(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:332:3
#1 InvalidArrayIndex_CRASH(unsigned long, unsigned long) src/xpcom/ds/nsTArray.cpp:27:3
#2 nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) src/obj-firefox/dist/include/nsTArray.h:1067:7
#3 CopyUsedTrackSizes(nsTArray<nsGridContainerFrame::TrackSize>&, nsGridContainerFrame const*, nsGridContainerFrame::UsedTrackSizes const*, nsGridContainerFrame const*, nsGridContainerFrame::Subgrid const*, mozilla::LogicalAxis) src/layout/generic/nsGridContainerFrame.cpp:3244:5
#4 nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) src/layout/generic/nsGridContainerFrame.cpp:3352:7
#5 nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7386:21
#6 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:760:14
#7 nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#8 nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7114:37
#9 nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7453:11
#10 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:760:14
#11 nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#12 nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7114:37
#13 nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7453:11
#14 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:908:14
#15 nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:753:5
#16 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:908:14
#17 nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:650:3
#18 nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:764:3
#19 nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1143:3
#20 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:948:14
#21 mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:299:7
#22 mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9159:11
#23 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9332:24
#24 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4114:11
#25 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2050:20
#26 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:351:7
#27 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:368:5
#28 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:740:16
#29 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:635:9
#30 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#31 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#32 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
#33 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2212:25
#34 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2134:9
#35 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1973:3
#36 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2004:13
#37 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1241:14
#38 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#39 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#40 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#41 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#42 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#43 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:946:20
#44 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#45 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#46 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#47 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:781:34
#48 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#49 main src/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Axof7UJnVYVISRrV30AguQ/index.html
|
||
Updated•4 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes ]
|
||
Comment 2•4 years ago
|
||
Emily, since you've been looking at some grid-related things lately, would you like to take a look at this fuzzer bug?
Flags: needinfo?(emcdonough)
Priority: -- → P2
|
||
Comment 4•4 years ago
|
||
The huge repeat's are kind of a red herring, you can change the grid attribtute to something like grid: subgrid [a] / 1fr; and it will still crash. The position and a display of either grid or inline-grid are still needed to reproduce.
|
|
||
Comment 5•4 years ago
|
||
Posting a reduced testcase.
|
|
||
Comment 6•4 years ago
|
||
|
||
Updated•4 years ago
|
Attachment #9121191 -
Attachment is obsolete: true
|
||
Comment 8•4 years ago
|
||
Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fbbf969a151c4f0194114822f8f39285e61c8014&tochange=81136d6972e80a961b2d4f0c4eb0d36e7d9e179f
Setting layout.css.grid-template-subgrid-value.enabled to false fixes the crash
status-firefox72:
--- → affected
status-firefox74:
--- → affected
status-firefox-esr68:
--- → unaffected
|
||
Comment 9•4 years ago
|
||
@Mats, according to the pushlog it appears that one of your patches might have influenced this.
Mind taking a look and confirming if this is the case?
Thanks!
Flags: needinfo?(mats)
Keywords: regressionwindow-wanted → regression
|
Assignee | |
Comment 10•4 years ago
|
||
Thanks Alice! So, it goes back all the way to the original subgrid code then. After debugging this for a bit that makes sense to me.
Assignee: nobody → mats
Flags: needinfo?(mats)
|
|
Assignee | |
Comment 11•4 years ago
|
||
So, the problem boils down to an abs.pos. subgrid inside a parent grid that has no (in-flow) grid items, nor any grid-template-*styles that would create a track in the subgridded axis. There are a few invariants that are relevant here:
- an abs.pos. "item" does not affect its grid container in any way, in particular it doesn't trigger any implicit tracks to accommodate its span
- a subgrid axis never creates any tracks of its own, it simply "inherits" its grid container's tracks
- an (in-flow) grid item must be placed inside the implicit grid, i.e. there must be enough tracks for it in both axes
So, given 1 and 2, the subgrid has zero tracks in its subgridded axis. Now, placing an item inside that subgrid is going to violate 3.
I think the solution here is to refuse to subgrid a parent axis with zero tracks. Something like so:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ca36a9e07fe0095f939e116df53ae1a390b254a9
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 12•4 years ago
|
||
Depends on D60565
|
||
Comment 13•4 years ago
|
||
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b6259affc71f Inhibit subgridding a parent axis that has no tracks. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/21425 for changes under testing/web-platform/tests
Can't merge web-platform-tests PR due to failing upstream checks: Github PR https://github.com/web-platform-tests/wpt/pull/21425 * Community-TC (pull_request) (https://community-tc.services.mozilla.com/tasks/groups/Dmc883UrS36XiwMyZsd7iw)
Flags: needinfo?(mats)
|
||
Comment 16•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
|
|
||
Updated•4 years ago
|
Upstream PR was closed without merging
Upstream PR merged by moz-wptsync-bot
|
|
||
Updated•4 years ago
|
QA Whiteboard: [qa-74b-p2]
|
||
Updated•2 years ago
|
Flags: needinfo?(MatsPalmgren_bugz)
You need to log in
before you can comment on or make changes to this bug.
Description
•