Closed
Bug 1608851
Opened 4 years ago
Closed 4 years ago
Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:490
Categories
(Core :: Layout: Grid, defect, P2)
Core
Layout: Grid
Tracking
()
RESOLVED
FIXED
mozilla75
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | wontfix |
| firefox75 | --- | fixed |
People
(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 7295ca89e880.
Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:490
rax = 0x0000555e55dac320 rdx = 0x0000000000000000
rcx = 0x00007fded9086d02 rbx = 0x00007fdeb04b10e0
rsi = 0x00007fdee4a518b0 rdi = 0x00007fdee4a50680
rbp = 0x00007ffcebf070d0 rsp = 0x00007ffcebf070d0
r8 = 0x00007fdee4a518b0 r9 = 0x00007fdee5bb8780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000000 r13 = 0x00007ffcebf07cb0
r14 = 0x00007ffcebf07cb0 r15 = 0x0000000000000001
rip = 0x00007fded55b85e4
OS|Linux|0.0.0 Linux 5.0.0-36-generic #39~18.04.1-Ubuntu SMP Tue Nov 12 11:09:50 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::LineRange::Extent() const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|490|0x34
0|1|libxul.so|nsGridContainerFrame::Grid::PlaceAutoAutoInRowOrder(unsigned int, unsigned int, nsGridContainerFrame::GridArea*, unsigned int, unsigned int) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4028|0xe
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4380|0x14
0|3|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4133|0x12
0|4|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4446|0x5
0|5|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4133|0x12
0|6|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4446|0x5
0|7|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|7379|0x5
0|8|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|908|0x1d
0|9|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|753|0x1d
0|10|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|908|0x1d
0|11|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|650|0x5
0|12|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|764|0x2f
0|13|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|1143|0x8
0|14|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|948|0x19
0|15|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|299|0x2b
0|16|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|9185|0x21
0|17|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|9358|0x11
0|18|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4117|0x15
0|19|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|2050|0x5
0|20|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|351|0xb
0|21|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|367|0x12
0|22|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|740|0xf
0|23|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|538|0x1b
0|24|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|1248|0x15
0|25|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|486|0x11
0|26|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|87|0xa
0|27|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7295ca89e880c1c930643e72ff0600cb71cebb9e|315|0x19
0|28|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7295ca89e880c1c930643e72ff0600cb71cebb9e|290|0x8
0|29|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|137|0xd
0|30|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|272|0x10
0|31|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4594|0x16
0|32|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4731|0x8
0|33|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|4812|0x5
0|34|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|217|0x26
0|35|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|339|0xf
0|36|libc-2.27.so||||0x21b97
0|37|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|82|0x12
0|38|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|150|0x4b
0|39|||||0x7ffcebf0c560
0|40|ld-2.27.so||||0x10733
0|41|libdl-2.27.so||||0x202d80
0|42|libpthread-2.27.so||||0x219bb0
0|43|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7295ca89e880c1c930643e72ff0600cb71cebb9e|150|0x4b
0|44|||||0x7ffcebf0c560
0|45|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
Mats, can you take a look? FWIW, the testcase here immediately crashed my tab in a normal (non-debug) build.
Flags: needinfo?(mats)
Priority: -- → P2
|
||
Comment 2•4 years ago
|
||
Crash report from Nightly when loading this testcase: bp-0935ead1-a528-4d79-931f-98f070200212
(Fortunately, just a null deref.)
|
||
Comment 3•4 years ago
|
||
I came across this crash while triaging Nightly crashes. It isn't a null deref, per se. We're actually hitting a runtime bounds check, which matches up with the assertion in comment 0.
The actual crash reason is: ElementAt(aIndex = 4294967295, aLength = 0)
Bug 1554279 was filed last year for the same signature, but got closed as incomplete.
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
See Also: → 1554279
|
|
||
Comment 4•4 years ago
|
||
(To be clear, I came across it in Nightly crash triage because of dholbert running the test case, not because it was happening otherwise.)
|
Assignee | |
Comment 5•4 years ago
|
||
I think it's the same underlying issue as bug 1606516 but the fix is incomplete. I'll take a look...
Assignee: nobody → mats
Flags: needinfo?(mats)
OS: Unspecified → All
Hardware: Unspecified → All
|
|
Assignee | |
Comment 6•4 years ago
|
||
|
|
Assignee | |
Comment 7•4 years ago
|
||
|
||
Updated•4 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToPositionAndLength]
|
|
||
Comment 9•4 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
||
Comment 10•4 years ago
|
||
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/48672c042378 Only an actual <track-list> guarantees a track (not an ignored 'subgrid' value). r=dholbert
|
||
Comment 11•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox75:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
|
||
Updated•4 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToPositionAndLength] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToPositionAndLength]
|
||
Updated•4 years ago
|
status-firefox73:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressed by: 1606516
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•