1611922 - Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4465

Status: RESOLVED DUPLICATE of bug 1608851

(Core :: Layout: Grid, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev c0fa6d007c58.

Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4465

rax = 0x000055605a776340   rdx = 0x0000000000000000
rcx = 0x00007fbd689c2868   rbx = 0x00007fbd3fc1fc48
rsi = 0x00007fbd743778b0   rdi = 0x00007fbd74376680
rbp = 0x00007ffdda8ca890   rsp = 0x00007ffdda8ca660
r8 = 0x00007fbd743778b0    r9 = 0x00007fbd754de780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000001   r13 = 0x00007ffdda8ca8f0
r14 = 0x00007ffdda8cb1e0   r15 = 0x0000000000000001
rip = 0x00007fbd64e78193
OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4240|0x41
0|1|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4204|0x12
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4517|0x5
0|3|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4204|0x12
0|4|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4517|0x5
0|5|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|7400|0x5
0|6|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|908|0x1d
0|7|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|741|0x1d
0|8|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|908|0x1d
0|9|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|650|0x5
0|10|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|764|0x2f
0|11|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1143|0x8
0|12|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|948|0x19
0|13|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|299|0x2b
0|14|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|9240|0x21
0|15|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|9413|0x11
0|16|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4120|0x15
0|17|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2056|0x5
0|18|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|351|0xb
0|19|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|367|0x12
0|20|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|740|0xf
0|21|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|538|0x1b
0|22|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|23|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|24|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|27|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|28|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|272|0x10
0|29|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4624|0x16
0|30|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4761|0x8
0|31|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4842|0x5
0|32|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|217|0x26
0|33|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|339|0xf
0|34|libc-2.27.so||||0x21b97
0|35|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|36|firefox-bin||||0x10e30
0|37|ld-2.27.so||||0x10733
0|38|libdl-2.27.so||||0x202d80
0|39|libpthread-2.27.so||||0x219bb0
0|40|firefox-bin||||0x10e30
0|41|firefox-bin|_start|||0x29

Comment 1

[Sean Voisen (:svoisen)]

@Mats: Maybe related to bug 1611851?

Comment 2

[Daniel Holbert [:dholbert]]

Crash report for the nightly crash: bp-2c17f1d2-23ee-4c8a-92f4-bb5950200212

(RE bug 1608851: both bugs are InvalidArrayIndex_CRASH null-derefs for nsTArray out-of-bounds access, so indeed, perhaps related...)

Comment 3

[Andrew McCreight [:mccr8]]

Adding the crash signature from dholbert's crash report.