Open
Bug 1611923
Opened 4 years ago
Updated 7 months ago
Assertion failure: aEnd == int32_t(kAutoLine) || (aEnd >= kMinLine && aEnd <= kMaxLine) (invalid end line), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:479
Categories
(Core :: Layout: Grid, defect, P3)
Core
Layout: Grid
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox74 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
261 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev c0fa6d007c58.
Assertion failure: aEnd == int32_t(kAutoLine) || (aEnd >= kMinLine && aEnd <= kMaxLine) (invalid end line), at /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:479
rax = 0x0000560e01de4340 rdx = 0x0000000000000000
rcx = 0x00007fdeaa8b3674 rbx = 0x00007ffd49994158
rsi = 0x00007fdeb62de8b0 rdi = 0x00007fdeb62dd680
rbp = 0x00007ffd49993f40 rsp = 0x00007ffd49993f40
r8 = 0x00007fdeb62de8b0 r9 = 0x00007fdeb7445780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007fde817901a8 r13 = 0x00007ffd49994270
r14 = 0x00007ffd49994100 r15 = 0x00007ffd49994b60
rip = 0x00007fdea6d278f2
OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::LineRange::LineRange(int, int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|475|0x37
0|1|libxul.so|nsGridContainerFrame::Grid::ResolveLineRange(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3887|0x9
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceDefinite(nsIFrame*, nsGridContainerFrame::LineNameMap const&, nsGridContainerFrame::LineNameMap const&, nsStylePosition const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3900|0xb
0|3|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4325|0x5
0|4|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4204|0x12
0|5|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4401|0x5
0|6|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|7400|0x5
0|7|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|908|0x1d
0|8|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|741|0x1d
0|9|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|908|0x1d
0|10|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|650|0x5
0|11|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|764|0x2f
0|12|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1143|0x8
0|13|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|948|0x19
0|14|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|299|0x2b
0|15|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|9240|0x21
0|16|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|9413|0x11
0|17|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4120|0x15
0|18|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2056|0x5
0|19|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|351|0xb
0|20|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|367|0x12
0|21|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|740|0xf
0|22|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|538|0x1b
0|23|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|24|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|25|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|26|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|27|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|28|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|29|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|272|0x10
0|30|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4624|0x16
0|31|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4761|0x8
0|32|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4842|0x5
0|33|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|217|0x26
0|34|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|339|0xf
0|35|libc-2.27.so||||0x21b97
0|36|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|37|firefox-bin||||0x10e30
0|38|ld-2.27.so||||0x10733
0|39|libdl-2.27.so||||0x202d80
0|40|libpthread-2.27.so||||0x219bb0
0|41|firefox-bin||||0x10e30
0|42|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
||
Updated•4 years ago
|
Component: Layout → Layout: Grid
Priority: -- → P3
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•