Closed Bug 1624356 Opened 5 years ago Closed 4 years ago

Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) at /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:29

Categories

(Core :: Layout: Grid, defect, P3)

defect

Tracking

RESOLVED DUPLICATE of bug 1680184
Tracking Status
firefox76 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f131f58b413f (built with --enable-debug).

Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) at /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:29

OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|InvalidArrayIndex_CRASH(unsigned long, unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|27|0x28
0|1|libxul.so|nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::ElementAt(unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray.h:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1196|0x5
0|2|libxul.so|CopyUsedTrackSizes|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|3334|0xa
0|3|libxul.so|nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|3439|0x23
0|4|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7447|0xd
0|5|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|6|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|653|0x5
0|7|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|767|0x2f
0|8|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1154|0xf
0|9|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|760|0x10
0|10|libxul.so|nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|212|0x2e
0|11|libxul.so|nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7175|0x30
0|12|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7514|0x1c
0|13|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|14|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|653|0x5
0|15|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|767|0x2f
0|16|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1154|0xf
0|17|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|760|0x10
0|18|libxul.so|nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|212|0x2e
0|19|libxul.so|nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7175|0x30
0|20|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7514|0x1c
0|21|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|22|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|653|0x5
0|23|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|767|0x2f
0|24|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1154|0xf
0|25|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|760|0x10
0|26|libxul.so|nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|212|0x2e
0|27|libxul.so|nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7175|0x30
0|28|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7514|0x1c
0|29|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|30|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|653|0x5
0|31|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|767|0x2f
0|32|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1154|0xf
0|33|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|760|0x10
0|34|libxul.so|nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|212|0x2e
0|35|libxul.so|nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7175|0x30
0|36|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|7514|0x1c
0|37|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|38|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|750|0x1d
0|39|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|906|0x1d
0|40|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|653|0x5
0|41|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|767|0x2f
0|42|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|1154|0xf
0|43|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|946|0x19
0|44|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|299|0x2b
0|45|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|9316|0x21
0|46|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|9489|0x11
0|47|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:f131f58b413ffb3172afe5f3b50dd66bcf6a3d9e|4160|0x15
Flags: in-testsuite?
Crash Signature: [@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes ]
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200323162134-b3fb938012ba. The bug appears to have been introduced in the following build range:
> Start: a5f7f53421ebce84b0dd4cb3535b49906fdf78ef (20190522152501)
> End: aaae630f30291056f4f40bbd9e12a917309e401e (20190522152821)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a5f7f53421ebce84b0dd4cb3535b49906fdf78ef&tochange=aaae630f30291056f4f40bbd9e12a917309e401e
Attached file reduced_testcase

Attaching a reduced testcase. It seems this crash needs a grid with a subgrid child which itself has a subgrid child and a sibling (doesn't need to be subgrid), where both the subgrid child and grandchild are absolutely positioned. The crash only occurs on reflow.

Attachment #9136994 - Attachment description: crash_1624356.html → reduced_testcase
Bugmon Analysis:

The priority flag is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

I believe this bug is on Emily's radar.

Re comment 2:

Per grid spec, absolutely-positioned children are not grid items. Maybe this is something that causes the array length miscalculation.

Flags: needinfo?(aethanyc)
Priority: -- → P3

Yes, I am currently investigating this bug.

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog), indicating it has been triaged, the bug's Severity is being updated to S3 (normal).

Severity: normal → S3
See Also: → 1641587
See Also: → 1680184

Emily, any update here?

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Bugmon Analysis:
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon