Closed
Bug 1626970
Opened 4 years ago
Closed 4 years ago
Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:36
Categories
(Core :: Layout: Scrolling and Overflow, defect, P3)
Core
Layout: Scrolling and Overflow
Tracking
()
VERIFIED
FIXED
mozilla77
People
(Reporter: jkratzer, Assigned: TYLin)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 95ddb3213aec (built with --enable-debug).
Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:36
rax = 0x000055e80675f380 rdx = 0x0000000000000000
rcx = 0x00007f5ea71b3eb9 rbx = 0x00007ffe6ea0aca8
rsi = 0x00007f5eb3c338b0 rdi = 0x00007f5eb3c32680
rbp = 0x00007ffe6ea0ac60 rsp = 0x00007ffe6ea0ac60
r8 = 0x00007f5eb3c338b0 r9 = 0x00007f5eb4d99780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffe6ea0aca4 r13 = 0x00007ffe6ea0aea0
r14 = 0x0000000000000000 r15 = 0x000000000000003c
rip = 0x00007f5ea20f3016
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|int const& mozilla::clamped<int>(int const&, int const&, int const&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsAlgorithm.h:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|35|0x16
0|1|libxul.so|ClampAndAlignWithPixels|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|2597|0x5
0|2|libxul.so|mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, nsAtom*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|2787|0x34
0|3|libxul.so|mozilla::ScrollFrameHelper::CompleteAsyncScroll(nsRect const&, nsAtom*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|2200|0x15
0|4|libxul.so|mozilla::ScrollFrameHelper::ScrollToWithOrigin(nsPoint, mozilla::ScrollMode, nsAtom*, nsRect const*, nsIScrollbarMediator::ScrollSnapMode)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|2326|0xe
0|5|libxul.so|mozilla::ScrollFrameHelper::ScrollBy(mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>, mozilla::ScrollUnit, mozilla::ScrollMode, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*, nsAtom*, nsIScrollableFrame::ScrollMomentum, nsIScrollbarMediator::ScrollSnapMode)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|4338|0x1e
0|6|libxul.so|nsGlobalWindowInner::ScrollByLines(int, mozilla::dom::ScrollOptions const&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|3661|0x4
0|7|libxul.so|mozilla::dom::Window_Binding::scrollByLines|s3:gecko-generated-sources:c0f33c2c2512258fab2ea31492b3754cec568dfe67a4e99d78af3447b21c9d1c07c8450f06e7857267fb18a8b6c9a7ae67f10127527f88579dcd967d8d92e623/dom/bindings/WindowBinding.cpp:|5590|0xf
0|8|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|3205|0x21
0|9|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|489|0x19
0|10|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|581|0x12
0|11|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|644|0x10
0|12|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|648|0x18
0|13|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|422|0x152
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|616|0xf
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|644|0x10
0|16|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|661|0x8
0|17|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|2798|0x1f
0|18|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:193e9a85814bae146326c2a291da1e87fa580c482e06e710f97daa3a025bad456a6c4102317b56373145ae30081dfb4e18c0a2449f7be19134cdc5c142912259/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|19|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|20|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1271|0x1c
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|326|0x6b
0|22|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|558|0x12
0|23|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1055|0x1a
0|24|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1160|0x16
0|25|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1302|0x5
0|26|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|4052|0x2a
0|27|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|4022|0x21
0|28|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|7265|0x5
0|29|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1220|0x5
0|30|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|282|0x14
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|1220|0xe
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|481|0x11
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|87|0xa
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|315|0x19
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|290|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|909|0x6
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|315|0x19
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|290|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|740|0xc
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|56|0x14
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|303|0x13
0|44|libc.so.6||||0x21b97
0|45|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|82|0x12
0|46|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|150|0x4b
0|47|||||0x7ffe6ea0d510
0|48|ld-linux-x86-64.so.2||||0x10733
0|49|libdl.so.2||||0x202d80
0|50|libpthread.so.0||||0x219bb0
0|51|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:95ddb3213aecaf87c0a4f2d3559bd17e0194148c|150|0x4b
0|52|||||0x7ffe6ea0d510
0|53|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200402095145-95ddb3213aec.
Failed to bisect testcase (Start build crashes!):
> Start: 95ddb3213aecaf87c0a4f2d3559bd17e0194148c (20200402095145)
> End: 95ddb3213aecaf87c0a4f2d3559bd17e0194148c (20200402095145)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)|
|
Reporter | |
Comment 2•4 years ago
|
||
Looks like I recently broke Bugmon. Removing the bisected and confirmed flags so that it can be re-run.
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm]
|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200402095145-95ddb3213aec.
Failed to bisect testcase (Start build crashes!):
> Start: 82ba38c4aa6acc7b322bcb56c417c0f64d5d3660 (20190404014638)
> End: 95ddb3213aecaf87c0a4f2d3559bd17e0194148c (20200402095145)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
Assignee | |
Comment 4•4 years ago
|
||
The testcase uses a large number of lines window.scrollByLines(536870912, {}) which can overflow this scroll position.
Priority: -- → P3
|
|
Assignee | |
Comment 5•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0f37ad2fc083 Use saturating operators to avoid scrolling position overflow. r=botond
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox77:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
|
||
Updated•4 years ago
|
status-firefox75:
--- → wontfix
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 8•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•