Closed Bug 1633434 Opened 4 years ago Closed 4 years ago

Assertion failure: *this, at /builds/worker/workspace/obj-build/dist/include/mozilla/AspectRatio.h:32

Categories

(Core :: Layout, defect)

Tracking

VERIFIED FIXED
mozilla77
Tracking Status
firefox-esr68 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev c9955025d4a5.

Assertion failure: *this, at /builds/worker/workspace/obj-build/dist/include/mozilla/AspectRatio.h:32

==8490==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f3a0efb739b bp 0x7ffffd250370 sp 0x7ffffd24ffc0 T0)
==8490==The signal is caused by a WRITE memory access.
==8490==Hint: address points to the zero page.
    #0 0x7f3a0efb739a in ApplyTo /builds/worker/workspace/obj-build/dist/include/mozilla/AspectRatio.h:32:5
    #1 0x7f3a0efb739a in nsFrame::ComputeSizeWithIntrinsicDimensions(gfxContext*, mozilla::WritingMode, mozilla::IntrinsicSize const&, mozilla::AspectRatio const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6663:47
    #2 0x7f3a0f2e79c6 in nsSVGOuterSVGFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/checkouts/gecko/layout/svg/nsSVGOuterSVGFrame.cpp:359:10
    #3 0x7f3a0ee85a21 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2377:34
    #4 0x7f3a0ee7ea1a in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:354:3
    #5 0x7f3a0f0ed59f in void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&) /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:778:39
    #6 0x7f3a0f0ea7ae in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:819:23
    #7 0x7f3a0eeecdcb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4467:15
    #8 0x7f3a0eeeb8b4 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4269:5
    #9 0x7f3a0eee3dcb in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4154:9
    #10 0x7f3a0eedc673 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3135:5
    #11 0x7f3a0eed37b3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2671:7
    #12 0x7f3a0eecc4f1 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1383:3
    #13 0x7f3a0ef18384 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:927:14
    #14 0x7f3a0ef1716d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:750:5
    #15 0x7f3a0ef18384 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:927:14
    #16 0x7f3a0efff881 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:654:3
    #17 0x7f3a0f0010b5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:768:3
    #18 0x7f3a0f005008 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1155:3
    #19 0x7f3a0eebce81 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:967:14
    #20 0x7f3a0eebc4eb in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:298:7
    #21 0x7f3a0ece4c39 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9356:11
    #22 0x7f3a0ecf7567 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9529:24
    #23 0x7f3a0ecf5fdd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4221:11
    #24 0x7f3a0edae442 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1434:5
    #25 0x7f3a0edae442 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1007:16
    #26 0x7f3a11911dbb in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5918:20
    #27 0x7f3a11910f65 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5661:7
    #28 0x7f3a1191699f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #29 0x7f3a08d7a300 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1345:3
    #30 0x7f3a08d792cc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:905:14
    #31 0x7f3a08d755a0 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:725:9
    #32 0x7f3a08d77dd3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:613:5
    #33 0x7f3a08d78e5c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #34 0x7f3a0662b187 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:610:22
    #35 0x7f3a0662e397 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:517:10
    #36 0x7f3a0a2dbfaf in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10723:18
    #37 0x7f3a0a2922e6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10655:9
    #38 0x7f3a0a2b749f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7322:3
    #39 0x7f3a0a386594 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #40 0x7f3a0a386594 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1174:12
    #41 0x7f3a0a386594 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1220:13
    #42 0x7f3a0635895d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #43 0x7f3a063914f6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #44 0x7f3a0639bc5c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #45 0x7f3a076a60ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #46 0x7f3a07593127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #47 0x7f3a07593127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #48 0x7f3a07593127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #49 0x7f3a0e7e96c8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #50 0x7f3a12376b26 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
    #51 0x7f3a07593127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #52 0x7f3a07593127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #53 0x7f3a07593127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #54 0x7f3a123761da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
    #55 0x5585ddc92bd3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #56 0x5585ddc92bd3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #57 0x7f3a2961cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/AspectRatio.h:32:5 in ApplyTo
Flags: in-testsuite?
Crash Signature: [@ mozilla::AspectRatio::ApplyTo ]
Keywords: crash
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
The bug appears to have been introduced in the following build range:
> Start: 083106d8fc7407c880a3a044c83d4e15e5961063 (20190503041749)
> End: 03166449953fbcaaf6c66d2c3b358319781a0e52 (20190503125914)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=083106d8fc7407c880a3a044c83d4e15e5961063&tochange=03166449953fbcaaf6c66d2c3b358319781a0e52

(In reply to Jason Kratzer [:jkratzer] from comment #1)

> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=083106d8fc7407c880a3a044c83d4e15e5961063&tochange=03166449953fbcaaf6c66d2c3b358319781a0e52

Woah, that auto-bisect was so cool :)

So bug 1547792, which introduced this assertion.

Assignee: nobody → emilio
Regressed by: 1547792
Has Regression Range: --- → yes

That massive number means this is probably just a number precision error.

Flags: needinfo?(emilio)

It seems like a reasonable expectation, but it may not hold with massive
ratios. Make it hold by returning the floating point epsilon in that
case.

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7de5317decf3
Ensure inverting a valid aspect ratio generates a valid aspect ratio. r=dholbert
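
The failure mode and the clamp described in the commit message above, as an added example that is not the Gecko patch or code from this bug. The `Ratio` class, its method names, the "0.0f means no ratio" convention and the sample sizes are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdio>
#include <limits>

// Simplified model of a layout aspect ratio (hypothetical; not Gecko's class).
// Assumption: 0.0f encodes "no ratio", so any non-zero value is valid.
class Ratio {
 public:
  Ratio() : mValue(0.0f) {}
  explicit Ratio(float aValue) : mValue(std::max(aValue, 0.0f)) {}

  // width / height; the quotient overflows to +inf once it exceeds FLT_MAX.
  static Ratio FromSize(float aWidth, float aHeight) {
    return aHeight == 0.0f ? Ratio() : Ratio(aWidth / aHeight);
  }

  explicit operator bool() const { return mValue != 0.0f; }
  float Value() const { return mValue; }

  // Unclamped: 1.0f / +inf is exactly 0.0f, so a valid ratio inverts to
  // "no ratio" and any later assertion on validity fails.
  Ratio InvertedNaive() const {
    return *this ? Ratio(1.0f / mValue) : Ratio();
  }

  // Clamped: never return less than epsilon, so valid stays valid.
  Ratio InvertedClamped() const {
    if (!*this) return Ratio();
    return Ratio(std::max(std::numeric_limits<float>::epsilon(), 1.0f / mValue));
  }

 private:
  float mValue;
};

int main() {
  // Constructed input: a huge width over a tiny height.
  Ratio massive = Ratio::FromSize(3e38f, 1e-5f);
  std::printf("valid=%d naive=%d clamped=%d\n", bool(massive),
              bool(massive.InvertedNaive()), bool(massive.InvertedClamped()));
  return 0;
}
```

With `std::max`, every reciprocal smaller than epsilon is raised to epsilon, not only the one that collapses to zero; ordinary ratios such as 16:9 invert unchanged.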
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Flags: in-testsuite? → in-testsuite+
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.