Closed
Bug 1638860
Opened 4 years ago
Closed 3 years ago
Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:412
Categories
(Core :: Layout: Grid, defect)
Core
Layout: Grid
Tracking
()
VERIFIED
FIXED
85 Branch
People
(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
|
632 bytes,
text/html
|
Details | |
|
Bug 1638860 - Inhibit subgridding for abs.pos. subgrids that doesn't span a parent track. r=dholbert
47 bytes,
text/x-phabricator-request
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 8acda9da4ae7 (built with --enable-debug).
Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:412
rax = 0x00007fa2b1cb360a rdx = 0x0000000000000000
rcx = 0x000055f45de69a78 rbx = 0x0000000000000000
rsi = 0x00007fa2c2be08b0 rdi = 0x00007fa2c2bdf680
rbp = 0x00007ffffa2453e0 rsp = 0x00007ffffa2453e0
r8 = 0x00007fa2c2be08b0 r9 = 0x00007fa2c3d46780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x000055f460222f50 r13 = 0x0000000000000000
r14 = 0x000055f460222f50 r15 = 0x000055f460222f48
rip = 0x00007fa2ac9a9586
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::LineRange::Extent() const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|412|0x34
0|1|libxul.so|nsGridContainerFrame::Grid::PlaceAutoAutoInRowOrder(unsigned int, unsigned int, nsGridContainerFrame::GridArea*, unsigned int, unsigned int) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4281|0x8
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4691|0x16
0|3|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4433|0xb
0|4|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4800|0x12
0|5|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|8477|0x5
0|6|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|7|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|750|0x2a
0|8|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|9|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|661|0x3a
0|10|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|775|0x15
0|11|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1161|0x15
0|12|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|967|0x18
0|13|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|296|0x2b
0|14|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9332|0x1c
0|15|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9505|0x12
0|16|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4204|0x12
0|17|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1434|0xb
0|18|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|373|0xb
0|19|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|367|0x12
0|20|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|745|0x17
0|21|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|644|0xf
0|22|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|55|0x13
0|23|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:27495909b8eb16a2f6224f9af7a0c052f58ac4a1f37ddd12d240b8b6a62795d131a51db23214bbde8ed61a33c6a97d727ae972f588d3f35141a1a66f3aadceeb/ipc/ipdl/PVsyncChild.cpp:|187|0x8
0|24|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:75695bbbf1ec93aad4718f03c359901f1be9ae34cba79945a5c42f3e8a2da054cc4ed1a56d373be9953080b82b366a6cd792a7b5323cd7f0d62bfa3c3b040098/ipc/ipdl/PBackgroundChild.cpp:|6083|0x24
0|25|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|2186|0x1c
0|26|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|2110|0x18
0|27|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1958|0xb
0|28|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1989|0x12
0|29|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1211|0x11
0|30|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|501|0xc
0|31|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|109|0x14
0|32|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|33|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|34|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|137|0xd
0|35|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|909|0xe
0|36|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|237|0x5
0|37|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|38|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|39|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|740|0x5
0|40|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|56|0x11
0|41|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|303|0x20
0|42|libc.so.6||||0x21b97
0|43|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|253|0x1d
Flags: in-testsuite?
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → mats
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200520152823-5415da14ec9a.
The bug appears to have been introduced in the following build range:
> Start: a5f7f53421ebce84b0dd4cb3535b49906fdf78ef (20190522152501)
> End: aaae630f30291056f4f40bbd9e12a917309e401e (20190522152821)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a5f7f53421ebce84b0dd4cb3535b49906fdf78ef&tochange=aaae630f30291056f4f40bbd9e12a917309e401e
|
||
Updated•4 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
Keywords: crash
|
|
Assignee | |
Comment 2•4 years ago
|
||
I'm fixing three bugs, in the order they appear in the patch:
- when inhibiting subgridding we remove the frame bit on the wrong frame
when the item has an anonymous frame (e.g. a scroll frame) - we used
mFrame instead of the correct SubgridFrame() - an abs.pos. subgrid using 'auto' lines should span all parent tracks,
not just explicit tracks (i.e. it should behave the same as the non-
abs.pos. case) - when spanning from the first/last line to the padding edge using 'auto'
then the subgrid technically doesn't span any parent tracks, so we
need to inhibit subgridding in this case. The subgrid itself will still
span that area though so the layout inside will behave as if it were
"subgridded" to a hypothetical track corresponding to that area. IOW,
inhibitting subgridding in this case should do what the author expects
anyway.
|
||
Comment 3•4 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mats, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(mats)
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/afdbc796fd3e Inhibit subgridding for abs.pos. subgrids that doesn't span a parent track. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/26749 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(mats)
|
|
||
Updated•3 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox85:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
|
||
Updated•3 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
status-firefox83:
--- → wontfix
status-firefox84:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 9•3 years ago
|
||
:mats, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(mats)
|
|
Reporter | |
Comment 10•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20201204033450-ee7cd95a414c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Status: RESOLVED → VERIFIED
Keywords: bugmon
|
|
||
Updated•3 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
[@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::InsertSlotsAt<T> | nsGridContainerFrame::Grid::CellMap::Fill]
|
||
Comment 12•2 years ago
|
||
(Removing old ni?s from Mats' solved bugs, hopefully it's fine for you Mats)
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
[@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::InsertSlotsAt<T> | nsGridContainerFrame::Grid::CellMap::Fill] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineRange::ToLength ]
[@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes]
[@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::InsertSlotsAt<T> | nsGridContainerFrame::Grid::CellMap::Fill]
Flags: needinfo?(MatsPalmgren_bugz)
You need to log in
before you can comment on or make changes to this bug.
Description
•