Closed
Bug 1638906
Opened 5 years ago
Closed 3 years ago
Assertion failure: mGridColEnd <= kTranslatedMaxLine && mGridRowEnd <= kTranslatedMaxLine, at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3144
Categories
(Core :: Layout: Grid, defect)
Core
Layout: Grid
Tracking
()
RESOLVED
DUPLICATE
of bug 1638860
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | affected |
People
(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
636 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 8acda9da4ae7 (built with --enable-debug).
Assertion failure: mGridColEnd <= kTranslatedMaxLine && mGridRowEnd <= kTranslatedMaxLine, at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3144
rax = 0x00007f9a8a8909ec rdx = 0x0000000000000000
rcx = 0x00005643edea4a78 rbx = 0x0000000000000000
rsi = 0x00007f9a9b8078b0 rdi = 0x00007f9a9b806680
rbp = 0x00007ffc634bda80 rsp = 0x00007ffc634bda80
r8 = 0x00007f9a9b8078b0 r9 = 0x00007f9a9c96d780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00005643efecd890 r13 = 0x00005643efecd890
r14 = 0x00005643efecd880 r15 = 0x00005643efecd898
rip = 0x00007f9a8558d35a
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::Grid::InflateGridFor(nsGridContainerFrame::GridArea const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|3143|0x29
0|1|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4649|0x8
0|2|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4433|0xb
0|3|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4800|0x12
0|4|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|8477|0x5
0|5|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|6|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|750|0x2a
0|7|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|8|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|661|0x3a
0|9|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|775|0x15
0|10|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1161|0x15
0|11|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|967|0x18
0|12|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|296|0x2b
0|13|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9332|0x1c
0|14|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9505|0x12
0|15|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4204|0x12
0|16|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1008|0x29
0|17|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|5841|0x18
0|18|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|5593|0xe
0|19|libxul.so|non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|0|0x10
0|20|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1345|0x3
0|21|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|905|0x28
0|22|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|725|0xe
0|23|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|613|0xb
0|24|libxul.so|non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|0|0xd
0|25|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|611|0x14
0|26|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|518|0xe
0|27|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|10698|0x1c
0|28|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|10630|0x8
0|29|libxul.so|mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*)|hg:hg.mozilla.org/mozilla-central:layout/style/Loader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|448|0x1c
0|30|libxul.so|non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool)|hg:hg.mozilla.org/mozilla-central:layout/style/Loader.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|0|0xd
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1230|0xf
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|501|0xc
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|87|0x7
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|909|0xe
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|740|0x5
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|56|0x11
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|303|0x20
0|44|libc.so.6||||0x21b97
0|45|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|253|0x1d
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200520152823-5415da14ec9a.
The bug appears to have been introduced in the following build range:
> Start: 6506806b3bf81cf5093c9ce63aec76075bebf58e (20191008012105)
> End: bb30c0d750556c4db5163efe7f00c3067b1d955c (20191008012250)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6506806b3bf81cf5093c9ce63aec76075bebf58e&tochange=bb30c0d750556c4db5163efe7f00c3067b1d955c
|
||
Updated•5 years ago
|
Crash Signature: [@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::InsertSlotsAt<T> | nsGridContainerFrame::Grid::CellMap::Fill ]
Keywords: crash
|
Assignee | |
Comment 2•5 years ago
|
||
This is the same underlying issue as bug 1638860. I'll fix it there.
|
||
Comment 3•4 years ago
|
||
:mats, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(mats)
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis
The bug appears to have been fixed in the following build range:
Start: e7c03faf28809aee2cd8e80d5f6e8700c8e4fa25 (20201203220210)
End: afdbc796fd3e88d859215fdbc870204ce1cf1883 (20201203220553)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e7c03faf28809aee2cd8e80d5f6e8700c8e4fa25&tochange=afdbc796fd3e88d859215fdbc870204ce1cf1883
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Updated•3 years ago
|
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
|
||
Updated•3 years ago
|
Flags: needinfo?(MatsPalmgren_bugz)
You need to log in
before you can comment on or make changes to this bug.
Description
•