Closed Bug 1645152 Opened 4 years ago Closed 4 years ago

Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4687

Categories

(Core :: Layout: Grid, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1638860
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 10ad7868f3ca (built with --enable-debug).

Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4687

rax = 0x00007f376e4a5f3b   rdx = 0x0000000000000000
rcx = 0x000055ff5d322a58   rbx = 0x000055ff5e00e028
rsi = 0x00007f377f3ec8b0   rdi = 0x00007f377f3eb680
rbp = 0x00007ffeb1201540   rsp = 0x00007ffeb12012f0
r8 = 0x00007f377f3ec8b0    r9 = 0x00007f3780552780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x000055ff5e00e018   r13 = 0x000055ff5e00e018
r14 = 0x000055ff5e00e020   r15 = 0x0000000000000000
rip = 0x00007f3768e1ff92
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4685|0x0
0|1|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4415|0xb
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4782|0x12
0|3|libxul.so|nsGridContainerFrame::IntrinsicISize(gfxContext*, nsLayoutUtils::IntrinsicISizeType)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9132|0x5
0|4|libxul.so|nsGridContainerFrame::GetMinISize(gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9184|0xd
0|5|libxul.so|nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|5548|0x6
0|6|libxul.so|ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|5115|0x22
0|7|libxul.so|MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|5269|0x18
0|8|libxul.so|nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|5437|0x21
0|9|libxul.so|nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|6101|0x29
0|10|libxul.so|nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, nsGridContainerFrame::SizingConstraint)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|5378|0x8
0|11|libxul.so|nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|3611|0x1d
0|12|libxul.so|nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize const&, nsGridContainerFrame::SizingConstraint)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|3648|0x49
0|13|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|8467|0xa
0|14|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1074|0x1a
0|15|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|750|0x22
0|16|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1074|0x1a
0|17|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|661|0x3a
0|18|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|775|0x15
0|19|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1161|0x15
0|20|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1114|0x18
0|21|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|296|0x2b
0|22|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9576|0x1c
0|23|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9749|0x12
0|24|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4229|0x12
0|25|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1440|0xb
0|26|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|373|0xb
0|27|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|367|0x12
0|28|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|737|0x17
0|29|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|639|0x10
0|30|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|538|0x14
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1236|0xe
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|501|0xc
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|87|0x7
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|315|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|290|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|913|0xe
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|315|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|290|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|744|0x5
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|56|0x11
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|303|0x20
0|44|libc.so.6||||0x21b97
0|45|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|253|0x17
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200611093454-10ad7868f3ca.
The bug appears to have been introduced in the following build range:
> Start: 6506806b3bf81cf5093c9ce63aec76075bebf58e (20191008012105)
> End: bb30c0d750556c4db5163efe7f00c3067b1d955c (20191008012250)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6506806b3bf81cf5093c9ce63aec76075bebf58e&tochange=bb30c0d750556c4db5163efe7f00c3067b1d955c
Crash Signature: [@ InvalidArrayIndex_CRASH | CopyUsedTrackSizes ]
Keywords: crash
Regressed by: 1506939
Has Regression Range: --- → yes

I suspect it's not really regressed by bug 1506939. The test case uses the rotate property, which bug 1506939 turned on, but you could probably replace it with transform and get the same effect.

(In reply to Cameron McCormack (:heycam) from comment #2)

I suspect it's not really regressed by bug 1506939. The test case uses the rotate property, which bug 1506939 turned on, but you could probably replace it with transform and get the same effect.

So this may be a general transform issue together with grid.

See Also: → 1680184
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Actually, the underlying bug here is fixed by bug 1638860. Bug 1680184 is about removed auto-fit tracks specifically. I'll add the test here as a crashtest in that bug.

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: