Open Bug 1652990 Opened 4 years ago Updated 2 years ago

Assertion failure: !frame->GetChildList(nsIFrame::kOverflowList).FirstChild() (should have drained the overflow list above), at /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:1380

Categories

(Core :: Layout: Text and Fonts, defect)

Tracking

Tracking Status
firefox-esr91 --- affected
firefox80 --- wontfix
firefox91 --- wontfix
firefox92 --- affected
firefox93 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirm])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 2aa3b889d603 (built with --enable-debug).

Assertion failure: !frame->GetChildList(nsIFrame::kOverflowList).FirstChild() (should have drained the overflow list above), at /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:1380

rax = 0x00007f38479a4e85   rdx = 0x0000000000000000
rcx = 0x00005561d017aa58   rbx = 0x00005561d1b51698
rsi = 0x00007f385898e8b0   rdi = 0x00007f385898d680
rbp = 0x00007ffc663c6c40   rsp = 0x00007ffc663c6b10
r8 = 0x00007f385898e8b0    r9 = 0x00007f3859af4780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00005561d1b56c88   r13 = 0x00007ffc663c6f00
r14 = 0x000000000000004b   r15 = 0x00005561d1b512c0
rip = 0x00007f384217174a
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsBidiPresUtils::TraverseFrames(nsIFrame*, BidiParagraphData*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1379|0x0
0|1|libxul.so|nsBidiPresUtils::TraverseFrames(nsIFrame*, BidiParagraphData*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1382|0xb
0|2|libxul.so|nsBidiPresUtils::TraverseFrames(nsIFrame*, BidiParagraphData*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1382|0xb
0|3|libxul.so|nsBidiPresUtils::Resolve(nsBlockFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|842|0x8
0|4|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1337|0x10
0|5|libxul.so|nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|760|0x1d
0|6|libxul.so|nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsAbsoluteContainingBlock.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|212|0x38
0|7|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|340|0x2e
0|8|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|9608|0x1c
0|9|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|9781|0x12
0|10|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|4240|0x12
0|11|libxul.so|mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|10036|0x23
0|12|libxul.so|mozilla::PresShell::SimpleResizeReflow(int, int, mozilla::ResizeReflowOptions)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1985|0x1c
0|13|libxul.so|mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, mozilla::ResizeReflowOptions)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2018|0xe
0|14|libxul.so|nsViewManager::DoSetWindowDimensions(int, int, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|188|0x18
0|15|libxul.so|nsViewManager::SetWindowDimensions(int, int, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|221|0x13
0|16|libxul.so|nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2056|0xe
0|17|libxul.so|nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|4337|0x17
0|18|libxul.so|nsWebBrowser::SetPositionAndSize(int, int, int, int, unsigned int)|hg:hg.mozilla.org/mozilla-central:toolkit/components/browser/nsWebBrowser.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|951|0x25
0|19|libxul.so|mozilla::dom::BrowserChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1152|0x33
0|20|libxul.so|mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:5715fc358421aba9756d3019ac3899727be13732d933dcebc72577f557c75eabb1c7839eb4475dd3893a05e9329d6612759437fa0ad7b27c33b355b0321d95b4/ipc/ipdl/PBrowserChild.cpp:|4385|0x13
0|21|libxul.so|mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:2d869f00bce2e94af62e44cafd96668649c73518dd6379ea31e8af9d91a5f5da02cc1c068feb735651ddefe87d4be50782ae251265e04b6874e08da865b90e0d/ipc/ipdl/PContentChild.cpp:|8319|0x24
0|22|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2150|0x1c
0|23|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2074|0x12
0|24|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1922|0xb
0|25|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1953|0x12
0|26|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|209|0x11
0|27|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|459|0xa
0|28|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|337|0x5
0|29|libxul.so|mozilla::TaskController::ProcessPendingMTTask()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|152|0x8
0|30|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|577|0xd
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1234|0xe
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|513|0xc
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|109|0x14
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|334|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|309|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|913|0xe
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|334|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|309|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|744|0x5
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|56|0x11
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|303|0x20
0|44|libc.so.6||||0x21b97
0|45|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|253|0x17
Flags: in-testsuite?
Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200715093718-d4c6cd2e13bb
> mozilla-central 20200715093718-d4c6cd2e13bb
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Whiteboard: [bugmon:confirmed] → [bugmon:confirm]
Severity: normal → S3
See Also: → 1800476