Open Bug 1662822 Opened 4 years ago Updated 2 years ago

Assertion failure: line >= 1 (expected a 1-based line number), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1825

Categories

(Core :: Layout: Grid, defect)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox82 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
593 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b74ab1682dea (built with --enable-debug).

Assertion failure: line >= 1 (expected a 1-based line number), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1825

    #0 0x7f8d82d3d70d in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f8d82d3d70d in nsGridContainerFrame::LineNameMap::Contains(unsigned int, nsAtom*) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1825:7
    #2 0x7f8d82d3d3ae in nsGridContainerFrame::LineNameMap::FindLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1752:11
    #3 0x7f8d82cd1596 in nsGridContainerFrame::LineNameMap::FindNamedLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1608:14
    #4 0x7f8d82cd0c86 in nsGridContainerFrame::Grid::ResolveLine(mozilla::StyleGenericGridLine<int> const&, int, unsigned int, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalSide, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3986:23
    #5 0x7f8d82cd1762 in nsGridContainerFrame::Grid::ResolveLineRangeHelper(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4065:13
    #6 0x7f8d82cd1a6d in nsGridContainerFrame::Grid::ResolveLineRange(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4109:16
    #7 0x7f8d82cd1cba in nsGridContainerFrame::Grid::PlaceDefinite(nsIFrame*, nsGridContainerFrame::LineNameMap const&, nsGridContainerFrame::LineNameMap const&, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4140:7
    #8 0x7f8d82cd4157 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4567:9
    #9 0x7f8d82cd31cb in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4446:3
    #10 0x7f8d82cd52f6 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4813:14
    #11 0x7f8d82ce9add in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8489:12
    #12 0x7f8d82c70890 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1076:14
    #13 0x7f8d82cafaf5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:753:3
    #14 0x7f8d82cb0577 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:877:3
    #15 0x7f8d82cb432f in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1275:3
    #16 0x7f8d82c70890 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1076:14
    #17 0x7f8d82cdbd7e in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4981:11
    #18 0x7f8d82cdf39e in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5249:14
    #19 0x7f8d82cdb11b in MaxContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5319:15
    #20 0x7f8d82cdab52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5493:14
    #21 0x7f8d82cd8708 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6132:11
    #22 0x7f8d82ccdaa5 in CalculateSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5409:3
    #23 0x7f8d82ccdaa5 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3642:12
    #24 0x7f8d82ce9b7d in CalculateTrackSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3681:3
    #25 0x7f8d82ce9b7d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8498:21
    #26 0x7f8d82c70890 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1076:14
    #27 0x7f8d82c6fbe6 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:749:5
    #28 0x7f8d82c70890 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1076:14
    #29 0x7f8d82cafaf5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:753:3
    #30 0x7f8d82cb0577 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:877:3
    #31 0x7f8d82cb432f in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1275:3
    #32 0x7f8d82c3e348 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1116:14
    #33 0x7f8d82c3dea9 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:297:7
    #34 0x7f8d82b47e61 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9636:11
    #35 0x7f8d82b5181e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9809:24
    #36 0x7f8d82b50f86 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4239:11
    #37 0x7f8d82b1c237 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1412:5
    #38 0x7f8d82b1c237 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2148:20
    #39 0x7f8d82b242c1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:372:13
    #40 0x7f8d82b242c1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
    #41 0x7f8d82b241ac in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:5
    #42 0x7f8d82b297db in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:818:5
    #43 0x7f8d82b297db in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:736:16
    #44 0x7f8d82b2909f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:638:7
    #45 0x7f8d82b2239d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:537:20
    #46 0x7f8d7e1ceb54 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #47 0x7f8d7e1cc91d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #48 0x7f8d7e1cba54 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #49 0x7f8d7e1cbc07 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #50 0x7f8d7e1d3596 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #51 0x7f8d7e1d3596 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #52 0x7f8d7e1e67a8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1242:14
    #53 0x7f8d7e1ec17a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #54 0x7f8d7eb1596f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #55 0x7f8d7ea868e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #56 0x7f8d7ea867fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #57 0x7f8d7ea867fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #58 0x7f8d8288c548 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #59 0x7f8d840b6ac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #60 0x7f8d7eb16737 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #61 0x7f8d7ea868e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #62 0x7f8d7ea867fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #63 0x7f8d7ea867fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #64 0x7f8d840b669c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #65 0x55c0d235409f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #66 0x55c0d235409f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #67 0x7f8d947b10b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #68 0x55c0d23320a9 in _start (/home/worker/builds/m-c-20200823093112-fuzzing-debug/firefox-bin+0x170a9)
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200902215721-85e7a3055098.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 00a15ff99b87cc88718646c76b48a5ea54943c52 (20200902033114)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

This testcase took a long time to load on Nightly. (I closed the page after 1 minute)

https://share.firefox.dev/3lOxocm

Keywords: bugmon

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: aa032cbc94551a0f6e7e821d78aa0388f998e830 (20200903151816)
End: aa032cbc94551a0f6e7e821d78aa0388f998e830 (20200903151816)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aa032cbc94551a0f6e7e821d78aa0388f998e830&tochange=aa032cbc94551a0f6e7e821d78aa0388f998e830
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: