1663656 - Assertion failure: childStatus.IsFullyComplete() (We gave our child unconstrained available block-size, so it should be complete!), at /builds/worker/checkouts/gecko/layout/generic/nsVideoFrame.cpp:326

Status: NEW

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.zip

Testcase found while fuzzing mozilla-central rev fb9c01b719fa (built with --enable-debug).

Assertion failure: childStatus.IsFullyComplete() (We gave our child unconstrained available block-size, so it should be complete!), at /builds/worker/checkouts/gecko/layout/generic/nsVideoFrame.cpp:326

    #0 0x7f83a6db6972 in nsVideoFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsVideoFrame.cpp:324:7
    #1 0x7f83a6d6a405 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:878:13
    #2 0x7f83a6c6974f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4516:15
    #3 0x7f83a6c68d13 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4318:5
    #4 0x7f83a6c64d30 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4203:9
    #5 0x7f83a6c61640 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3172:5
    #6 0x7f83a6c5c453 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2707:7
    #7 0x7f83a6c585d9 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1368:3
    #8 0x7f83a6c80380 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #9 0x7f83a6c7f6e8 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:749:5
    #10 0x7f83a6c4dd68 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #11 0x7f83a6d74eb3 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageContentFrame.cpp:63:5
    #12 0x7f83a6c4dd68 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #13 0x7f83a6d75807 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:136:3
    #14 0x7f83a6d75a11 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:163:13
    #15 0x7f83a6c80380 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #16 0x7f83a6c31159 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/PrintedSheetFrame.cpp:130:5
    #17 0x7f83a6c4dd68 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #18 0x7f83a6d79712 in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageSequenceFrame.cpp:287:5
    #19 0x7f83a6c80380 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #20 0x7f83a6cbf259 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:755:3
    #21 0x7f83a6cbfd55 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:879:3
    #22 0x7f83a6cc3aff in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1277:3
    #23 0x7f83a6c4dd68 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #24 0x7f83a6c4d8c0 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:297:7
    #25 0x7f83a6b58ab4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9643:11
    #26 0x7f83a6b6216e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9816:24
    #27 0x7f83a6b61868 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4239:11
    #28 0x7f83a6fd6126 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1888:14
    #29 0x7f83a6fd517d in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1478:3
    #30 0x7f83a6fd1868 in nsPrintJob::InitPrintDocConstruction(bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1510:3
    #31 0x7f83a6fd8282 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:2646:17
    #32 0x7f83a8035968 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /builds/worker/checkouts/gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
    #33 0x7f83a30b1e3b in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:228:28
    #34 0x7f83a2e04e8d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8797:32
    #35 0x7f83a2c8c6fe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #36 0x7f83a2c88ebf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #37 0x7f83a2c8a2c6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #38 0x7f83a2c8aeeb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #39 0x7f83a237c4df in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #40 0x7f83a237a55a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #41 0x7f83a23796b4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #42 0x7f83a2379867 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #43 0x7f83a2381289 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:86:37
    #44 0x7f83a2381289 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_5>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #45 0x7f83a239461f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #46 0x7f83a2399fca in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #47 0x7f83a2c91fa4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #48 0x7f83a2c04c13 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #49 0x7f83a2c04b2d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #50 0x7f83a2c04b2d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7f83a6896338 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #52 0x7f83a806e373 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #53 0x7f83a2c92db9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #54 0x7f83a2c04c13 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #55 0x7f83a2c04b2d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #56 0x7f83a2c04b2d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #57 0x7f83a806df58 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #58 0x563c96ada957 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #59 0x563c96ada957 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #60 0x7f83b8afb0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #61 0x563c96ab8709 in _start (/home/worker/builds/m-c-20200906094118-fuzzing-debug/firefox-bin+0x17709)

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200908161332-10fc7701db1b
> mozilla-central 20200908030802-80ac8d8c74d5
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 2

[Bryce Seager van Dyk [:bryce] (he/him) - Not reading bugmail]

Moving to layout based on the stack.

Comment 3

[Daniel Holbert [:dholbert]]

jkratzer, can you still repro? (I wonder if pernosco-wanted will do the right thing if it's not reproducible; let's find out what happens.)

Comment 4

[Jason Kratzer [:jkratzer]]

Bugmon will only record a pernosco session using the original revision specified in comment 0 or via the origRev command in the whiteboard. I'll try and verify this manually.

Comment 5

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Comment 6

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 7

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 8

[Daniel Holbert [:dholbert]]

Thanks! The assertion here is expecting that an child-frame with unconstrained available block-size should never return an incomplete reflow status. In this case, we've got a vertical writing mode, so our block-size is our width.

However, it looks like nsImageFrame has a snippet that assumes (incorrectly in this case) that the block axis is the vertical axis:
https://searchfox.org/mozilla-central/rev/31f5847a4494b3646edabbdd7ea39cb88509afe2/layout/generic/nsImageFrame.cpp#1571-1581

if (aPresContext->IsPaginated() &&
    ((loadStatus & imgIRequest::STATUS_SIZE_AVAILABLE) ||
     HasAnyStateBits(IMAGE_SIZECONSTRAINED)) &&
    NS_UNCONSTRAINEDSIZE != aReflowInput.AvailableHeight() &&
    aMetrics.Height() > aReflowInput.AvailableHeight()) {
  // our desired height was greater than 0, so to avoid infinite
  // splitting, use 1 pixel as the min
  aMetrics.Height() = std::max(nsPresContext::CSSPixelsToAppUnits(1),
                               aReflowInput.AvailableHeight());
  aStatus.SetIncomplete();
}

We reach that code and trigger the aStatus.SetIncomplete() call (requesting to be fragmented in the block axis) even though we have unconstrained block size.

The issue is the explicit references to Height there (and our height is not unconstrained, but also not relevant for aStatus's completeness). These seem to predate our introduction of vertical writing modes. They should all be converted to BSize.

Comment 9

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[Jason Kratzer [:jkratzer]]

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Comment 11

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1663656 using build mozilla-central 20230413152644-5c9aa60ea6f4. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.