1670320 - Assertion failure: aCanBreakBefore <= 2 (Bogus break-before value!), at src/gfx/thebes/gfxFont.h:856

Status: REOPENED

(Core :: Graphics: Text, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Assertion failure: aCanBreakBefore <= 2 (Bogus break-before value!), at src/gfx/thebes/gfxFont.h:856

#0 0x7f9beb9c7e0b in SetCanBreakBefore src/gfx/thebes/gfxFont.h:856:7
#1 0x7f9beb9c7e0b in gfxTextRun::SetPotentialLineBreaks(gfxTextRun::Range, unsigned char const*) src/gfx/thebes/gfxTextRun.cpp:261:20
#2 0x7f9beebe6a2d in nsTransformedTextRun::SetPotentialLineBreaks(gfxTextRun::Range, unsigned char const*) src/layout/generic/nsTextRunTransformations.cpp:74:30
#3 0x7f9beebe4c58 in BuildTextRunsScanner::BreakSink::SetBreaks(unsigned int, unsigned int, unsigned char*) src/layout/generic/nsTextFrame.cpp:1090:21
#4 0x7f9bebee00fe in nsLineBreaker::FlushCurrentWord() src/dom/base/nsLineBreaker.cpp:126:18
#5 0x7f9bebee0a50 in nsLineBreaker::AppendText(nsAtom*, char16_t const*, unsigned int, unsigned int, nsILineBreakSink*) src/dom/base/nsLineBreaker.cpp:190:19
#6 0x7f9beebc41b5 in BuildTextRunsScanner::SetupBreakSinksForTextRun(gfxTextRun*, void const*) src/layout/generic/nsTextFrame.cpp:2788:22
#7 0x7f9beebc1c91 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrame.cpp:2574:3
#8 0x7f9beebbf5fb in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1657:17
#9 0x7f9beebc5c52 in BuildTextRuns src/layout/generic/nsTextFrame.cpp:1581:11
#10 0x7f9beebc5c52 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2998:7
#11 0x7f9beeba041b in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9180:7
#12 0x7f9beeb9e870 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:881:40
#13 0x7f9beea9c5af in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4515:15
#14 0x7f9beea9bb73 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4317:5
#15 0x7f9beea97b80 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4202:9
#16 0x7f9beea94450 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3177:5
#17 0x7f9beea8f283 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2711:7
#18 0x7f9beea8b41b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1371:3
#19 0x7f9beea9a92a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:294:11
#20 0x7f9beea96799 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3838:11
#21 0x7f9beea944f6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3174:5
#22 0x7f9beea8f283 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2711:7
#23 0x7f9beea8b41b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1371:3
#24 0x7f9beeab32c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1084:14
#25 0x7f9beeab2656 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:757:5
#26 0x7f9beeab32c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1084:14
#27 0x7f9beeaf54b8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:756:3
#28 0x7f9beeaf5de5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:880:3
#29 0x7f9beeaf9c57 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1278:3
#30 0x7f9beea80cf8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1124:14
#31 0x7f9beea8079a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:297:7
#32 0x7f9bee98da24 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9627:11
#33 0x7f9bee996e2e in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9800:24
#34 0x7f9bee99652d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4213:11
#35 0x7f9bed3c30eb in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1397:5
#36 0x7f9bed3c30eb in mozilla::EventStateManager::FlushLayout(nsPresContext*) src/dom/events/EventStateManager.cpp:5701:16
#37 0x7f9bed3bfa72 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:703:7
#38 0x7f9bee9aa57d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) src/layout/base/PresShell.cpp:8168:39
#39 0x7f9bee9a4a7b in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:8137:17
#40 0x7f9bee9a42b8 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) src/layout/base/PresShell.cpp:7051:30
#41 0x7f9bee9a2ea2 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6854:12
#42 0x7f9bee9a2682 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6779:23
#43 0x7f9bee673552 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:750:18
#44 0x7f9bee673278 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1133:9
#45 0x7f9bee6a9152 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:381:37
#46 0x7f9beb7fc74d in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:463:21
#47 0x7f9bee1b5448 in DispatchWidgetEventViaAPZ src/dom/ipc/BrowserChild.cpp:1715:10
#48 0x7f9bee1b5448 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1654:3
#49 0x7f9bee1b66e1 in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1621:3
#50 0x7f9bee1b67e9 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1586:8
#51 0x7f9beb1735f8 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5092:56
#52 0x7f9beabfdd5d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8622:32
#53 0x7f9beaa8134e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2150:25
#54 0x7f9beaa7db0f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2074:9
#55 0x7f9beaa7ef16 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1922:3
#56 0x7f9beaa7fb3b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1953:13
#57 0x7f9bea17c5ef in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:245:16
#58 0x7f9bea179a4a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:515:26
#59 0x7f9bea178924 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:374:15
#60 0x7f9bea178ad7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:171:36
#61 0x7f9bea17fd39 in operator() src/xpcom/threads/TaskController.cpp:88:37
#62 0x7f9bea17fd39 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#63 0x7f9bea191d2f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#64 0x7f9bea1977ea in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#65 0x7f9beaa86b54 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
#66 0x7f9bea9f8d63 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#67 0x7f9bea9f8c7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#68 0x7f9bea9f8c7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#69 0x7f9bee6bad68 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#70 0x7f9befeaebe3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#71 0x7f9beaa87969 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#72 0x7f9bea9f8d63 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#73 0x7f9bea9f8c7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#74 0x7f9bea9f8c7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#75 0x7f9befeae7c8 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#76 0x5644dad4e917 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#77 0x5644dad4e917 in main src/browser/app/nsBrowserApp.cpp:304:18
#78 0x7f9bfed240b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#79 0x5644dad2c6c9 in _start (/home/worker/builds/m-c-20201009153554-fuzzing-debug/firefox-bin+0x176c9)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/jkSseW72GoVmTQ4tWmtYLA/index.html

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201009214545-cad2c1678593.
Failed to bisect testcase (Unable to launch the end build!):

Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
End: 600f47bbfeb2b8dd8feb52dc9b0df0c72e01da9e (20201009041754)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 3

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20220813214044-f3931b6a6402) but not with tip (mozilla-central 20230811213712-16838b515ded.)

The bug appears to have been fixed in the following build range:

Start: 6d877fdb9a1e892fe6528a26aab81b53cfae55c5 (20230807061947)
End: 2f07664dbc304adeae1029ead0f4ab014aaa02a8 (20230807091755)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6d877fdb9a1e892fe6528a26aab81b53cfae55c5&tochange=2f07664dbc304adeae1029ead0f4ab014aaa02a8

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 4

[Tyson Smith [:tsmith]]

I am unable to reproduce the issue. It was last reported by fuzzers running m-c 20230807-06273ebf279a.

Comment 5

[Jonathan Kew [:jfkthame]]

FWIW, I suspect it'd still reproduce if you set intl.icu4x.segmenter.enabled to false. Which means that (currently) it is resolved only on Nightly, as we haven't yet enabled that for other channels.

Comment 6

[Tyson Smith [:tsmith]]

(In reply to Jonathan Kew [:jfkthame] from comment #5)

FWIW, I suspect it'd still reproduce if you set intl.icu4x.segmenter.enabled to false.

Yes I can confirm this is correct.