Closed
Bug 1679471
Opened 4 years ago
Closed 4 years ago
Assertion failure: !mFrame->IsFrameOfType(nsIFrame::eReplaced) (Replaced element shouldn't have the unconstrained block size), at src/layout/generic/ReflowInput.cpp:1517
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
85 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox83 | --- | unaffected |
| firefox84 | --- | unaffected |
| firefox85 | --- | verified |
People
(Reporter: tsmith, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])
Attachments
(2 files)
Assertion failure: !mFrame->IsFrameOfType(nsIFrame::eReplaced) (Replaced element shouldn't have the unconstrained block size), at src/layout/generic/ReflowInput.cpp:1517
#0 0x7f4e1eead621 in mozilla::ReflowInput::CalculateAbsoluteSizeWithResolvedAutoBlockSize(int, bool, mozilla::LogicalSize const&) src/layout/generic/ReflowInput.cpp:1516:3
#1 0x7f4e1eeaf1bd in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) src/layout/generic/ReflowInput.cpp:1886:11
#2 0x7f4e1eea9d78 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) src/layout/generic/ReflowInput.cpp:2357:7
#3 0x7f4e1eea757f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) src/layout/generic/ReflowInput.cpp:357:3
#4 0x7f4e1eea7d5a in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) src/layout/generic/ReflowInput.cpp:216:5
#5 0x7f4e1eec4d84 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:715:15
#6 0x7f4e1eec38d4 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
#7 0x7f4e1eec3374 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:380:35
#8 0x7f4e1edcbbf6 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9673:11
#9 0x7f4e1edd53ce in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9846:24
#10 0x7f4e1edd4994 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4252:11
#11 0x7f4e1c12597b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1413:5
#12 0x7f4e1c12597b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:10344:16
#13 0x7f4e1edbb1fe in GetFrameForNode src/layout/base/GeometryUtils.cpp:44:8
#14 0x7f4e1edbb1fe in mozilla::GetFrameForNode(nsINode*, bool) src/layout/base/GeometryUtils.cpp:97:12
#15 0x7f4e1edbaceb in mozilla::GetBoxQuads(nsINode*, mozilla::dom::BoxQuadOptions const&, nsTArray<RefPtr<mozilla::dom::DOMQuad> >&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/layout/base/GeometryUtils.cpp:265:7
#16 0x7f4e1d18095f in mozilla::dom::Element_Binding::getBoxQuads(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:9171:24
#17 0x7f4e1d47888a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3230:13
#18 0x7f4e2042dc61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:498:13
#19 0x7f4e2042d4c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:12
#20 0x7f4e2042ec13 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:643:10
#21 0x7f4e20da65d4 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:1923:10
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
This issue is hit frequently by fuzzers and has been marker as a fuzzblocker.
Whiteboard: [fuzzblocker]
|
|
Reporter | |
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/V8kEcuOeWusKLcOrPbM4_g/index.html
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201126212448-3636cdf0b487.
The bug appears to have been introduced in the following build range:
Start: fd1683e51ec5eae6a5c5b516492d6a81eb06e7ea (20201120163152)
End: 8d8561344299516728989604a0c7a14d2bff91e7 (20201121092754)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd1683e51ec5eae6a5c5b516492d6a81eb06e7ea&tochange=8d8561344299516728989604a0c7a14d2bff91e7
Whiteboard: [fuzzblocker] → [fuzzblocker][bugmon:bisected,confirmed]
|
Assignee | |
Comment 4•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → mats
Status: NEW → ASSIGNED
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3af1d67e6a60 Demote fatal assertions to warnings since they depend on calculated nscoord values. r=TYLin
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
|
||
Updated•4 years ago
|
Keywords: regression
|
|
||
Comment 8•4 years ago
|
||
Set release status flags based on info from the regressing bug 1651776
status-firefox83:
--- → unaffected
status-firefox84:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
|
||
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201201093815-abafe6c923eb.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•