1679794 - Assertion failure: aBlockSize >= 0 && aBlockSize != nscoord((1 << 30) - 1) (The caller shouldn't give us an unresolved or invalid block size), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1480

Status: VERIFIED FIXED

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev b0865ea58462 (built with --enable-debug).

Assertion failure: aBlockSize >= 0 && aBlockSize != nscoord((1 << 30) - 1) (The caller shouldn't give us an unresolved or invalid block size), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1480

    #0 0x7f8cdeeaea0d in mozilla::ReflowInput::IsInlineSizeComputableByBlockSizeAndAspectRatio(int) const /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1478:3
    #1 0x7f8cdeeb0829 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1875:9
    #2 0x7f8cdeeab478 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2357:7
    #3 0x7f8cdeea8c7f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:357:3
    #4 0x7f8cdeea945a in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:216:5
    #5 0x7f8cdeec64b4 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:715:15
    #6 0x7f8cdeec5004 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #7 0x7f8cdeecdb6d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1621:26
    #8 0x7f8cdef03030 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #9 0x7f8cdeef1ddd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:788:7
    #10 0x7f8cdef03030 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #11 0x7f8cdef3c6b6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:756:3
    #12 0x7f8cdef3d149 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:880:3
    #13 0x7f8cdef41147 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1278:3
    #14 0x7f8cdef03488 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
    #15 0x7f8cdeec467b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:339:7
    #16 0x7f8cdedcc376 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9671:11
    #17 0x7f8cdedd5c8e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9844:24
    #18 0x7f8cdedd521d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4250:11
    #19 0x7f8cdee424d1 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1400:5
    #20 0x7f8cdee424d1 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:957:16
    #21 0x7f8cdfdfe0f1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6404:20
    #22 0x7f8cdfdfdada in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5757:7
    #23 0x7f8cdfdfe9cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #24 0x7f8cdb7637cc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
    #25 0x7f8cdb762d7a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:954:14
    #26 0x7f8cdb76110c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
    #27 0x7f8cdb7621bd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #28 0x7f8cdb76299c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #29 0x7f8cda6e4a76 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:616:22
    #30 0x7f8cda6e5f83 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:523:10
    #31 0x7f8cdc130381 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11012:18
    #32 0x7f8cdc10f350 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10942:9
    #33 0x7f8cdc11f91d in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7505:3
    #34 0x7f8cdc190836 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #35 0x7f8cdc190836 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #36 0x7f8cdc190836 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #37 0x7f8cda543232 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #38 0x7f8cda54924f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #39 0x7f8cda5478ba in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #40 0x7f8cda546964 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #41 0x7f8cda546b17 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #42 0x7f8cda54cb26 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
    #43 0x7f8cda54cb26 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #44 0x7f8cda55e0a7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1194:14
    #45 0x7f8cda56414a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #46 0x7f8cdae62716 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #47 0x7f8cdadcfa53 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #48 0x7f8cdadcf96d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #49 0x7f8cdadcf96d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #50 0x7f8cdeaf93b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #51 0x7f8ce02f7863 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #52 0x7f8cdae634d9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #53 0x7f8cdadcfa53 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #54 0x7f8cdadcf96d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #55 0x7f8cdadcf96d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #56 0x7f8ce02f7448 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #57 0x5630b3117a67 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #58 0x5630b3117a67 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #59 0x7f8ceee1a0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201130093031-b0865ea58462.
The bug appears to have been introduced in the following build range:

Start: fd1683e51ec5eae6a5c5b516492d6a81eb06e7ea (20201120163152)
End: 8d8561344299516728989604a0c7a14d2bff91e7 (20201121092754)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd1683e51ec5eae6a5c5b516492d6a81eb06e7ea&tochange=8d8561344299516728989604a0c7a14d2bff91e7

Comment 2

[Boris Chiou [:boris]]

The root cause is this line:

nscoord autoBSize = cbSize.BSize(cbwm) - margin.BStartEnd(cbwm) - borderPadding.BStartEnd(cbwm) - offsets.BStartEnd(cbwm);

when borderPadding.BStartEnd(cbwm) is 1073741823, and offsets.BStartEnd(cbwm) is -2147483646, the result is just equal to nscoord_MAX. Perhaps Bug 1602669 can fix all the related issues. For now, perhaps just make sure BStartEnd() returns the value in the range of [nscoord_MIN, nscoord_MAX], so we don't make autoBSize be equal to NS_UNCONSTRAINEDSIZE.

Comment 3

[Boris Chiou [:boris]]

Attachment: Bug 1679794 - Downgrade MOZ_ASSERT to NS_WARNING_ASSERTION for the resolved non-auto-insets block size on abs-positioned elements.

These two methods return nscoord, but the implementation of mMargin.LeftRight()
and mMargin.TopBottom() is just to add two values, so it may be out of
the range of nscoord. Clamp it for layout code.

Comment 4

[Pulsebot]

Pushed by bchiou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/70e82d5603e7
Downgrade MOZ_ASSERT to NS_WARNING_ASSERTION for the resolved non-auto-insets block size on abs-positioned elements. r=dholbert

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/70e82d5603e7

Comment 6

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210721092353-d716918916ac.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.