Closed Bug 1679797 Opened 4 years ago Closed 2 years ago

Assertion failure: cbri (no containing block), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2203

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
108 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox85 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Crash Data

Attachments

(2 files)

testcase.html
368 bytes, text/html
Details
Bug 1679797 - The containing block of a subgridded item is the root grid container. r=dholbert
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b0865ea58462 (built with --enable-debug).

Assertion failure: cbri (no containing block), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2203

    #0 0x7f280ee8a86b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2117:5
    #1 0x7f280ee8775f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:357:3
    #2 0x7f280ee87f3a in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:216:5
    #3 0x7f280ef45911 in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4961:15
    #4 0x7f280ef49261 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5249:14
    #5 0x7f280ef44abb in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5300:15
    #6 0x7f280ef44522 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5468:13
    #7 0x7f280ef424d2 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6132:11
    #8 0x7f280ef38425 in CalculateSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5409:3
    #9 0x7f280ef38425 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3641:12
    #10 0x7f280ef537e0 in CalculateTrackSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3680:3
    #11 0x7f280ef537e0 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8511:21
    #12 0x7f280edab076 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9666:11
    #13 0x7f280edb498e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9839:24
    #14 0x7f280edb3f1d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4250:11
    #15 0x7f280ed7cac9 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1409:5
    #16 0x7f280ed7cac9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2250:20
    #17 0x7f280ed84931 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #18 0x7f280ed84931 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
    #19 0x7f280ed8481c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #20 0x7f280ed83dc8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
    #21 0x7f280ed83dc8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
    #22 0x7f280ed836d0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
    #23 0x7f280ed83149 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
    #24 0x7f280f145597 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
    #25 0x7f280b3cf705 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #26 0x7f280b18242c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6247:32
    #27 0x7f280ae4760e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2146:25
    #28 0x7f280ae43d2d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2070:9
    #29 0x7f280ae451d6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1918:3
    #30 0x7f280ae45dfb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1949:13
    #31 0x7f280a5358ff in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #32 0x7f280a533f6a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #33 0x7f280a533014 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #34 0x7f280a5331c7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #35 0x7f280a5391d6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
    #36 0x7f280a5391d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #37 0x7f280a54a757 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1194:14
    #38 0x7f280a5507ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #39 0x7f280ae4cea6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #40 0x7f280adba213 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #41 0x7f280adba12d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #42 0x7f280adba12d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #43 0x7f280ead8148 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #44 0x7f28102d7d03 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #45 0x7f280ae4dc69 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #46 0x7f280adba213 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #47 0x7f280adba12d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #48 0x7f280adba12d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #49 0x7f28102d78e8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #50 0x564a4a5a0a27 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #51 0x564a4a5a0a27 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #52 0x7f281ff9f0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201130093031-b0865ea58462.
Failed to bisect testcase (Start build crashes!):

Start: b8f3a97900e5148daed8c0aae87243b8ef4a2c31 (20191202091209)
End: b0865ea584621ce9e7f68833565e3d8ae117ce32 (20201130093031)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

I got a crash from the testcase
https://crash-stats.mozilla.org/report/index/544b55eb-cb50-4c6a-8465-547f50201201

Crash Signature: [@ mozilla::ReflowInput::Init ]
Keywords: crash, crashreportid

Subgrid + contain. Seems like a fairly reduced test-case, mats do you have cycles to take a look? Otherwise please return the ni? back and I can poke :)

Severity: -- → S2
Flags: needinfo?(mats)
Priority: -- → P2
QA Whiteboard: qa-not-actionable
Flags: needinfo?(emilio)
Blocks: subgrid
Flags: needinfo?(emilio)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

Subgrid + contain. Seems like a fairly reduced test-case

FWIW: looking at recent crash reports ( e.g. bp-4351227b-121e-451e-b6ed-a8e620220318 ), I'm not seeing nsGridContainerFrame anywhere in the backtrace. So, assuming the testcase is exposing a grid/subgrid-specific issue, it's probably a different root cause from what many users in the wild are hitting when they crash with this signature. :-/

Flags: needinfo?(MatsPalmgren_bugz)
Crash Signature: [@ mozilla::ReflowInput::Init ] → [@ mozilla::ReflowInput::Init ] [@ mozilla::ReflowInput::ReflowInput ]

Yeah, while the specific test-case is actionable (and related to subgrid), the crash stacks are indeed different.

We reflow subgrid items with a ParentReflowInput from the grid
container.

Note I'm not the most familiar with subgrid, thought his does fix the
crash. Maybe we should just build the right reflow input here for
subgrid items (by building a stack of them or so on)?

https://searchfox.org/mozilla-central/rev/c5c002f81f08a73e04868e0c2bf0eb113f200b03/layout/generic/nsGridContainerFrame.cpp#4981,5018-5026,5053-5054

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Attachment #9299583 - Attachment description: Bug 1679797 - The containing block of a subgrid is the root grid container. r=dholbert → Bug 1679797 - The containing block of a subgridded item is the root grid container. r=dholbert
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ce7bd39cd8f8 The containing block of a subgridded item is the root grid container. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36579 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/ce7bd39cd8f8

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox108: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20221021083918-f5e4af37bbb0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox108: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: