Closed Bug 1681777 Opened 4 years ago Closed 4 years ago

Assertion failure: aBStart <= aBEnd (The band's block start is greater than its block end?), at /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2894

Categories

(Core :: Layout: Floats, defect)

Tracking

RESOLVED DUPLICATE of bug 1685796
Tracking Status
firefox85 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 73f050da7d20 (built with --enable-debug).

Assertion failure: aBStart <= aBEnd (The band's block start is greater than its block end?), at /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2894

    #0 0x7f9abaf028e5 in nsFloatManager::ShapeInfo::LineEdge(nsTArray<nsRect> const&, int, int, bool) /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2893:3
    #1 0x7f9abaeff2ab in LineLeft /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2350:43
    #2 0x7f9abaeff2ab in nsFloatManager::GetFlowArea(mozilla::WritingMode, int, int, nsFloatManager::BandInfoType, nsFloatManager::ShapeType, mozilla::LogicalRect, nsFloatManager::SavedState*, nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:224:16
    #3 0x7f9abae7c925 in mozilla::BlockReflowInput::GetFloatAvailableSpaceForBSize(int, int, nsFloatManager::SavedState*) const /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:327:43
    #4 0x7f9abaebadcb in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4884:12
    #5 0x7f9abaeba196 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4455:12
    #6 0x7f9abaeb5fb0 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4213:9
    #7 0x7f9abaeb2840 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3185:5
    #8 0x7f9abaead94f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2719:7
    #9 0x7f9abaeaa0dd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1376:3
    #10 0x7f9abaee0770 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #11 0x7f9abaecf517 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:789:7
    #12 0x7f9abaee0770 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #13 0x7f9abaf19eb6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:757:3
    #14 0x7f9abaf1a949 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #15 0x7f9abaf1e947 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1279:3
    #16 0x7f9abaee0bc8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
    #17 0x7f9abaea1dbb in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:337:7
    #18 0x7f9abadaad96 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9667:11
    #19 0x7f9abadb448e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9840:24
    #20 0x7f9abadb3a54 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4246:11
    #21 0x7f9abad7cf39 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1412:5
    #22 0x7f9abad7cf39 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2199:20
    #23 0x7f9abad84a71 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:356:13
    #24 0x7f9abad84a71 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:335:7
    #25 0x7f9abad8495c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:350:5
    #26 0x7f9abad83f08 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:798:5
    #27 0x7f9abad83f08 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:721:16
    #28 0x7f9abad83810 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:623:7
    #29 0x7f9abad83289 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:544:9
    #30 0x7f9aba5928d6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:69:15
    #31 0x7f9ab7392cb0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #32 0x7f9ab713d1ac in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6256:32
    #33 0x7f9ab6e0144e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #34 0x7f9ab6dfda4d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #35 0x7f9ab6dfeef6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #36 0x7f9ab6dffc3b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #37 0x7f9ab64ea14f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:452:16
    #38 0x7f9ab64e87ba in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:722:26
    #39 0x7f9ab64e7864 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:581:15
    #40 0x7f9ab64e7a17 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:375:36
    #41 0x7f9ab64eda99 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:125:37
    #42 0x7f9ab64eda99 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #43 0x7f9ab64fefc7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1196:14
    #44 0x7f9ab650506a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:526:10
    #45 0x7f9ab6e06cd4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #46 0x7f9ab6d734e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #47 0x7f9ab6d733fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #48 0x7f9ab6d733fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #49 0x7f9abaad8278 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #50 0x7f9abc2d15d3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #51 0x7f9ab6e07c09 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #52 0x7f9ab6d734e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #53 0x7f9ab6d733fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #54 0x7f9ab6d733fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #55 0x7f9abc2d11b8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:732:34
    #56 0x558ddf4a9a67 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #57 0x558ddf4a9a67 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #58 0x7f9acbdbc0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #59 0x558ddf487819 in _start (/home/worker/builds/m-c-20201203094726-fuzzing-debug/firefox-bin+0x14819)
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201210155912-7a6d6b986a1e.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 61ec58edfd13861591d5cd4b6387de92b35f23e3 (20191213040758)
End: 7b5facb4df3a77bd60d21045be212161c91cea12 (20201210034702)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The testcase includes some huge dimension values; we're probably overflowing nscoord arithmetic somewhere. This looks pretty harmless; it'll just not find any relevant bands AFAICS.

It'd be good to avoid the assertion, though, so it doesn't trip the fuzzer unnecessarily. Maybe we can/should clamp values somewhere earlier.
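Added illustration of the failure mode suspected in the comment above (example code, not Gecko's nsFloatManager code): a band's block end is computed as start plus size, and when the 32-bit nscoord sum wraps, the end lands below the start and the `aBStart <= aBEnd` invariant fails. The saturating variant shows the "clamp earlier" fix. The nscoord limits are assumed from Gecko's nsCoord.h; the band values are constructed.

```cpp
#include <cstdint>

// Assumed to match Gecko's nsCoord.h: nscoord is a 32-bit app-unit type with
// a range narrower than int32_t. Values here are an assumption for illustration.
typedef int32_t nscoord;
const nscoord nscoord_MAX = (1 << 30) - 1;
const nscoord nscoord_MIN = -nscoord_MAX;

// A float's band in the block axis; the assertion in the report checks bStart <= bEnd.
struct Band {
  nscoord bStart;
  nscoord bEnd;
};

// Models unchecked nscoord addition. The wrap is done in unsigned arithmetic so it
// is well-defined here; the final narrowing conversion wraps modulo 2^32 on GCC/Clang.
nscoord WrappingAdd(nscoord a, nscoord b) {
  uint32_t sum = static_cast<uint32_t>(a) + static_cast<uint32_t>(b);
  return static_cast<nscoord>(sum);
}

// Clamp a wide intermediate into the nscoord range instead of letting it wrap.
nscoord ClampCoord(int64_t v) {
  if (v > nscoord_MAX) return nscoord_MAX;
  if (v < nscoord_MIN) return nscoord_MIN;
  return static_cast<nscoord>(v);
}

nscoord SaturatingAdd(nscoord a, nscoord b) {
  return ClampCoord(static_cast<int64_t>(a) + static_cast<int64_t>(b));
}

// Unchecked: huge start + huge size wraps and bEnd ends up below bStart.
Band MakeBandWrapping(nscoord start, nscoord size) {
  return {start, WrappingAdd(start, size)};
}

// Clamped: the input is clamped first (the "clamp earlier" idea), then the sum
// saturates, so bStart <= bEnd holds for any non-negative size.
Band MakeBandSaturating(nscoord start, nscoord size) {
  nscoord s = ClampCoord(start);
  return {s, SaturatingAdd(s, size)};
}

bool BandIsWellFormed(const Band& b) { return b.bStart <= b.bEnd; }
```

With constructed inputs of 2000000000 for both start and size, the wrapping band gets a negative bEnd (-294967296) while the clamped band collapses to an empty but well-formed band at nscoord_MAX, which is the "no relevant bands" outcome the comment describes.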

Severity: -- → S4
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm]

Bugmon Analysis:
The bug appears to have been fixed in the following build range:

Start: 25721bcfc1d77d0d7de7ec03a17c6868c2222d83 (20210112100519)
End: 6da943baaccf738a40f52a3c481801668371d34c (20210112100619)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=25721bcfc1d77d0d7de7ec03a17c6868c2222d83&tochange=6da943baaccf738a40f52a3c481801668371d34c
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE