Closed Bug 1682929 Opened 4 years ago Closed 2 years ago

Assertion failure: aComputedISize >= 0 (Invalid computed inline-size!), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:281

Categories

(Core :: Layout, defect)


Tracking


RESOLVED DUPLICATE of bug 1463977
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fix-optional

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete) —

Testcase found while fuzzing mozilla-central rev 5e25722bcc7c (built with --enable-debug).

Assertion failure: aComputedISize >= 0 (Invalid computed inline-size!), at /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:281

    #0 0x7fb2a8f4d6e5 in mozilla::ReflowInput::SetComputedISize(int) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:281:3
    #1 0x7fb2a8fc4359 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4999:30
    #2 0x7fb2a8fc2bca in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4430:5
    #3 0x7fb2a8fa8f70 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #4 0x7fb2a8fbb1b5 in nsFlexContainerFrame::MeasureAscentAndBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1915:3
    #5 0x7fb2a8fc22c5 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4305:7
    #6 0x7fb2a8fc43a8 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5008:9
    #7 0x7fb2a8fc2bca in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4430:5
    #8 0x7fb2a8fa8f70 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #9 0x7fb2a8f97a45 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:789:7
    #10 0x7fb2a8fa8f70 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
    #11 0x7fb2a8fe2ec5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #12 0x7fb2a8fe39a9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
    #13 0x7fb2a8fe7987 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1280:3
    #14 0x7fb2a8fa93c8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
    #15 0x7fb2a8f6945d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:337:7
    #16 0x7fb2a8e704eb in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9676:11
    #17 0x7fb2a8e79bee in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9849:24
    #18 0x7fb2a8e791b4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4248:11
    #19 0x7fb2a8e42999 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1412:5
    #20 0x7fb2a8e42999 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2205:20
    #21 0x7fb2a8e4a421 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
    #22 0x7fb2a8e4a421 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
    #23 0x7fb2a8e4a30c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
    #24 0x7fb2a8e498b8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
    #25 0x7fb2a8e498b8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
    #26 0x7fb2a8e491d0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
    #27 0x7fb2a8e48c49 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
    #28 0x7fb2a865707f in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:69:15
    #29 0x7fb2a544f6e0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #30 0x7fb2a51f9aac in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
    #31 0x7fb2a4ebdbee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #32 0x7fb2a4eba1ed in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #33 0x7fb2a4ebb696 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #34 0x7fb2a4ebc3db in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #35 0x7fb2a45a215f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #36 0x7fb2a45a075a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #37 0x7fb2a459f804 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #38 0x7fb2a459f9b7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #39 0x7fb2a45a5a06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #40 0x7fb2a45a5a06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #41 0x7fb2a45b6ff5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #42 0x7fb2a45bd0aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #43 0x7fb2a4ec34c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #44 0x7fb2a4e2f9b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #45 0x7fb2a4e2f8cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #46 0x7fb2a4e2f8cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #47 0x7fb2a8b9d968 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #48 0x7fb2aa3a3ac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #49 0x7fb2a4ec43a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #50 0x7fb2a4e2f9b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #51 0x7fb2a4e2f8cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #52 0x7fb2a4e2f8cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #53 0x7fb2aa3a36a8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #54 0x55fb85d52e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #55 0x55fb85d52e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #56 0x7fb2b91ce0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201216214834-5feb91adec85.
The bug appears to have been introduced in the following build range:

Start: c644dd16e2ccf8bb78268202f60c767a569d9d77 (20200326213652)
End: 33869dd6c77528e912a1b59d3db38723ba0d0c0d (20200326164936)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=c644dd16e2ccf8bb78268202f60c767a569d9d77&tochange=33869dd6c77528e912a1b59d3db38723ba0d0c0d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

May be introduced by:
Bug 1624080 - Simplify the implementation of HasAuthorSpecifiedRules.

Severity: -- → S3
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Even though this particular test-case is regressed by bug 1624080, this
is really a pre-existing bug.

The reason why we didn't crash before that bug is that we were
incorrectly not accounting for logical border-radius properties (like
border-end-end-radius) in has_author_specified_rules, which caused us to
not disable native appearance. This in turn ended up fixing up our value
returned from AddIntrinsicSizeOffset, which covered the bug.

Use saturating math properly to prevent returning negative sizes
incorrectly from that function, which causes deeper bugs down the
pipeline.

Given the crashtest relies on our particular nscoord representation it
doesn't seem to be worth putting in WPT, but let me know if you
disagree.
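
To make the failure mode in the comment above concrete, here is an added C++ model of the difference between wrapping and saturating addition on a 32-bit layout coordinate. It is example code written for this page, not Gecko's own `nscoord`, `AddIntrinsicSizeOffset` or the landed patch: the `nscoord` alias, the `kMaxCoord`/`kMinCoord` limits (Gecko's real `nscoord_MAX` is defined separately) and the `AddIntrinsicSizeOffset*` functions are simplified stand-ins. The wrapping variant shows how an oversized intrinsic size plus border/padding can come back negative and trip an `aComputedISize >= 0` style check; the saturating variant clamps instead.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for Gecko's nscoord (app units in a 32-bit int).
// The type alias and limits are assumptions for this example, not Gecko's.
using nscoord = int32_t;
constexpr nscoord kMaxCoord = std::numeric_limits<nscoord>::max();
constexpr nscoord kMinCoord = std::numeric_limits<nscoord>::min();

// Wrapping addition, modelling non-saturating arithmetic: a large size plus
// an offset wraps around and changes sign. The sum is done through uint32_t
// so the demonstration itself is not signed-overflow undefined behaviour.
nscoord WrappingAdd(nscoord a, nscoord b) {
  return static_cast<nscoord>(static_cast<uint32_t>(a) +
                              static_cast<uint32_t>(b));
}

// Saturating addition: compute in 64 bits, then clamp into the nscoord
// range, so the result can never flip sign on overflow.
nscoord SaturatingAdd(nscoord a, nscoord b) {
  const int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
  return static_cast<nscoord>(std::clamp<int64_t>(sum, kMinCoord, kMaxCoord));
}

// Simplified model (not the Gecko function) of adding border/padding and
// margin offsets onto an intrinsic content size, in the two arithmetic styles.
nscoord AddIntrinsicSizeOffsetWrapping(nscoord content, nscoord borderPadding,
                                       nscoord margin) {
  return WrappingAdd(WrappingAdd(content, borderPadding), margin);
}

nscoord AddIntrinsicSizeOffsetSaturating(nscoord content, nscoord borderPadding,
                                         nscoord margin) {
  return SaturatingAdd(SaturatingAdd(content, borderPadding), margin);
}

// The invariant that the assertion in ReflowInput::SetComputedISize enforces:
// a computed inline-size must never be negative.
bool IsValidComputedISize(nscoord computedISize) { return computedISize >= 0; }

int main() {
  // Constructed input: content already at the coordinate limit, plus 1 app
  // unit of border/padding. Wrapping yields a negative size; saturating does not.
  const nscoord wrapped = AddIntrinsicSizeOffsetWrapping(kMaxCoord, 1, 0);
  const nscoord saturated = AddIntrinsicSizeOffsetSaturating(kMaxCoord, 1, 0);
  std::printf("wrapping:   %d (valid=%d)\n", wrapped, IsValidComputedISize(wrapped));
  std::printf("saturating: %d (valid=%d)\n", saturated, IsValidComputedISize(saturated));
  return 0;
}
```

The clamp in `SaturatingAdd` is the whole point: once every intermediate in the size computation saturates rather than wraps, a later consumer such as the flex layout in the stack above can rely on the `>= 0` invariant instead of asserting on it.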

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e514b3f35198 Properly prevent overflow from nsLayoutUtils::AddIntrinsicSizeOffset. r=hiro

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Regressed by: 1624080
Has Regression Range: --- → yes

Note: this is effectively a dupe of bug 1502094 (just as bug 1682575 is a dupe of bug 1463977), because the assertion text changed on Dec 15th 2020 (around when this bug was filed) with s/Width/ISize/ and s/Height/BSize/.

(I'll dupe bug 1502094 forward to this bug, since there's been patch-writing activity here on this bug & not on its older version; so there's more useful history to preserve here for when this can be eventually closed as fixed.)

See Also: → 1463977
Flags: needinfo?(emilio)

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 954440d77ac4698cadc5906af95ceac5495188b8 (20210126061141)
End: 6316c4e1f46eae2ce81e9c9375d69c6d6a692e5a (20210126063550)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=954440d77ac4698cadc5906af95ceac5495188b8&tochange=6316c4e1f46eae2ce81e9c9375d69c6d6a692e5a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:tylin, is it possible that bug 1686603 fixes this?

Flags: needinfo?(aethanyc)

(In reply to Jason Kratzer [:jkratzer] from comment #10)

> :tylin, is it possible that bug 1686603 fixes this?

I doubt bug 1686603 fixed the testcase. When I load the testcase in my local debug build, I still see the following assertions.

[Child 198916, Main Thread] ###!!! ASSERTION: inline-size less than zero: 'result >= 0', file /home/aethanyc/Projects/gecko/layout/generic/nsIFrame.cpp:6557
[Child 198916, Main Thread] ###!!! ASSERTION: inline-size less than zero: 'result >= 0', file /home/aethanyc/Projects/gecko/layout/generic/nsIFrame.cpp:6550
...
[Child 198916, Main Thread] ###!!! ASSERTION: reflow input computed incorrect inline size: 'reflowInput.ComputedISize() == size.ISize(wm) - reflowInput.ComputedLogicalBorderPadding(wm).IStartEnd(wm)', file /home/aethanyc/Projects/gecko/layout/base/PresShell.cpp:9656
[Child 198916, Main Thread] ###!!! ASSERTION: non-root frame's desired size changed during an incremental reflow: '(isRoot && size.BSize(wm) == NS_UNCONSTRAINEDSIZE) || (desiredSize.ISize(wm) == size.ISize(wm) && desiredSize.BSize(wm) == size.BSize(wm))', file /home/aethanyc/Projects/gecko/layout/base/PresShell.cpp:9675
[Child 198916, Main Thread] ###!!! ASSERTION: Scroll area should be inside client rect: 'r.width >= 0', file /home/aethanyc/Projects/gecko/layout/generic/nsGfxScrollFrame.cpp:6851

Does bugmon only verify the fix of the assertion in this bug? Does it look for other assertion signatures?

Flags: needinfo?(aethanyc) → needinfo?(jkratzer)

:tylin, Bugmon does not look at the signature at all but rather, only checks for the existence of a crash or fatal assertion. This is by design as the assertion or crash stack may change over time without fixing the underlying issue. However, it looks like we're still seeing this assertion in our fuzzing instances. I will attach a new testcase that continues to trigger the same assertion.

Flags: needinfo?(jkratzer)
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 659f053820bf (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 659f053820bf --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.zip
Attachment #9193580 - Attachment is obsolete: true
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

I've downgraded this assertion in bug 1463977 to NS_WARNING_ASSERTION, so this bug shouldn't block the fuzzer anymore.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
