1683675 - Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:410

Status: NEW

(Core :: Layout: Grid, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 8d8d3ecf368f (built with --enable-debug).

Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:410

    #0 0x7f614a868e18 in Extent /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:410:7
    #1 0x7f614a868e18 in nsGridContainerFrame::Grid::PlaceAutoAutoInRowOrder(unsigned int, unsigned int, nsGridContainerFrame::GridArea*, unsigned int, unsigned int) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4301:43
    #2 0x7f614a86aeb2 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4713:11
    #3 0x7f614a86954e in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4455:3
    #4 0x7f614a86b243 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4838:14
    #5 0x7f614a87fe9d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8528:12
    #6 0x7f614a7ccbc1 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:761:14
    #7 0x7f614a7cb204 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #8 0x7f614a87f85e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8458:37
    #9 0x7f614a8804ad in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8632:11
    #10 0x7f614a7ccbc1 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:761:14
    #11 0x7f614a7cb204 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #12 0x7f614a87f85e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8458:37
    #13 0x7f614a8804ad in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8632:11
    #14 0x7f614a7ccbc1 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:761:14
    #15 0x7f614a7cb204 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #16 0x7f614a7caca5 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:380:35
    #17 0x7f614a6d16cb in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9687:11
    #18 0x7f614a6dae2e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9860:24
    #19 0x7f614a6da3f4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4249:11
    #20 0x7f614a6a3b59 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1421:5
    #21 0x7f614a6a3b59 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2205:20
    #22 0x7f614a6ab5e1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
    #23 0x7f614a6ab5e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
    #24 0x7f614a6ab4cc in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
    #25 0x7f614a6aaa78 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
    #26 0x7f614a6aaa78 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
    #27 0x7f614a6aa390 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
    #28 0x7f614a6a9e09 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
    #29 0x7f6149eb58c6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:69:15
    #30 0x7f6146cacc10 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #31 0x7f6146a575cc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
    #32 0x7f6146715cfe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #33 0x7f61467122fd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #34 0x7f61467137a6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #35 0x7f61467144eb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #36 0x7f6145df919f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #37 0x7f6145df779a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #38 0x7f6145df6844 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #39 0x7f6145df69f7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #40 0x7f6145dfca46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #41 0x7f6145dfca46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #42 0x7f6145e0e035 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #43 0x7f6145e140ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #44 0x7f614671b5d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #45 0x7f6146687a93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #46 0x7f61466879ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #47 0x7f61466879ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #48 0x7f614a3fe458 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #49 0x7f614bc06033 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #50 0x7f614671c4b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #51 0x7f6146687a93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #52 0x7f61466879ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #53 0x7f61466879ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #54 0x7f614bc05c18 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #55 0x5570685ebe07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #56 0x5570685ebe07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #57 0x7f615b2a70b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201221093813-8d8d3ecf368f.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6d2e33d632e7d209b99ec48e6d34e2c39adeae10 (20191223162752)
End: 8d8d3ecf368ff94d44fe2a0bd07a2729b50c4cf8 (20201221093813)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 2

[Mayank Bansal]

Got a crash from the testcase on my Wintel x64 nightly :
https://crash-stats.mozilla.org/report/index/88cf5469-a7e1-4260-9b7a-8eb560201221

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Seems subgrid related, crashes a release build too. Mats can you look?

Comment 4

[Daniel Holbert [:dholbert]]

I just tested this in release 95 (out-of-date) and then 98 (up-to-date); it still crashes, though with a slightly different signature from what we've got here.

My crash reports are:
bp-d071bfdc-4fcf-43da-a14f-cb4f50220319
bp-f730fed2-dbd2-4787-9e16-4f8a40220319
[@ mozilla::detail::InvalidArrayIndex_CRASH | nsGridContainerFrame::GridReflowInput::PercentageBasisFor]

Comment 5

[Daniel Holbert [:dholbert]]

With that crash-signature-update, I'm still only seeing 3 crashes (all mine from today) with this signature, in the past year. (And 0 crashes with the other signature that we had set here, the one without mozilla::detail.)

So, users aren't actually hitting this in-the-wild, so dropping to S3.

Comment 7

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Jason Kratzer [:jkratzer]]

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Comment 9

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20220723091444-f69015bf0e0a) but not with tip (mozilla-central 20230721193917-f691cde9edaf.)

The bug appears to have been fixed in the following build range:

Start: 45769d7ff3c64d7abfcfedd8f05bb7dcb442270c (20230622214511)
End: 096fdcd3868552d94f9918381ec8b49735d231c3 (20230622092058)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=45769d7ff3c64d7abfcfedd8f05bb7dcb442270c&tochange=096fdcd3868552d94f9918381ec8b49735d231c3

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Although the original testcase no longer triggers the issue, the fuzzers are still reporting it. I've attached a new testcase that triggers the original issue.