1694794 - Assertion failure: aWM == GetWritingMode() (aWM should be the same as our writing mode!), at /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1530

Status: RESOLVED WORKSFORME

(Core :: Layout: Tables, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev b3eb91f0b5a7 (built with --enable-debug).

Assertion failure: aWM == GetWritingMode() (aWM should be the same as our writing mode!), at /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1530

    #0 0x7f9a89186f2b in nsTableFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1529:3
    #1 0x7f9a891a7656 in nsTableWrapperFrame::InnerTableShrinkWrapISize(gfxContext*, nsTableFrame*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) const /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:333:20
    #2 0x7f9a891a858a in nsTableWrapperFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:476:18
    #3 0x7f9a89007891 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6055:7
    #4 0x7f9a891a825a in nsTableWrapperFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:416:35
    #5 0x7f9a8927ffbb in nsMathMLSelectedFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/mathml/nsMathMLSelectedFrame.cpp:96:29
    #6 0x7f9a88fa0e81 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2346:19
    #7 0x7f9a88f9d9b5 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:358:3
    #8 0x7f9a88f9e391 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:218:5
    #9 0x7f9a890e5396 in void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&) /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:864:39
    #10 0x7f9a890e3950 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:820:23
    #11 0x7f9a88fd508f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4531:15
    #12 0x7f9a88fd45f6 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4333:5
    #13 0x7f9a88fd0210 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4218:9
    #14 0x7f9a88fcc7e0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3190:5
    #15 0x7f9a88fc75d7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2724:7
    #16 0x7f9a88fc3b9b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #17 0x7f9a88ffbd10 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1078:14
    #18 0x7f9a88fe9d59 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:817:7
    #19 0x7f9a88ffbd10 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1078:14
    #20 0x7f9a89036993 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #21 0x7f9a890374c9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
    #22 0x7f9a8903b586 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1301:3
    #23 0x7f9a88ffc168 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1118:14
    #24 0x7f9a88fbb00c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:372:7
    #25 0x7f9a88ec7010 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9648:11
    #26 0x7f9a88ed0c3e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9821:24
    #27 0x7f9a88ed0154 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4258:11
    #28 0x7f9a88e98b59 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1425:5
    #29 0x7f9a88e98b59 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2229:20
    #30 0x7f9a88ea0831 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
    #31 0x7f9a88ea0831 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
    #32 0x7f9a88ea070f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
    #33 0x7f9a88e9fcb8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
    #34 0x7f9a88e9fcb8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
    #35 0x7f9a88e9f5d0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
    #36 0x7f9a88e9f049 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
    #37 0x7f9a886836a6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #38 0x7f9a853c5da0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #39 0x7f9a8515b5fc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6243:32
    #40 0x7f9a84e15b5e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #41 0x7f9a84e1211d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #42 0x7f9a84e135c6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #43 0x7f9a84e1430b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #44 0x7f9a844e447f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #45 0x7f9a844e29f0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #46 0x7f9a844e17b4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #47 0x7f9a844e1967 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #48 0x7f9a844e8296 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #49 0x7f9a844e8296 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #50 0x7f9a844f9787 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
    #51 0x7f9a844ffdda in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #52 0x7f9a84e1b446 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #53 0x7f9a84d86893 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #54 0x7f9a84d867ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #55 0x7f9a84d867ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #56 0x7f9a88be7948 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #57 0x7f9a8a433e53 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #58 0x7f9a84e1c32c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #59 0x7f9a84d86893 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #60 0x7f9a84d867ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #61 0x7f9a84d867ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #62 0x7f9a8a433a28 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #63 0x55dd9dbf1fa6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #64 0x55dd9dbf1fa6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #65 0x7f9a995ba0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210226035547-b556a43111af.
The bug appears to have been introduced in the following build range:

Start: 640d8d3f3540386be847160f0e6c959e6e0d5e10 (20210219212535)
End: ffe056c7c496395708f643aeb00910622d689f64 (20210221094821)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=640d8d3f3540386be847160f0e6c959e6e0d5e10&tochange=ffe056c7c496395708f643aeb00910622d689f64

Comment 2

[Ting-Yu Lin [:TYLin] (PST, UTC-8)]

This assertion is added by bug 1693409.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1693409

Comment 4

[Ting-Yu Lin [:TYLin] (PST, UTC-8)]

The problem lies in nsMathMLSelectedFrame::ComputeSize(), which passes the aWM parameter from the caller directly to its child. If the child is a <table> and have a writing-mode other than aWM, the assertion fires.

The document of nsIFrame::ComputeSize() is clear about that aWM doesn't need to match the frame's writing-mode, so perhaps we shouldn't enforce the assertion in nsTableFrame::ComputeSize(). https://searchfox.org/mozilla-central/rev/26330a08b1f9d06938faa0aa5e0f8c7a58064aa2/layout/generic/nsIFrame.h#2730-2732

Comment 5

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210911095121-9cbf4fe3f852) but not with tip (mozilla-central 20220909212835-b84775bfccf2.)

The bug appears to have been fixed in the following build range:

Start: c50f1e4efd0c34d1d9bc3fec8876b22e9026fbf3 (20220906035332)
End: f8e8c96064386b2f3405adefc512f7fbc2808ff8 (20220906043616)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c50f1e4efd0c34d1d9bc3fec8876b22e9026fbf3&tochange=f8e8c96064386b2f3405adefc512f7fbc2808ff8

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[Jason Kratzer [:jkratzer]]

:fwang, can you confirm that this issue was fixed via bug 1588733?

Comment 7

[Frédéric Wang (:fredw)]

I can only reproduce the crash by forcing mathml.legacy_maction_and_semantics_implementation.disabled set to false. And the testcase indeed uses a <semantics> element. Also comment 4 mentioned nsMathMLSelectedFrame was indeed the culprit, but that class is no longer used with the new implementation of semantics done in bug 1588733.