Open Bug 1699195 Opened 3 years ago Updated 4 months ago

Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4723

Categories

(Core :: Layout: Grid, defect)

Tracking Status
firefox88 --- affected

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 9ad67cd4d216 (built with --enable-debug).

Assertion failure: cursorMajor <= gridMajorEnd (we shouldn't need to place items further than 1 track past the current end of the grid, in major dimension), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4723

    #0 0x7f40087aeb22 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4721:11
    #1 0x7f40087abc5e in nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4454:3
    #2 0x7f40087ad983 in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4834:14
    #3 0x7f40087c9b09 in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9183:10
    #4 0x7f40087ca015 in nsGridContainerFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9235:29
    #5 0x7f400874ab49 in ShrinkWidthToFit /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6368:22
    #6 0x7f400874ab49 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:994:11
    #7 0x7f4008756b54 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6038:7
    #8 0x7f40086f42c5 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:1693:26
    #9 0x7f40086f02f0 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2293:7
    #10 0x7f40086eca9a in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:357:3
    #11 0x7f40086ed462 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:217:5
    #12 0x7f400870c3fe in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:795:15
    #13 0x7f400870ab84 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #14 0x7f40087c243e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8443:37
    #15 0x7f40087c308d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8617:11
    #16 0x7f400870c63b in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:812:14
    #17 0x7f400870ab84 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #18 0x7f40087c243e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8443:37
    #19 0x7f40087c308d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8617:11
    #20 0x7f400870c63b in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:812:14
    #21 0x7f400870ab84 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
    #22 0x7f40087e1a03 in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6563:24
    #23 0x7f4008767eaa in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6530:3
    #24 0x7f4008739ba5 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:911:3
    #25 0x7f400874b000 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1078:14
    #26 0x7f4008785be5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #27 0x7f4008786729 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
    #28 0x7f400878ac46 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1301:3
    #29 0x7f400874b458 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1118:14
    #30 0x7f4008709fb7 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:372:7
    #31 0x7f4008616240 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9610:11
    #32 0x7f400861fffe in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9783:24
    #33 0x7f400861f509 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4255:11
    #34 0x7f400868dd11 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1402:5
    #35 0x7f400868dd11 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:965:16
    #36 0x7f400965911f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6555:20
    #37 0x7f4009658af2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5910:7
    #38 0x7f4009659a3f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #39 0x7f4004ecd09c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1332:3
    #40 0x7f4004ecc64a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:938:14
    #41 0x7f4004ecab97 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
    #42 0x7f4004ecbacd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #43 0x7f4004ecc26c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #44 0x7f4003e10f36 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:616:22
    #45 0x7f4003e12443 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:523:10
    #46 0x7f400589a691 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11095:18
    #47 0x7f4005879170 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11025:9
    #48 0x7f40085814f5 in UnblockOnload /builds/worker/checkouts/gecko/layout/style/Loader.cpp:2267:16
    #49 0x7f40085814f5 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:459:12
    #50 0x7f400858166c in AfterProcessNextEvent /builds/worker/checkouts/gecko/layout/style/Loader.cpp:428:3
    #51 0x7f400858166c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/layout/style/Loader.cpp
    #52 0x7f4003c814f8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1182:3
    #53 0x7f4003c87c8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #54 0x7f40045b0d26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #55 0x7f400451be03 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #56 0x7f400451bd1d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #57 0x7f400451bd1d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #58 0x7f4008331b18 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #59 0x7f4009b8fac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #60 0x7f40045b1c0c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #61 0x7f400451be03 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #62 0x7f400451bd1d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #63 0x7f400451bd1d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #64 0x7f4009b8f698 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #65 0x563030021fb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #66 0x563030021fb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #67 0x7f4018d6d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210317212527-4d4bc56f77a1.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: c63d5667aa2cd56657b55269769628ad813f40d4 (20200319035334)
End: 7ed193fb34e39d12d6a1dd9a88aab03e2fff786c (20210317083359)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowInFlowChild ]
Keywords: crash
Severity: -- → S3
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowInFlowChild ] → [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowInFlowChild ] [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::operator[] | nsGridContainerFrame::LineRange::ToPositionAndLength ]

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20221224090645-dfbd00b278b0) but not with tip (mozilla-central 20231222213932-8989af6649bf.)

The bug appears to have been fixed in the following build range:

Start: a63bafb44df0811c56c57b1fadd1c10261fd8c3e (20231219233048)
End: 9ac6d461916454c17cd8c7dfc7f73401ef3da12a (20231220020601)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a63bafb44df0811c56c57b1fadd1c10261fd8c3e&tochange=9ac6d461916454c17cd8c7dfc7f73401ef3da12a

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

:dholbert, can you confirm if this was fixed via bug 1800563 or bug 1870906?

Flags: needinfo?(jkratzer) → needinfo?(dholbert)