1700259 - Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:37

Status: RESOLVED DUPLICATE of bug 1753105

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210212-6f7e9ff0c23e (--enable-debug --enable-fuzzing)

Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:37

#0 0x7fdc566597f7 in mozilla::SVGTextFrame::TransformFramePointToTextChild(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsIFrame const*) src/layout/svg/SVGTextFrame.cpp
#1 0x7fdc563c11e3 in nsLayoutUtils::TransformAncestorPointToFrame(mozilla::RelativeTo, nsPoint const&, mozilla::RelativeTo) src/layout/base/nsLayoutUtils.cpp:2504:20
#2 0x7fdc563bd272 in TransformRootPointToFrame src/layout/base/nsLayoutUtils.h:1017:12
#3 0x7fdc563bd272 in GetEventCoordinatesRelativeTo(nsIWidget*, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel> const&, mozilla::RelativeTo) src/layout/base/nsLayoutUtils.cpp:1716:12
#4 0x7fdc563bce22 in nsLayoutUtils::GetEventCoordinatesRelativeTo(nsIWidget*, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel> const&, mozilla::RelativeTo) src/layout/base/nsLayoutUtils.cpp:1728:20
#5 0x7fdc563bcd79 in GetEventCoordinatesRelativeTo src/layout/base/nsLayoutUtils.cpp:1654:10
#6 0x7fdc563bcd79 in nsLayoutUtils::GetEventCoordinatesRelativeTo(mozilla::WidgetEvent const*, mozilla::RelativeTo) src/layout/base/nsLayoutUtils.cpp:1638:10
#7 0x7fdc54c6d5a0 in mozilla::EventStateManager::UpdateCursor(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*) src/dom/events/EventStateManager.cpp:3974:18
#8 0x7fdc54c6b243 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:694:7
#9 0x7fdc56346dc6 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) src/layout/base/PresShell.cpp:8233:39
#10 0x7fdc563414c6 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:8202:17
#11 0x7fdc56340d55 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) src/layout/base/PresShell.cpp:7113:30
#12 0x7fdc5633f912 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6916:12
#13 0x7fdc5633f132 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6841:23
#14 0x7fdc55ffb4c2 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:704:18
#15 0x7fdc55ffb1f8 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1133:9
#16 0x7fdc56034791 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:379:37
#17 0x7fdc5302277d in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:483:21
#18 0x7fdc55afb258 in DispatchWidgetEventViaAPZ src/dom/ipc/BrowserChild.cpp:1721:10
#19 0x7fdc55afb258 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1660:3
#20 0x7fdc55afc604 in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1627:3
#21 0x7fdc55afc769 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1592:8
#22 0x7fdc5299638c in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5333:56
#23 0x7fdc524013dc in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8701:32
#24 0x7fdc52276a4e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
#25 0x7fdc5227300d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
#26 0x7fdc522744b6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
#27 0x7fdc522751fb in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
#28 0x7fdc519452ff in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#29 0x7fdc51943870 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#30 0x7fdc51942634 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#31 0x7fdc519427e7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#32 0x7fdc51949189 in operator() src/xpcom/threads/TaskController.cpp:136:37
#33 0x7fdc51949189 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#34 0x7fdc5195a607 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#35 0x7fdc51960c5a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#36 0x7fdc5227c2e4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
#37 0x7fdc521e7783 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#38 0x7fdc521e769d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#39 0x7fdc521e769d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#40 0x7fdc5604a528 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#41 0x7fdc57899ab3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#42 0x7fdc5227d21c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#43 0x7fdc521e7783 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#44 0x7fdc521e769d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#45 0x7fdc521e769d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#46 0x7fdc57899688 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#47 0x557a07240fa6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#48 0x557a07240fa6 in main src/browser/app/nsBrowserApp.cpp:309:18

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/G1brl_sO24PGiegUvlzz8A/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210323053948-2434210a7824.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 3d04f05b260424d489076cd74d4dd6cc13c3d02f (20200324030323)
End: 6f7e9ff0c23e3844b46ca31481027d5c29040638 (20210212215152)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210212215152-6f7e9ff0c23e) but not with tip (mozilla-central 20220211164352-46048399bf0f.)
The bug appears to have been fixed in the following build range:

Start: dc3b64f069d453b689a3732479bcaa25de890b77 (20220204222451)
End: e240dde296a870934ff76c8c01d13f6b79ac6bf9 (20220205091402)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=dc3b64f069d453b689a3732479bcaa25de890b77&tochange=e240dde296a870934ff76c8c01d13f6b79ac6bf9
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.