Closed Bug 1700789 Opened 4 years ago Closed 7 months ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at src/layout/forms/nsListControlFrame.cpp:338

Categories

(Core :: Layout: Form Controls, defect)

RESOLVED DUPLICATE of bug 1410243
Tracking Status
firefox88 --- affected
firefox89 --- affected

People

(Reporter: tsmith, Assigned: emilio, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210214-fb5a1a49ca4a (--enable-debug --enable-fuzzing)

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at src/layout/forms/nsListControlFrame.cpp:338

#0 0x7fdaf62ad8ea in nsListControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/forms/nsListControlFrame.cpp:338:3
#1 0x7fdaf61594c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1078:14
#2 0x7fdaf61c9d78 in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:7307:3
#3 0x7fdaf61cfb7f in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:8400:7
#4 0x7fdaf61d0e0d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:8620:11
#5 0x7fdaf6130c6c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:288:11
#6 0x7fdaf612c639 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3854:11
#7 0x7fdaf612a286 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3187:5
#8 0x7fdaf612586c in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:3012:11
#9 0x7fdaf612159e in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1375:3
#10 0x7fdaf61594c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1078:14
#11 0x7fdaf614980f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:692:7
#12 0x7fdaf614b9a7 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:403:37
#13 0x7fdaf614b9a7 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1234:37
#14 0x7fdaf6130c6c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:288:11
#15 0x7fdaf612c639 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3854:11
#16 0x7fdaf612a286 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3187:5
#17 0x7fdaf6124fd7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2724:7
#18 0x7fdaf612159e in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1375:3
#19 0x7fdaf611b094 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:761:14
#20 0x7fdaf61195e4 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
#21 0x7fdaf6119026 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:415:35
#22 0x7fdaf6024e70 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9644:11
#23 0x7fdaf602ea0e in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9817:24
#24 0x7fdaf602dfb4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4258:11
#25 0x7fdaf5ff6a69 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1422:5
#26 0x7fdaf5ff6a69 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2229:20
#27 0x7fdaf5ffe691 in TickDriver src/layout/base/nsRefreshDriver.cpp:357:13
#28 0x7fdaf5ffe691 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:336:7
#29 0x7fdaf5ffe56f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:351:5
#30 0x7fdaf5ffdb18 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:799:5
#31 0x7fdaf5ffdb18 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:722:16
#32 0x7fdaf5ffd430 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:624:7
#33 0x7fdaf5ffcea9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:545:9
#34 0x7fdaf57e3f26 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#35 0x7fdaf2528490 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#36 0x7fdaf22be01c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6243:32
#37 0x7fdaf1f7865e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
#38 0x7fdaf1f74bdd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
#39 0x7fdaf1f76086 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
#40 0x7fdaf1f76dcb in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
#41 0x7fdaf164c30f in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#42 0x7fdaf164a886 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:753:26
#43 0x7fdaf16496e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#44 0x7fdaf1649897 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#45 0x7fdaf1650199 in operator() src/xpcom/threads/TaskController.cpp:136:37
#46 0x7fdaf1650199 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#47 0x7fdaf1661617 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#48 0x7fdaf1667a6a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#49 0x7fdaf1f7def4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
#50 0x7fdaf1ee9563 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#51 0x7fdaf1ee947d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#52 0x7fdaf1ee947d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#53 0x7fdaf5d48858 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#54 0x7fdaf75895d3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#55 0x7fdaf1f7ee2c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#56 0x7fdaf1ee9563 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#57 0x7fdaf1ee947d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#58 0x7fdaf1ee947d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#59 0x7fdaf75891a8 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#60 0x561570934f86 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#61 0x561570934f86 in main src/browser/app/nsBrowserApp.cpp:306:18
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/lBcx48QXZCuR1FsVuIB05Q/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210324160546-3afbfb073c46.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 85bae8580dde1e86c3d11582474ff4af9f92b768 (20200326040415)
End: fb5a1a49ca4a4681b91a545ce49bbb7ca15bbe8c (20210214094209)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:bisected,confirmed]

So nsGridContainerFrame::ReflowChildren has a for loop, and in the loop we repeatedly call ReflowInFlowChild with aStatus. That's the reason for the assertion. I am assuming it's harmless. CCing Mats just in case.

Severity: -- → S3
Assignee: nobody → emilio
Status: NEW → ASSIGNED
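
Added illustration (not part of the bug report and not Gecko code): a toy model of the pattern described in the comment above, where a loop passes one status object to every child while each child expects a fresh one. ReflowStatus, Child, ReflowChild and the per-child merge variant are hypothetical simplifications; the page does not show the patch that landed.

```cpp
#include <vector>

// Toy stand-in for a reflow status (hypothetical, not Gecko's class).
struct ReflowStatus {
  bool incomplete = false;
  bool IsEmpty() const { return !incomplete; }
  void MergeFrom(const ReflowStatus& child) { incomplete |= child.incomplete; }
};

struct Child { bool fits; };  // whether the child fits in the available space

// Counts precondition violations instead of aborting, so both loops can run.
static int gStaleStatusCount = 0;

// Child reflow: expects a fresh status, like the asserting frame in the report.
void ReflowChild(const Child& c, ReflowStatus& status) {
  if (!status.IsEmpty()) ++gStaleStatusCount;  // a debug build would assert here
  if (!c.fits) status.incomplete = true;
}

// Pattern described in the comment: one status object handed to every child.
ReflowStatus ReflowChildrenShared(const std::vector<Child>& kids) {
  ReflowStatus status;
  for (const Child& k : kids) ReflowChild(k, status);
  return status;
}

// Alternative: a fresh status per child, merged into the parent's afterwards.
ReflowStatus ReflowChildrenFresh(const std::vector<Child>& kids) {
  ReflowStatus status;
  for (const Child& k : kids) {
    ReflowStatus childStatus;
    ReflowChild(k, childStatus);
    status.MergeFrom(childStatus);
  }
  return status;
}

// Number of children that received a non-empty status under each strategy.
int CountStale(bool shared, const std::vector<Child>& kids) {
  gStaleStatusCount = 0;
  if (shared) ReflowChildrenShared(kids); else ReflowChildrenFresh(kids);
  return gStaleStatusCount;
}

// Constructed sample: the first child does not fit, the next two do.
std::vector<Child> SampleChildren() { return {{false}, {true}, {true}}; }

int main() { return CountStale(true, SampleChildren()) == 2 ? 0 : 1; }
```

Both loops report the same accumulated result for the parent; only the shared-status loop hands later children a status that an earlier sibling already wrote to.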

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Sorry, bug in the bot.

Flags: needinfo?(emilio)

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20230513092159-d36ba840f6ab) but not with tip (mozilla-central 20240511090435-d2559b875116).

The bug appears to have been fixed in the following build range:

Start: 4b196ac64ccbf1061ee2c2835e31fe8b071b9099 (20240419144808)
End: 5c89fd8ba4e0909981732b7880bbb7984eb8cb0b (20240419160912)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4b196ac64ccbf1061ee2c2835e31fe8b071b9099&tochange=5c89fd8ba4e0909981732b7880bbb7984eb8cb0b

emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(emilio)
Keywords: bugmon

Yeah, so bug 1410243 basically landed my proposed patch, so it also fixed this.

But Daniel, I think Mats' comment in https://phabricator.services.mozilla.com/D116045#3803914 is still relevant. If you think so, mind filing a follow-up bug for this?

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1410243
Flags: needinfo?(emilio) → needinfo?(dholbert)
Resolution: --- → DUPLICATE
See Also: → 1901041