Open Bug 1703567 Opened 3 years ago Updated 2 years ago

Assertion failure: aXOffset > 0 && aYOffset > 0 (must not pass nonpositives to CheckCorner), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1954

Categories

(Core :: Web Painting, defect, P3)

defect

Tracking

Tracking Status
firefox89 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 8f7e11867d56 (built with --enable-debug).

Assertion failure: aXOffset > 0 && aYOffset > 0 (must not pass nonpositives to CheckCorner), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1954

    #0 0x7fc271cc3e17 in CheckCorner(int, int, int, int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1953:3
    #1 0x7fc271cc3d4e in nsLayoutUtils::RoundedRectIntersectsRect(nsRect const&, int const*, nsRect const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1990:10
    #2 0x7fc2720727ca in RoundedBorderIntersectsRect(nsIFrame*, nsPoint const&, nsRect const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3801:10
    #3 0x7fc272075c21 in nsDisplayBackgroundColor::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4751:8
    #4 0x7fc27206ab63 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2730:13
    #5 0x7fc27208cee5 in nsDisplayEffectsBase::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9067:11
    #6 0x7fc27206ab63 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2730:13
    #7 0x7fc27206ab63 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2730:13
    #8 0x7fc27206ab63 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2730:13
    #9 0x7fc271cc7de6 in nsLayoutUtils::GetFramesForArea(mozilla::RelativeTo, nsRect const&, nsTArray<nsIFrame*>&, nsLayoutUtils::FrameForPointOptions const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2759:8
    #10 0x7fc26ef2a480 in void mozilla::dom::(anonymous namespace)::QueryNodesFromRect<nsINode>(mozilla::dom::DocumentOrShadowRoot&, nsRect const&, nsLayoutUtils::FrameForPointOptions, mozilla::dom::(anonymous namespace)::FlushLayout, mozilla::dom::(anonymous namespace)::Multiple, mozilla::ViewportType, nsTArray<RefPtr<nsINode> >&) /builds/worker/checkouts/gecko/dom/base/DocumentOrShadowRoot.cpp:399:3
    #11 0x7fc26ef2a27c in mozilla::dom::DocumentOrShadowRoot::NodesFromRect(float, float, float, float, float, float, bool, bool, bool, float, nsTArray<RefPtr<nsINode> >&) /builds/worker/checkouts/gecko/dom/base/DocumentOrShadowRoot.cpp:529:3
    #12 0x7fc26edbc539 in nsDOMWindowUtils::NodesFromRect(float, float, float, float, float, float, bool, bool, bool, float, nsINodeList**) /builds/worker/checkouts/gecko/dom/base/nsDOMWindowUtils.cpp:1420:8
    #13 0x7fc26d342ab5 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #14 0x7fc26e43377d in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #15 0x7fc26e43377d in CallMethodHelper::Call() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #16 0x7fc26e4334c7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #17 0x7fc26e434fe4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925:10
    #18 0x7fc2732efef0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #19 0x7fc2732ef65c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #20 0x7fc2732f0e59 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #21 0x7fc2732e5b25 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
    #22 0x7fc2732e5b25 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
    #23 0x7fc2732dd0e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #24 0x7fc2732ef679 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #25 0x7fc2732f0e59 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #26 0x7fc2732f107f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #27 0x7fc2738662db in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2856:10
    #28 0x7fc26fb9e67f in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:883:8
    #29 0x7fc26ee652da in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:782:12
    #30 0x7fc26ee64b02 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:795:12
    #31 0x7fc26ee64b02 in mozilla::dom::(anonymous namespace)::IdleDispatchRunnable::Run() /builds/worker/checkouts/gecko/dom/base/ChromeUtils.cpp:426:17
    #32 0x7fc26d325853 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:470:16
    #33 0x7fc26d300123 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:754:26
    #34 0x7fc26d2ff105 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:632:15
    #35 0x7fc26d2ff203 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:393:36
    #36 0x7fc26d3292f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #37 0x7fc26d3292f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #38 0x7fc26d3128f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #39 0x7fc26d31959a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #40 0x7fc26dc51bd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #41 0x7fc26dbbc923 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #42 0x7fc26dbbc83d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #43 0x7fc26dbbc83d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #44 0x7fc2719430f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #45 0x7fc2731bbd33 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #46 0x7fc26dc52abc in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #47 0x7fc26dbbc923 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #48 0x7fc26dbbc83d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #49 0x7fc26dbbc83d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #50 0x7fc2731bb90f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #51 0x55b89d65ffb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #52 0x55b89d65ffb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #53 0x7fc2821f90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210407094544-8f7e11867d56.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6663d3dc883b6ad0d0dfa9346f9ceabf2b2c7967 (20200408033650)
End: e06c2941cdfc56de10e6b4fdd0ddfaff800e6b56 (20210407031944)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Looks like an integer overflow during hit-testing.

Component: Layout → Web Painting
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino
Severity: -- → S3
Priority: -- → P3
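To make the overflow hypothesis in the comment above concrete, here is an added example that is not Gecko code and not part of this bug. It models the corner offsets a CheckCorner-style helper receives as the signed distance from a hit-test point to a rounded corner, in 32-bit app units (both the offset formula and the 32-bit coordinate type are assumptions for illustration). The naive version wraps on a huge coordinate and hands a negative offset to the check, which is exactly what the assertion on this page rejects; the hardened version uses checked subtraction and refuses to produce an offset the corner check cannot consume, so the caller treats the case as "no intersection" instead of asserting.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit app-unit coordinate (assumption, modelled on a signed int32). */
typedef int32_t coord_t;

/* Offsets that would be handed to a CheckCorner-style helper. */
typedef struct {
  bool valid;        /* false when the computation overflowed or an offset is nonpositive */
  coord_t x_offset;
  coord_t y_offset;
} corner_offsets;

/* Two's-complement wraparound via unsigned arithmetic, so the demo itself has no UB. */
static coord_t wrapping_sub(coord_t a, coord_t b) {
  return (coord_t)((uint32_t)a - (uint32_t)b);
}

/* Naive: plain subtraction with no range check. A corner far to the right and a test
   point far to the left produce a true distance above INT32_MAX, which wraps negative. */
corner_offsets naive_offsets(coord_t corner_x, coord_t corner_y,
                             coord_t test_x, coord_t test_y) {
  corner_offsets r;
  r.x_offset = wrapping_sub(corner_x, test_x);
  r.y_offset = wrapping_sub(corner_y, test_y);
  r.valid = true;  /* nothing stops a nonpositive offset from reaching the corner check */
  return r;
}

/* Hardened: detect overflow with checked arithmetic and reject nonpositive offsets
   before any corner check runs. An invalid result means "do not call CheckCorner". */
corner_offsets checked_offsets(coord_t corner_x, coord_t corner_y,
                               coord_t test_x, coord_t test_y) {
  corner_offsets r = { false, 0, 0 };
  coord_t dx, dy;
  if (__builtin_sub_overflow(corner_x, test_x, &dx) ||
      __builtin_sub_overflow(corner_y, test_y, &dy)) {
    return r;  /* overflow: the point cannot be inside this corner box */
  }
  if (dx <= 0 || dy <= 0) {
    return r;  /* outside the corner box: nothing to check */
  }
  r.valid = true;
  r.x_offset = dx;
  r.y_offset = dy;
  return r;
}

/* The precondition stated by the assertion on this page: both offsets strictly positive. */
bool offsets_safe_for_check_corner(corner_offsets o) {
  return o.valid && o.x_offset > 0 && o.y_offset > 0;
}

int main(void) {
  /* Constructed input: corner near INT32_MAX app units, test point at a negative x. */
  coord_t corner_x = INT32_MAX - 10, corner_y = 1000;
  coord_t test_x = -1000, test_y = 500;

  corner_offsets n = naive_offsets(corner_x, corner_y, test_x, test_y);
  corner_offsets c = checked_offsets(corner_x, corner_y, test_x, test_y);

  printf("naive:   x_offset=%d, safe for CheckCorner: %s\n",
         (int)n.x_offset, offsets_safe_for_check_corner(n) ? "yes" : "no");
  printf("checked: valid=%s (overflow rejected before the corner check)\n",
         c.valid ? "true" : "false");
  return 0;
}
```

The point of the hardened version is where the check lives: validating the offsets at the place they are computed keeps the precondition local, so a fuzzer-supplied coordinate degrades to a "no hit" answer rather than a debug assertion (or, in a release build, a corner test run on garbage values).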

Bugmon Analysis
Unable to reproduce bug 1703567 using build mozilla-central 20210911095121-9cbf4fe3f852. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Weird, I can reproduce with my local build.

Flags: needinfo?(jkratzer)

I can still reproduce this as well. This looks to be a bug with bugmon. I'll re-enable it.

Flags: needinfo?(jkratzer)
Keywords: bugmon
