Open Bug 1709122 Opened 3 years ago Updated 10 months ago

Assertion failure: curWeight >= 0.0f (weights are non-negative), at layout/generic/nsFlexContainerFrame.cpp:3124

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox90 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
580 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev fc83d6916396 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build fc83d6916396 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.html

Assertion failure: curWeight >= 0.0f (weights are non-negative), at /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:3124    #0 0x7fcc3244ddb5 in nsFlexContainerFrame::FlexLine::ResolveFlexibleLengths(int, ComputedFlexLineInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:3124:11
    #1 0x7fcc32453755 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5058:10
    #2 0x7fcc32451f71 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4541:5
    #3 0x7fcc32438250 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #4 0x7fcc3244a505 in nsFlexContainerFrame::MeasureAscentAndBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1981:3
    #5 0x7fcc324516c7 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4413:7
    #6 0x7fcc32453bdc in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5095:9
    #7 0x7fcc32451f71 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4541:5
    #8 0x7fcc32438250 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #9 0x7fcc3244a505 in nsFlexContainerFrame::MeasureAscentAndBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1981:3
    #10 0x7fcc324516c7 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4413:7
    #11 0x7fcc32453bdc in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5095:9
    #12 0x7fcc32451f71 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4541:5
    #13 0x7fcc32438250 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #14 0x7fcc3244a505 in nsFlexContainerFrame::MeasureAscentAndBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1981:3
    #15 0x7fcc324516c7 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4413:7
    #16 0x7fcc32453bdc in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5095:9
    #17 0x7fcc32451f71 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4541:5
    #18 0x7fcc32438250 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #19 0x7fcc324261d0 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:818:7
    #20 0x7fcc32438250 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #21 0x7fcc324738b2 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #22 0x7fcc32474229 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #23 0x7fcc32478719 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #24 0x7fcc324386a8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #25 0x7fcc323f66e4 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:372:7
    #26 0x7fcc32302f60 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9603:11
    #27 0x7fcc3230cece in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9774:24
    #28 0x7fcc3230c3ce in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4245:11
    #29 0x7fcc322d4f0b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1406:5
    #30 0x7fcc322d4f0b in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2216:20
    #31 0x7fcc322dcd98 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
    #32 0x7fcc322dcd98 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
    #33 0x7fcc322dcc93 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
    #34 0x7fcc322dc2a8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
    #35 0x7fcc322dc2a8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
    #36 0x7fcc322dbb8e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
    #37 0x7fcc322db609 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
    #38 0x7fcc31aeec16 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #39 0x7fcc2e865810 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #40 0x7fcc2e66985c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #41 0x7fcc2e32682e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2152:25
    #42 0x7fcc2e322cad in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2076:9
    #43 0x7fcc2e3241d2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
    #44 0x7fcc2e324f4b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
    #45 0x7fcc2da562ce in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #46 0x7fcc2da33c19 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #47 0x7fcc2da32b74 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
    #48 0x7fcc2da32d03 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #49 0x7fcc2da59986 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #50 0x7fcc2da59986 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #51 0x7fcc2da4599f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #52 0x7fcc2da4c65a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #53 0x7fcc2e32c136 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #54 0x7fcc2e296187 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #55 0x7fcc2e2960a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #56 0x7fcc2e2960a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #57 0x7fcc32016c38 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #58 0x7fcc338eec63 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #59 0x7fcc2e32d02a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #60 0x7fcc2e296187 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #61 0x7fcc2e2960a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #62 0x7fcc2e2960a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #63 0x7fcc338ee87e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #64 0x560075883b36 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #65 0x560075883b36 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
    #66 0x7fcc447070b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210503153234-cdcfe2f59d26.
The bug appears to have been introduced in the following build range:

Start: f6245e3daf6604d1aaf6b84d56f998600da1ea02 (20210216235608)
End: d5975841c32631cf46f2aaf18f7e6b9d1dc6538d (20210217024348)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f6245e3daf6604d1aaf6b84d56f998600da1ea02&tochange=d5975841c32631cf46f2aaf18f7e6b9d1dc6538d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Looks like there's some numeric overflow happening here. The testcase uses a handful of giant numbers:

* {
    aspect-ratio: 2693017212.8915734 / 1017076296.1288451 ! important;
    block-size: 1376809234%;
    border-radius: 2977814775% 715080387.6545275cm 2752852364.8023996mm 2246313461% / 3601498558% 4059404538% ! important;
    display: inline-flex;
    margin: 18915em 15% 73% 128ch;
    min-inline-size: max-content;
    padding-block: 1868532158.9078612px;
}

Also: just before the fatal assertion failure, I see six copies of this warning:

WARNING: Unconstrained inline size; this should only result from huge sizes (not intrinsic sizing w/ orthogonal flows): 'aReflowInput.ComputedISize() != NS_UNCONSTRAINEDSIZE', file layout/generic/nsFlexContainerFrame.cpp:4213

...and one copy of this non-fatal assertion:

###!!! ASSERTION: inline-size less than zero: 'result >= 0', file layout/generic/nsIFrame.cpp:6553

That last one is the issue here. flex-shrink weights are produced by multiplying the element's flex-base-size by the flex-shrink value (both of which are expected to be nonnegative). But in this case, we've got a negative flex-base-size from the element giving us a negative desired inline-size.

So: we need to either soften the assertion (downgrade it to be non-fatal), or add a not-expected-to-be-useful-for-real-content std::max(0,....) clamp to the spot where we store mFlexBaseSize (to ensure we don't end up storing a negative size there).

Severity: -- → S3
Summary: Assertion failure: curWeight >= 0.0f (weights are non-negative), at /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:3124 → Assertion failure: curWeight >= 0.0f (weights are non-negative), at layout/generic/nsFlexContainerFrame.cpp:3124
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: