Assertion failure: !parent->GetPrevInFlow() (Col group should always be in a first-in-flow table frame), at /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:51
Categories
(Core :: Layout: Tables, defect)
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file, 1 obsolete file)
6.61 KB,
application/zip
Testcase found while fuzzing mozilla-central rev 1a24ffb3930b (built with --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1a24ffb3930b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: !parent->GetPrevInFlow() (Col group should always be in a first-in-flow table frame), at /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:51
#0 0x7f02dd82b5d8 in GetTableFrame /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:50:5
#1 0x7f02dd82b5d8 in nsTableColGroupFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:43:22
#2 0x7f02dd82b4c1 in nsTableFrame::CreateSyntheticColGroupFrame() /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:666:13
#3 0x7f02dd82b376 in nsTableFrame::AppendAnonymousColFrames(int) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:680:21
#4 0x7f02dd82a626 in MatchCellMapToColCache /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:750:5
#5 0x7f02dd82a626 in nsTableFrame::InsertCells(nsTArray<nsTableCellFrame*>&, int, int) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:789:5
#6 0x7f02dd842c27 in nsTableRowFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsLineList_iterator const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:265:15
#7 0x7f02dd5d71de in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7213:7
#8 0x7f02dd59a9c4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1503:25
#9 0x7f02dd5a16bb in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3048:9
#10 0x7f02dd57b59c in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3127:3
#11 0x7f02dd57b59c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4203:39
#12 0x7f02dd544327 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2183:22
#13 0x7f02dd54c2c8 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
#14 0x7f02dd54c2c8 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
#15 0x7f02dd54c1c3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
#16 0x7f02dd54b7d8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
#17 0x7f02dd54b7d8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
#18 0x7f02dd54b0be in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
#19 0x7f02dd54ab39 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
#20 0x7f02dcd5dab6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#21 0x7f02d9ad5680 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#22 0x7f02d98d955c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#23 0x7f02d959629e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2152:25
#24 0x7f02d959271d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2076:9
#25 0x7f02d9593c42 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
#26 0x7f02d95949bb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
#27 0x7f02d8cc533e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
#28 0x7f02d8ca2cd9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
#29 0x7f02d8ca1c34 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
#30 0x7f02d8ca1dc3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
#31 0x7f02d8cc89f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
#32 0x7f02d8cc89f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#33 0x7f02d8cb49ef in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#34 0x7f02d8cbb67a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#35 0x7f02d959bba6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#36 0x7f02d9505bf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#37 0x7f02d9505b12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#38 0x7f02d9505b12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#39 0x7f02dd285bf8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#40 0x7f02dec24983 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
#41 0x7f02d959ca9a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#42 0x7f02d9505bf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#43 0x7f02d9505b12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#44 0x7f02d9505b12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#45 0x7f02dec2459e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#46 0x55934d0f0b36 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x55934d0f0b36 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
#48 0x7f02edbe00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1 • 3 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210507214625-950445712e58.
The bug appears to have been introduced in the following build range:
Start: a25601920fab8afe0b399e3750c53cf411e3c8ec (20200827201039)
End: ae59b435ba7e86aca38535e07e7b12609bb9a9b1 (20200827225009)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a25601920fab8afe0b399e3750c53cf411e3c8ec&tochange=ae59b435ba7e86aca38535e07e7b12609bb9a9b1
Comment 2 • 3 years ago
The testcase has a huge border on all sides, 32768px in size, which is 341in tall (at 96 DPI), much taller than a printed page.
I'll bet that border is at least part of what's confusing our table-printing-code here.
Comment 3 • 3 years ago
A Pernosco session is available here: https://pernos.co/debug/WjlbeKtWIlg2XJ6-DZaEPw/index.html
Comment 4 • 3 years ago
The fuzzers have been tripping over this for a while and it is triggered frequently. Marking as fuzzblocker.
Comment 5 • 2 years ago
Removing fuzzblocker tag. The spike in reports was due to a bug in the reducer scheduler.
Comment 6 • 2 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210911095121-9cbf4fe3f852) but not with tip (mozilla-central 20220909212835-b84775bfccf2).
The bug appears to have been fixed in the following build range:
Start: 90cedc744caaa336fc944da270c6c4a4e7b44ed1 (20220902090626)
End: f29b50d37b8b44da60afb52885a3dfecd96ecfba (20220902095153)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=90cedc744caaa336fc944da270c6c4a4e7b44ed1&tochange=f29b50d37b8b44da60afb52885a3dfecd96ecfba
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 7 • 2 years ago (Reporter)
It looks like the original testcase stopped working but the issue persists. I've uploaded a new testcase that still triggers this assertion.
Comment 8 • 2 years ago
Bugmon Analysis
Unable to reproduce bug 1710127 using build mozilla-central 20210925213743-a3f0791a87fd. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 9 • 2 years ago (Reporter)
(In reply to Bugmon [:jkratzer for issues] from comment #8)
> Bugmon Analysis
> Unable to reproduce bug 1710127 using build mozilla-central 20210925213743-a3f0791a87fd. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
The testcase works but it must be triggered via:
python -m grizzly.replay --xvfb ~/builds/debug/firefox --repeat 10 --relaunch 1
I'll investigate why bugmon is unable to reproduce this issue.