Open Bug 1710127 Opened 3 years ago Updated 2 years ago

Assertion failure: !parent->GetPrevInFlow() (Col group should always be in a first-in-flow table frame), at /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:51

Categories

(Core :: Layout: Tables, defect)

Tracking Status
firefox-esr91 --- affected
firefox90 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev 1a24ffb3930b (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1a24ffb3930b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: !parent->GetPrevInFlow() (Col group should always be in a first-in-flow table frame), at /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:51

    #0 0x7f02dd82b5d8 in GetTableFrame /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:50:5
    #1 0x7f02dd82b5d8 in nsTableColGroupFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/tables/nsTableColGroupFrame.h:43:22
    #2 0x7f02dd82b4c1 in nsTableFrame::CreateSyntheticColGroupFrame() /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:666:13
    #3 0x7f02dd82b376 in nsTableFrame::AppendAnonymousColFrames(int) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:680:21
    #4 0x7f02dd82a626 in MatchCellMapToColCache /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:750:5
    #5 0x7f02dd82a626 in nsTableFrame::InsertCells(nsTArray<nsTableCellFrame*>&, int, int) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:789:5
    #6 0x7f02dd842c27 in nsTableRowFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsLineList_iterator const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:265:15
    #7 0x7f02dd5d71de in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7213:7
    #8 0x7f02dd59a9c4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1503:25
    #9 0x7f02dd5a16bb in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3048:9
    #10 0x7f02dd57b59c in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3127:3
    #11 0x7f02dd57b59c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4203:39
    #12 0x7f02dd544327 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2183:22
    #13 0x7f02dd54c2c8 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
    #14 0x7f02dd54c2c8 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
    #15 0x7f02dd54c1c3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
    #16 0x7f02dd54b7d8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
    #17 0x7f02dd54b7d8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
    #18 0x7f02dd54b0be in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
    #19 0x7f02dd54ab39 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
    #20 0x7f02dcd5dab6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #21 0x7f02d9ad5680 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #22 0x7f02d98d955c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #23 0x7f02d959629e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2152:25
    #24 0x7f02d959271d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2076:9
    #25 0x7f02d9593c42 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
    #26 0x7f02d95949bb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
    #27 0x7f02d8cc533e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #28 0x7f02d8ca2cd9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #29 0x7f02d8ca1c34 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
    #30 0x7f02d8ca1dc3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #31 0x7f02d8cc89f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #32 0x7f02d8cc89f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #33 0x7f02d8cb49ef in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #34 0x7f02d8cbb67a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #35 0x7f02d959bba6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #36 0x7f02d9505bf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #37 0x7f02d9505b12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #38 0x7f02d9505b12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #39 0x7f02dd285bf8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #40 0x7f02dec24983 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #41 0x7f02d959ca9a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #42 0x7f02d9505bf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #43 0x7f02d9505b12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #44 0x7f02d9505b12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #45 0x7f02dec2459e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #46 0x55934d0f0b36 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #47 0x55934d0f0b36 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
    #48 0x7f02edbe00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210507214625-950445712e58.
The bug appears to have been introduced in the following build range:

Start: a25601920fab8afe0b399e3750c53cf411e3c8ec (20200827201039)
End: ae59b435ba7e86aca38535e07e7b12609bb9a9b1 (20200827225009)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a25601920fab8afe0b399e3750c53cf411e3c8ec&tochange=ae59b435ba7e86aca38535e07e7b12609bb9a9b1

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The testcase has a huge border on all sides, 32768px in size, which is 341in tall (at 96 DPI), much taller than a printed page.

I'll bet that border is at least part of what's confusing our table-printing code here.

Severity: -- → S3
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

The fuzzers have been tripping over this for a while and it is triggered frequently. Marking as fuzzblocker.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]

Removing fuzzblocker tag. The spike in reports was due to a bug in the reducer scheduler.

Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210911095121-9cbf4fe3f852) but not with tip (mozilla-central 20220909212835-b84775bfccf2).

The bug appears to have been fixed in the following build range:

Start: 90cedc744caaa336fc944da270c6c4a4e7b44ed1 (20220902090626)
End: f29b50d37b8b44da60afb52885a3dfecd96ecfba (20220902095153)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=90cedc744caaa336fc944da270c6c4a4e7b44ed1&tochange=f29b50d37b8b44da60afb52885a3dfecd96ecfba

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon
Attached file testcase.zip

It looks like the original testcase stopped working but the issue persists. I've uploaded a new testcase that still triggers this assertion.

Flags: needinfo?(jkratzer)
Keywords: bugmon

Bugmon Analysis
Unable to reproduce bug 1710127 using build mozilla-central 20210925213743-a3f0791a87fd. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attachment #9220871 - Attachment is obsolete: true

(In reply to Bugmon [:jkratzer for issues] from comment #8)

> Bugmon Analysis
> Unable to reproduce bug 1710127 using build mozilla-central 20210925213743-a3f0791a87fd. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The testcase works but it must be triggered via:
python -m grizzly.replay --xvfb ~/builds/debug/firefox --repeat 10 --relaunch 1

I'll investigate why bugmon is unable to reproduce this issue.
