Closed Bug 1715631 Opened 3 years ago Closed 3 years ago

Assertion failure: aBStart <= aBEnd (The band's block start is greater than its block end?), at /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:1607

Categories

(Core :: Layout, defect)

RESOLVED FIXED
Tracking Status
firefox-esr78 --- unaffected
firefox91 --- fixed

People

(Reporter: jkratzer, Assigned: dholbert)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 007ed77b9cf0 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 007ed77b9cf0 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: aBStart <= aBEnd (The band's block start is greater than its block end?), at /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:1607

    #0 0x7f9b358438e6 in nsFloatManager::PolygonShapeInfo::ComputeLineIntercept(int, int, int (*)(std::initializer_list<int>), int) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:1606:3
    #1 0x7f9b358403a0 in LineRight /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:2365:44
    #2 0x7f9b358403a0 in nsFloatManager::GetFlowArea(mozilla::WritingMode, int, int, nsFloatManager::BandInfoType, nsFloatManager::ShapeType, mozilla::LogicalRect, nsFloatManager::SavedState*, nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:208:16
    #3 0x7f9b357b7735 in mozilla::BlockReflowInput::GetFloatAvailableSpaceForBSize(int, int, nsFloatManager::SavedState*) const /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:327:43
    #4 0x7f9b357f9b1d in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4899:12
    #5 0x7f9b357f8e8e in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4470:12
    #6 0x7f9b357f44b0 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4228:9
    #7 0x7f9b357f0a80 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:5
    #8 0x7f9b357eb668 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #9 0x7f9b357e7eaf in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #10 0x7f9b357f745c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #11 0x7f9b357f310b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3864:11
    #12 0x7f9b357f0b26 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3205:5
    #13 0x7f9b357eb668 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #14 0x7f9b357e7eaf in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #15 0x7f9b357f745c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #16 0x7f9b35800d41 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6636:9
    #17 0x7f9b357b8f74 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:744:13
    #18 0x7f9b357b83d6 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:562:14
    #19 0x7f9b35909552 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:919:25
    #20 0x7f9b357f92ff in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4541:15
    #21 0x7f9b357f8846 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4343:5
    #22 0x7f9b357f44b0 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4228:9
    #23 0x7f9b357f0a80 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:5
    #24 0x7f9b357eb668 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #25 0x7f9b357e7eaf in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #26 0x7f9b35820390 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #27 0x7f9b3580e380 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:818:7
    #28 0x7f9b35820390 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #29 0x7f9b3585bb52 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #30 0x7f9b3585c4c9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #31 0x7f9b35860959 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #32 0x7f9b358207a8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #33 0x7f9b357deb74 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #34 0x7f9b356eb8b2 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9607:11
    #35 0x7f9b356f58ce in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9778:24
    #36 0x7f9b356f4dcb in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4247:11
    #37 0x7f9b35763a9b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1402:5
    #38 0x7f9b35763a9b in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:946:16
    #39 0x7f9b3687cd15 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6514:20
    #40 0x7f9b3687c80f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5904:7
    #41 0x7f9b3687d68f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #42 0x7f9b31fb697c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1362:3
    #43 0x7f9b31fb5f4a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:968:14
    #44 0x7f9b31fb4357 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:787:9
    #45 0x7f9b31fb553f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
    #46 0x7f9b3689d608 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13660:23
    #47 0x7f9b30f0a34a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:625:22
    #48 0x7f9b30f0b7c3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:529:10
    #49 0x7f9b329b851d in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11325:18
    #50 0x7f9b32995a70 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11255:9
    #51 0x7f9b329a7a06 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7790:3
    #52 0x7f9b32a17666 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1150:12
    #53 0x7f9b32a17666 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1156:12
    #54 0x7f9b32a17666 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1203:13
    #55 0x7f9b30d51eb2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #56 0x7f9b30d7cdae in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #57 0x7f9b30d5a8b9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #58 0x7f9b30d59814 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
    #59 0x7f9b30d599a3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #60 0x7f9b30d805a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #61 0x7f9b30d805a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #62 0x7f9b30d6c4cf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #63 0x7f9b30d7315a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #64 0x7f9b31659cd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #65 0x7f9b315c1ff7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #66 0x7f9b315c1f12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #67 0x7f9b315c1f12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #68 0x7f9b353f5bb8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #69 0x7f9b36dc2393 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #70 0x7f9b3165abca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #71 0x7f9b315c1ff7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #72 0x7f9b315c1f12 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #73 0x7f9b315c1f12 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #74 0x7f9b36dc1fae in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #75 0x55c2b3180c56 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #76 0x55c2b3180c56 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
    #77 0x7f9b45e500b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210609111307-662aa4502f55.
The bug appears to have been introduced in the following build range:

Start: ce45f7273cc0bf01e4432f6791d1588de5f17444 (20200622074626)
End: 7a13c77442451fdb9fd1032f605f1322a218702b (20200622094618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ce45f7273cc0bf01e4432f6791d1588de5f17444&tochange=7a13c77442451fdb9fd1032f605f1322a218702b

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Given the numbers in the testcase, I suspect nscoord overflow is probably happening somewhere. But after trying several times using the commands in comment 0, this is failing to reproduce for me.

I can't reproduce any assertion failures, just loading the testcase in a debug build. (Not sure if that's expected to work or not, given the additional commands in comment 0.)

It's possible the bug is font-dependent, given this part of the testcase:

var_0.setAttribute("lang", "ko")

But yeah, this feels like it's just nscoord overflow causing a large coordinate (aBEnd in this case) to become negative. Probably the assertion just wants to be softened to be nonfatal.
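
The failure mode suspected in the comment above, as an added C++ example (not Gecko code and not part of the bug report): a 32-bit layout coordinate derived from a very large numeric line-height wraps negative, so a band's block end lands before its block start, while clamped arithmetic keeps start <= end. `Coord`, `kCoordMax`, the helper names, the 60-units-per-pixel scale and the sample numbers are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>

using Coord = int32_t;                      // stand-in for a 32-bit coordinate type
constexpr Coord kCoordMax = (1 << 30) - 1;  // constructed clamp limit for this example
constexpr Coord kCoordMin = -kCoordMax;

// Emulate 32-bit two's-complement wraparound without relying on
// signed-overflow undefined behaviour.
Coord Wrap(int64_t v) {
  uint32_t u = static_cast<uint32_t>(v);  // modular conversion, well defined
  return u <= 0x7fffffffu
             ? static_cast<Coord>(u)
             : static_cast<Coord>(static_cast<int64_t>(u) - (int64_t{1} << 32));
}

// Clamp a wide intermediate result into the representable coordinate range.
Coord Saturate(int64_t v) {
  if (v > kCoordMax) return kCoordMax;
  if (v < kCoordMin) return kCoordMin;
  return static_cast<Coord>(v);
}

struct Band {
  Coord bStart;
  Coord bEnd;
};

// A numeric line-height is a multiplier on the font size; the band ends one
// line-height after it starts. This version lets both steps wrap.
Band MakeBandWrapping(Coord bStart, Coord fontSize, int64_t lineHeightNumber) {
  Coord bSize = Wrap(static_cast<int64_t>(fontSize) * lineHeightNumber);
  return {bStart, Wrap(static_cast<int64_t>(bStart) + bSize)};
}

// Same computation, but every step is done in 64 bits and clamped.
Band MakeBandSaturating(Coord bStart, Coord fontSize, int64_t lineHeightNumber) {
  Coord bSize = Saturate(static_cast<int64_t>(fontSize) * lineHeightNumber);
  return {bStart, Saturate(static_cast<int64_t>(bStart) + bSize)};
}

// The invariant the assertion in the report checks: aBStart <= aBEnd.
bool BandIsOrdered(const Band& b) { return b.bStart <= b.bEnd; }

int main() {
  const Coord fontSize = 16 * 60;      // constructed: 16px at 60 units per pixel
  const int64_t lineHeight = 3000000;  // constructed "absurdly large" multiplier

  Band wrapped = MakeBandWrapping(0, fontSize, lineHeight);
  Band clamped = MakeBandSaturating(0, fontSize, lineHeight);
  std::printf("wrapping:   bStart=%d bEnd=%d ordered=%d\n", wrapped.bStart,
              wrapped.bEnd, BandIsOrdered(wrapped));
  std::printf("saturating: bStart=%d bEnd=%d ordered=%d\n", clamped.bStart,
              clamped.bEnd, BandIsOrdered(clamped));
  return 0;
}
```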

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 57328f12e67aafad12fd1f062fddf48b41120a4f (20210614004220)
End: e77eb14241b9e712ddda1e8c1cc21ef455377e3c (20210614070416)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=57328f12e67aafad12fd1f062fddf48b41120a4f&tochange=e77eb14241b9e712ddda1e8c1cc21ef455377e3c
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Thanks. That explains why we weren't able to reproduce.

I confirmed that I can still reproduce, using an older debug build via this command:

mozregression --launch 2021-06-09 --build-type debug -a https://bug1715631.bmoattachments.org/attachment.cgi?id=9226199

Let's close this as fixed by Bug 1542807 then.

Status: NEW → RESOLVED
Closed: 3 years ago
Depends on: 1542807
Resolution: --- → FIXED
Assignee: nobody → dholbert
Assignee: dholbert → nobody
Assignee: nobody → dholbert

Sorry for assignee-change-spam; apparently any action on phabricator re-triggers assignee-setting to the phabricator author.

I'll just leave this with assignee=me to avoid triggering more spam (though my only action here is just landing the test; the actual bug was fixed elsewhere in Bug 1542807 as noted above).

:dholbert, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dholbert)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/30073 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #8)

:dholbert, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Sure. Strictly speaking, this was probably a regression from bug 1646224, which changed how we store/return font-size. The testcase uses an absurdly-large numeric line-height, and that bug's commit did change the arithmetic inside the (lineHeight.IsNumber()) case:
https://hg.mozilla.org/integration/autoland/rev/7a13c77442451fdb9fd1032f605f1322a218702b#l22.8

(probably changing it in a way that was correct, but which lends itself more to this particular bit of nscoord overflow for whatever reason).

Anyway, seems to be fixed now.

Flags: needinfo?(dholbert)
Regressed by: 1646224
Has Regression Range: --- → yes
Upstream PR merged by moz-wptsync-bot
Flags: in-testsuite? → in-testsuite+

Set release status flags based on info from the regressing bug 1646224

Sorry for the noise, I was debugging the bot and wrongly ran it.
