Closed Bug 1717688 Opened 3 years ago Closed 2 years ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /builds/worker/checkouts/gecko/layout/mathml/nsMathMLmspaceFrame.cpp:92

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 847368
Tracking Flags:
Tracking Status
firefox91 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

testcase.zip
4.08 KB, application/zip
Details
Attached file testcase.zip (obsolete) —

Testcase found while fuzzing mozilla-central rev 997f00815e6b (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 997f00815e6b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /builds/worker/checkouts/gecko/layout/mathml/nsMathMLmspaceFrame.cpp:92

    #0 0x7fe9be5f2165 in nsMathMLmspaceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/mathml/nsMathMLmspaceFrame.cpp:92:3
    #1 0x7fe9be323cf8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
    #2 0x7fe9be5d8d29 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/mathml/nsMathMLContainerFrame.cpp:787:21
    #3 0x7fe9be5d911c in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/mathml/nsMathMLContainerFrame.cpp:843:5
    #4 0x7fe9be4466bc in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:875:13
    #5 0x7fe9be419e4d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:671:15
    #6 0x7fe9be419535 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:545:7
    #7 0x7fe9be418d86 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:359:3
    #8 0x7fe9be4466bc in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:875:13
    #9 0x7fe9be340adf in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4541:15
    #10 0x7fe9be340026 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4343:5
    #11 0x7fe9be33c0b0 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4228:9
    #12 0x7fe9be3387d0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:5
    #13 0x7fe9be33319b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #14 0x7fe9be32eceb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #15 0x7fe9be33ed7c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #16 0x7fe9be33ab1c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3864:11
    #17 0x7fe9be338876 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3205:5
    #18 0x7fe9be33319b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #19 0x7fe9be32eceb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #20 0x7fe9be352410 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #21 0x7fe9be35181a in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:819:7
    #22 0x7fe9be352410 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #23 0x7fe9be396b79 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #24 0x7fe9be3974f9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #25 0x7fe9be39b999 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #26 0x7fe9be323cf8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
    #27 0x7fe9be32359c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #28 0x7fe9be22edec in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9570:11
    #29 0x7fe9be238c6e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9741:24
    #30 0x7fe9be23816b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4229:11
    #31 0x7fe9be20074f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1411:5
    #32 0x7fe9be20074f in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2328:20
    #33 0x7fe9be2088ba in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:13
    #34 0x7fe9be2088ba in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326:7
    #35 0x7fe9be2087d3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:5
    #36 0x7fe9be2086a0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:775:5
    #37 0x7fe9be207d08 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:704:16
    #38 0x7fe9be2075f0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:617:7
    #39 0x7fe9be207069 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:9
    #40 0x7fe9bda28446 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #41 0x7fe9ba72d300 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #42 0x7fe9ba4f731c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
    #43 0x7fe9ba179ec1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2148:25
    #44 0x7fe9ba176271 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2075:9
    #45 0x7fe9ba1777ad in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1923:3
    #46 0x7fe9ba17852b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1954:13
    #47 0x7fe9b98803ee in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
    #48 0x7fe9b985e109 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
    #49 0x7fe9b985cf78 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
    #50 0x7fe9b985d1f3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
    #51 0x7fe9b9883c59 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #52 0x7fe9b9883c59 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #53 0x7fe9b986fb5f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
    #54 0x7fe9b987679a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #55 0x7fe9ba17f784 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #56 0x7fe9ba0e7527 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #57 0x7fe9ba0e7442 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #58 0x7fe9ba0e7442 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #59 0x7fe9bdf36cf8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #60 0x7fe9bf8dbc03 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #61 0x7fe9ba1806ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #62 0x7fe9ba0e7527 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #63 0x7fe9ba0e7442 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #64 0x7fe9ba0e7442 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #65 0x7fe9bf8db81e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #66 0x55d4f07c9c56 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #67 0x55d4f07c9c56 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #68 0x7fe9cfc920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 346e2204b8cb88896f3c9aaf9792508967f9bdd0 (20210719172340)
End: 0244529dcf99f9bb266e96c81531faca6cd1a3a2 (20210719202020)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=346e2204b8cb88896f3c9aaf9792508967f9bdd0&tochange=0244529dcf99f9bb266e96c81531faca6cd1a3a2
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 346e2204b8cb88896f3c9aaf9792508967f9bdd0 (20210719172340)
End: 0244529dcf99f9bb266e96c81531faca6cd1a3a2 (20210719202020)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=346e2204b8cb88896f3c9aaf9792508967f9bdd0&tochange=0244529dcf99f9bb266e96c81531faca6cd1a3a2
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Bugmon is confused here. There was a pref change in bug 1720221 that caused it to believe the bug had been fixed. I'll reset the flags.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]
Attached file testcase.zip
Attachment #9228419 - Attachment is obsolete: true
Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210726093430-0c272222c17b.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 56082fc4acfacba40993e47ef8302993c59e264e (20200727033000)
End: 997f00815e6bc28806b75448c8829f0259d2cb28 (20210621213500)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210626094654-a1125ca12e80) but not with tip (mozilla-central 20220624214101-340fab1c7c24.)
The bug appears to have been fixed in the following build range:

Start: 848d45e8ea116000db5465119e27195c439a7189 (20220620213304)
End: 5c5e1891414c06272cd11e31751c0cebd6350c5a (20220620230714)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=848d45e8ea116000db5465119e27195c439a7189&tochange=5c5e1891414c06272cd11e31751c0cebd6350c5a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: