Open Bug 1728410 Opened 3 years ago Updated 11 months ago

Assertion failure: !prev->GetPrevContinuation() (Property should always be set on prev continuation if not the first continuation), at /layout/generic/nsSplittableFrame.cpp:216

Categories

(Core :: Layout: Columns, defect)

x86_64
Linux
defect

Tracking

Tracking Status
firefox94 --- affected
firefox95 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev b5acac258824 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b5acac258824 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !prev->GetPrevContinuation() (Property should always be set on prev continuation if not the first continuation), at /layout/generic/nsSplittableFrame.cpp:216

    ==3364615==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fef55f6a9a1 bp 0x7fffe4deeb20 sp 0x7fffe4deeaf0 T3364615)
    ==3364615==The signal is caused by a WRITE memory access.
    ==3364615==Hint: address points to the zero page.
        #0 0x7fef55f6a9a1 in nsSplittableFrame::CalcAndCacheConsumedBSize() /layout/generic/nsSplittableFrame.cpp:214:5
        #1 0x7fef55e29fea in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1263:27
        #2 0x7fef55e4e7c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #3 0x7fef55e504dd in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /layout/generic/nsColumnSetFrame.cpp:693:7
        #4 0x7fef55e529b8 in ReflowColumns /layout/generic/nsColumnSetFrame.cpp:403:37
        #5 0x7fef55e529b8 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1235:37
        #6 0x7fef55e3aeec in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #7 0x7fef55e36c7c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3874:11
        #8 0x7fef55e348c6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3214:5
        #9 0x7fef55e2f9df in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:3039:11
        #10 0x7fef55e2a92b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1382:3
        #11 0x7fef55e3aeec in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #12 0x7fef55e36c7c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3874:11
        #13 0x7fef55e348c6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3214:5
        #14 0x7fef55e2f9df in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:3039:11
        #15 0x7fef55e2a92b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1382:3
        #16 0x7fef55e4e7c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #17 0x7fef55e504dd in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /layout/generic/nsColumnSetFrame.cpp:693:7
        #18 0x7fef55e5211d in ReflowColumns /layout/generic/nsColumnSetFrame.cpp:415:10
        #19 0x7fef55e5211d in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1125:9
        #20 0x7fef55e52a96 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1242:5
        #21 0x7fef55e3aeec in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #22 0x7fef55e36c7c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3874:11
        #23 0x7fef55e348c6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3214:5
        #24 0x7fef55e2ef8b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2751:7
        #25 0x7fef55e2a92b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1382:3
        #26 0x7fef55e3aeec in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #27 0x7fef55e36c7c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3874:11
        #28 0x7fef55e348c6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3214:5
        #29 0x7fef55e2ef8b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2751:7
        #30 0x7fef55e2a92b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1382:3
        #31 0x7fef55e4e7c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #32 0x7fef55e504dd in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /layout/generic/nsColumnSetFrame.cpp:693:7
        #33 0x7fef55e529b8 in ReflowColumns /layout/generic/nsColumnSetFrame.cpp:403:37
        #34 0x7fef55e529b8 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1235:37
        #35 0x7fef55e3aeec in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #36 0x7fef55e36c7c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3874:11
        #37 0x7fef55e348c6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3214:5
        #38 0x7fef55e2ef8b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2751:7
        #39 0x7fef55e2a92b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1382:3
        #40 0x7fef55e4e7c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #41 0x7fef55e4dbca in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #42 0x7fef55e4e7c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #43 0x7fef55e9a565 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:759:3
        #44 0x7fef55e9b029 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:880:3
        #45 0x7fef55e9f4c9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1299:3
        #46 0x7fef55e1f418 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #47 0x7fef55e1ecbc in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #48 0x7fef55d2211b in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9597:11
        #49 0x7fef55d2c2ee in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9768:24
        #50 0x7fef55d2b7a9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4256:11
        #51 0x7fef55cf26df in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1423:5
        #52 0x7fef55cf26df in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2357:20
        #53 0x7fef55cfa7fa in TickDriver /layout/base/nsRefreshDriver.cpp:348:13
        #54 0x7fef55cfa7fa in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:326:7
        #55 0x7fef55cfa713 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:342:5
        #56 0x7fef55cfa5e0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:771:5
        #57 0x7fef55cf9c7a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:700:16
        #58 0x7fef55cf9595 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /layout/base/nsRefreshDriver.cpp:617:7
        #59 0x7fef55cf9019 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:538:9
        #60 0x7fef554c42e6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncChild.cpp:68:15
        #61 0x7fef520e6064 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
        #62 0x7fef51eba8ac in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
        #63 0x7fef51b3986f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2053:25
        #64 0x7fef51b36381 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1978:9
        #65 0x7fef51b37805 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1826:3
        #66 0x7fef51b3839b in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1857:13
        #67 0x7fef510fe53e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
        #68 0x7fef510da59f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
        #69 0x7fef510d9208 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:641:15
        #70 0x7fef510d9483 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
        #71 0x7fef51101b36 in operator() /xpcom/threads/TaskController.cpp:135:37
        #72 0x7fef51101b36 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
        #73 0x7fef510ecf3f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #74 0x7fef510f3d3a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
        #75 0x7fef51b3f6d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #76 0x7fef51a5fdc7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #77 0x7fef51a5fcd2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #78 0x7fef51a5fcd2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #79 0x7fef559fca78 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #80 0x7fef5787bf93 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #81 0x7fef51b405ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #82 0x7fef51a5fdc7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #83 0x7fef51a5fcd2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #84 0x7fef51a5fcd2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #85 0x7fef5787b5ce in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #86 0x5581c2b78ab6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #87 0x5581c2b78ab6 in main /browser/app/nsBrowserApp.cpp:327:18
        #88 0x7fef66dbf0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #89 0x5581c2b558bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x158bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsSplittableFrame.cpp:214:5 in nsSplittableFrame::CalcAndCacheConsumedBSize()
    ==3364615==ABORTING
Attached file Testcase (obsolete) —

Looks like column specific, but I am not 100% sure.

Severity: -- → S3
Component: Layout → Layout: Columns

Bugmon Analysis
Unable to reproduce bug 1728410 using build mozilla-central 20210831093704-b5acac258824. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file testcase.html
Attachment #9238769 - Attachment is obsolete: true

Looks like something happened to the unicode characters in the testcase during upload. I'll reset the bugmon status.

Keywords: bugmon
Whiteboard: [bugmon:confirm]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210901155113-0ee7ea150df4.
The bug appears to have been introduced in the following build range:

Start: 2f08ec7e57c3b7968ce11a729bb563257173b70e (20201118160535)
End: 78ec198ed4f2698265a5f4c8d40cebcd52d34eb7 (20201118142551)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=2f08ec7e57c3b7968ce11a729bb563257173b70e&tochange=78ec198ed4f2698265a5f4c8d40cebcd52d34eb7

Whiteboard: [bugmon:bisected,confirmed]
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210831093704-b5acac258824) but not with tip (mozilla-central 20220218215229-b21fa00b5f33.)
The bug appears to have been fixed in the following build range:

Start: f5997aac798fefb6588d1a08459bebdeb40a9db2 (20220212011038)
End: 761755ec9388386f51e64fe52e9741f51a508041 (20220212055440)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5997aac798fefb6588d1a08459bebdeb40a9db2&tochange=761755ec9388386f51e64fe52e9741f51a508041
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attachment #9238909 - Attachment mime type: application/octet-stream → text/html