Closed
Bug 1730506
Opened 3 years ago
Closed 3 years ago
Assertion failure: !(mTotalOuterHypotheticalMainSize >= 0 && mTotalItemMBP >= 0) || (isUsingFlexGrow && availableFreeSpace >= 0) || (!isUsingFlexGrow && availableFreeSpace <= 0) (availableFreeSpace's sign should match isUsingFlexGrow), at /builds/worker/c
Categories
(Core :: Layout: Flexbox, defect)
Tracking
()
VERIFIED
FIXED
94 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox92 | --- | unaffected |
| firefox93 | --- | wontfix |
| firefox94 | --- | verified |
People
(Reporter: jkratzer, Assigned: TYLin)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev e8a29c8f1e09 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build e8a29c8f1e09 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !(mTotalOuterHypotheticalMainSize >= 0 && mTotalItemMBP >= 0) || (isUsingFlexGrow && availableFreeSpace >= 0) || (!isUsingFlexGrow && availableFreeSpace <= 0) (availableFreeSpace's sign should match isUsingFlexGrow), at /builds/worker/c
==3633719==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff465e675f4 bp 0x7ffdb1a2e7b0 sp 0x7ffdb1a2e710 T3633719)
==3633719==The signal is caused by a WRITE memory access.
==3633719==Hint: address points to the zero page.
#0 0x7ff465e675f4 in nsFlexContainerFrame::FlexLine::ResolveFlexibleLengths(int, ComputedFlexLineInfo*) /layout/generic/nsFlexContainerFrame.cpp:3079:5
#1 0x7ff465e6d365 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /layout/generic/nsFlexContainerFrame.cpp:5085:10
#2 0x7ff465e6b7be in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsFlexContainerFrame.cpp:4545:5
#3 0x7ff465e48fa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1001:14
#4 0x7ff465e61341 in nsFlexContainerFrame::MeasureBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /layout/generic/nsFlexContainerFrame.cpp:1971:3
#5 0x7ff465e6af78 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /layout/generic/nsFlexContainerFrame.cpp:4418:7
#6 0x7ff465e6d7cf in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*) /layout/generic/nsFlexContainerFrame.cpp:5122:9
#7 0x7ff465e6b7be in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsFlexContainerFrame.cpp:4545:5
#8 0x7ff465e48fa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1001:14
#9 0x7ff465e483aa in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
#10 0x7ff465e48fa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1001:14
#11 0x7ff465e94b85 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:762:3
#12 0x7ff465e95659 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:883:3
#13 0x7ff465e99af9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1302:3
#14 0x7ff465e19b98 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1041:14
#15 0x7ff465e1943c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
#16 0x7ff465d1cfcb in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9576:11
#17 0x7ff465d270be in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9747:24
#18 0x7ff465d265b9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4235:11
#19 0x7ff462da9fde in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1423:5
#20 0x7ff462da9fde in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10697:16
#21 0x7ff4624a0882 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:738:14
#22 0x7ff4624a1c9f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:676:5
#23 0x7ff467251298 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13468:23
#24 0x7ff46128d69a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
#25 0x7ff46128ec23 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
#26 0x7ff462dad13d in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11450:18
#27 0x7ff462d89b90 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11380:9
#28 0x7ff465c819a5 in UnblockOnload /layout/style/Loader.cpp:2289:16
#29 0x7ff465c819a5 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /layout/style/Loader.cpp:459:12
#30 0x7ff465c81b1c in AfterProcessNextEvent /layout/style/Loader.cpp:428:3
#31 0x7ff465c81b1c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /layout/style/Loader.cpp
#32 0x7ff4610da1d8 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1172:3
#33 0x7ff4610e0c4a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
#34 0x7ff461b3c756 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#35 0x7ff461a5cc87 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#36 0x7ff461a5cb92 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#37 0x7ff461a5cb92 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#38 0x7ff4659f1138 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#39 0x7ff4678764c3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
#40 0x7ff461b3d64a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#41 0x7ff461a5cc87 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#42 0x7ff461a5cb92 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#43 0x7ff461a5cb92 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#44 0x7ff467875afe in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
#45 0x556d8fec1b46 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#46 0x556d8fec1b46 in main /browser/app/nsBrowserApp.cpp:327:18
#47 0x7ff476d250b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#48 0x556d8fe9e94c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x1594c)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsFlexContainerFrame.cpp:3079:5 in nsFlexContainerFrame::FlexLine::ResolveFlexibleLengths(int, ComputedFlexLineInfo*)
==3633719==ABORTING
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210913213224-b50ef8e31c4c.
The bug appears to have been introduced in the following build range:
Start: 4e0dafb873bd3b45c0cecf4a8e64f7e324211f7c (20210825095400)
End: 9a8bac0b93fdeb3e66fc1ab5814854b4cc377697 (20210825092302)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=4e0dafb873bd3b45c0cecf4a8e64f7e324211f7c&tochange=9a8bac0b93fdeb3e66fc1ab5814854b4cc377697
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Updated•3 years ago
|
Component: DOM: Core & HTML → Layout
|
Assignee | |
Comment 3•3 years ago
|
||
It seems bug 1728319 doesn't fix this completely.
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1469649
status-firefox92:
--- → unaffected
status-firefox93:
--- → affected
status-firefox94:
--- → affected
status-firefox-esr78:
--- → unaffected
status-firefox-esr91:
--- → unaffected
|
|
Assignee | |
Comment 5•3 years ago
|
||
Similar to bug 1728319, a huge main gap size can also make SumOfGaps()
negative due to integer overflow. This patch is to recognize that
scenario.
We still need to annotate the crashtest because it still triggers the
following assertion in nsIFrame.
ASSERTION: inline-size less than zero: 'result >= 0'
|
||
Updated•3 years ago
|
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•3 years ago
|
||
(In reply to Ting-Yu Lin [:TYLin] (UTC-7) from comment #3)
It seems bug 1728319 doesn't fix this completely.
The huge main gap size can lead to integer overflow, which is not considered in bug 1728319.
Flags: needinfo?(aethanyc)
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/e007ff572840
Tweak the assertion again to recognize integer overflow due to huge main gap size. r=dholbert
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210917033617-149a7c7573f2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 10•3 years ago
|
||
The patch landed in nightly and beta is affected.
:TYLin, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(aethanyc)
|
|
Assignee | |
Comment 11•3 years ago
|
||
This bug fixed a debug assertion that doesn't affect real sites.
Flags: needinfo?(aethanyc)
|
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•