Open Bug 1736487 Opened 3 years ago Updated 2 years ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/mathml/nsMathMLContainerFrame.cpp:827

Categories

(Core :: MathML, defect)

x86_64
Linux
defect


People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

4.10 KB, application/zip

Testcase found while fuzzing mozilla-central rev ee8efced380b (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ee8efced380b --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/mathml/nsMathMLContainerFrame.cpp:827

    ==667758==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffaf167a444 bp 0x7ffe0bd8fec0 sp 0x7ffe0bd8fc10 T667758)
    ==667758==The signal is caused by a WRITE memory access.
    ==667758==Hint: address points to the zero page.
        #0 0x7ffaf167a444 in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:827:3
        #1 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #2 0x7ffaf1679cd9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #3 0x7ffaf16807dc in nsMathMLTokenFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLTokenFrame.cpp:132:5
        #4 0x7ffaf13c0d5c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #5 0x7ffaf13bcb0c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3886:11
        #6 0x7ffaf13ba766 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3226:5
        #7 0x7ffaf13b4e3b in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2763:7
        #8 0x7ffaf13b0846 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #9 0x7ffaf13a79a9 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:813:14
        #10 0x7ffaf13a5b4c in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:221:7
        #11 0x7ffaf147ec7d in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6751:24
        #12 0x7ffaf13fb59a in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6718:3
        #13 0x7ffaf13d3fba in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:881:3
        #14 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #15 0x7ffaf14dfc63 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:73:5
        #16 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #17 0x7ffaf14e214d in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:146:3
        #18 0x7ffaf14e2718 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:169:13
        #19 0x7ffaf13d4560 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #20 0x7ffaf1383f8f in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:132:5
        #21 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #22 0x7ffaf14e672d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:356:5
        #23 0x7ffaf13d4560 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #24 0x7ffaf13d396a in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #25 0x7ffaf13d4560 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #26 0x7ffaf1420872 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:764:3
        #27 0x7ffaf14212f7 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:885:3
        #28 0x7ffaf142577e in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1306:3
        #29 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #30 0x7ffaf13a4c7c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #31 0x7ffaf12a7d2b in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9598:11
        #32 0x7ffaf12b1dee in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9769:24
        #33 0x7ffaf12b12e9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4259:11
        #34 0x7ffaf172c471 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /layout/printing/nsPrintJob.cpp:1900:14
        #35 0x7ffaf172b98d in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /layout/printing/nsPrintJob.cpp:1462:3
        #36 0x7ffaf172807e in nsPrintJob::InitPrintDocConstruction(bool) /layout/printing/nsPrintJob.cpp:1502:5
        #37 0x7ffaf172f455 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /layout/printing/nsPrintJob.cpp:2733:17
        #38 0x7ffaf2deea78 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
        #39 0x7ffaed4c100b in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:234:28
        #40 0x7ffaed22f94b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8377:32
        #41 0x7ffaed0b092f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2043:25
        #42 0x7ffaed0ad211 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1968:9
        #43 0x7ffaed0ae695 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1827:3
        #44 0x7ffaed0af2dd in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1855:14
        #45 0x7ffaec65025e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #46 0x7ffaec62a7df in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:770:26
        #47 0x7ffaec629448 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:606:15
        #48 0x7ffaec6296c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #49 0x7ffaec653989 in operator() /xpcom/threads/TaskController.cpp:126:37
        #50 0x7ffaec653989 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #51 0x7ffaec63e66f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1151:16
        #52 0x7ffaec64576a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #53 0x7ffaed0b6754 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #54 0x7ffaecfd6bf7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #55 0x7ffaecfd6b02 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #56 0x7ffaecfd6b02 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #57 0x7ffaf0f7b9d8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #58 0x7ffaf2e301d3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #59 0x7ffaed0b769a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #60 0x7ffaecfd6bf7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #61 0x7ffaecfd6b02 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #62 0x7ffaecfd6b02 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #63 0x7ffaf2e2f80e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #64 0x56425b49db96 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #65 0x56425b49db96 in main /browser/app/nsBrowserApp.cpp:327:18
        #66 0x7ffb01f5a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #67 0x56425b47a99c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x1599c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/mathml/nsMathMLContainerFrame.cpp:827:3 in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    ==667758==ABORTING
Attached file Testcase (obsolete) —
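The report above is best read as two events rather than one. In a debug Firefox build on Linux, a failed MOZ_ASSERT deliberately crashes by writing through a NULL pointer, and UndefinedBehaviorSanitizer then reports that write as a SEGV on address 0 (a WRITE to the zero page) at the same file:line as the "Assertion failure" message. The memory-access error is the assertion's own abort; the bug to chase is the violated invariant (a non-fresh nsReflowStatus handed to nsMathMLContainerFrame::Reflow), and nothing in the trace on its own shows an independent memory-safety defect. The following triage helper is an added example and is not code from Mozilla, bugmon or grizzly: it parses a report of this shape into assertion, sanitizer error, access direction and stack, builds a frame-name signature for deduplication, and separates an assertion abort from a genuine null dereference or a non-SEGV sanitizer error. The embedded sample is constructed from the lines above, cut to three frames; the regex shapes, class and function names are assumptions of this example.

```python
"""Triage helper for sanitizer / assertion crash reports (added example).

Assumes the plain-text report format shown on this page: an optional
"Assertion failure: <cond>, at <file>:<line>" line, an
"==pid==ERROR: <Sanitizer>: <kind> on [unknown] address 0x..." line, an
access-direction line, and "#N 0x... in <func> <file>:<line>[:<col>]" frames.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<file>\S+):(?P<line>\d+)$")
ERROR_RE = re.compile(
    r"^==\d+==ERROR: (?P<tool>\w+): (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
# SEGV reports say "The signal is caused by a WRITE memory access";
# ASan memory-error reports say "WRITE of size 4 at 0x... thread T0".
SIGNAL_ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
ASAN_ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size \d+ at 0x[0-9a-fA-F]+")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>/\S+?):(?P<line>\d+)(?::\d+)?$")

PAGE_SIZE = 4096  # faults below this address are NULL (+ small offset) dereferences

# Constructed sample: the first lines of the report on this page, cut to three frames.
SAMPLE_REPORT = """\
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/mathml/nsMathMLContainerFrame.cpp:827
    ==667758==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffaf167a444 bp 0x7ffe0bd8fec0 sp 0x7ffe0bd8fc10 T667758)
    ==667758==The signal is caused by a WRITE memory access.
    ==667758==Hint: address points to the zero page.
        #0 0x7ffaf167a444 in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:827:3
        #1 0x7ffaf13a53d8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #2 0x7ffaf1679cd9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/mathml/nsMathMLContainerFrame.cpp:827:3 in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    ==667758==ABORTING
"""


@dataclass
class Frame:
    index: int
    func: str
    file: str
    line: int

    @property
    def name(self) -> str:
        """Function name without its parameter list, for a stable signature."""
        return self.func.split("(", 1)[0]


@dataclass
class CrashReport:
    assertion: Optional[str] = None
    assertion_file: Optional[str] = None
    assertion_line: Optional[int] = None
    tool: Optional[str] = None
    kind: Optional[str] = None
    address: Optional[int] = None
    access: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def is_null_deref(self) -> bool:
        return self.address is not None and self.address < PAGE_SIZE

    def is_assertion_abort(self) -> bool:
        """True when the SEGV is the assertion's own deliberate crash.

        Firefox debug builds on Linux implement MOZ_ASSERT/MOZ_CRASH by writing
        through a NULL pointer, so a WRITE to the zero page whose top frame is
        the same file:line as the "Assertion failure" line is the abort itself.
        """
        top = self.top_frame()
        return (self.assertion is not None and top is not None
                and self.is_null_deref() and self.access == "WRITE"
                and top.file == self.assertion_file and top.line == self.assertion_line)

    def signature(self, depth: int = 3) -> str:
        """Top-N frame names, the usual key for deduplicating fuzzer crashes."""
        return " | ".join(f.name for f in self.frames[:depth])


def parse_report(text: str) -> CrashReport:
    rep = CrashReport()
    past_first_stack = False  # sanitizers may print allocation/free stacks after the crash stack
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ASSERT_RE.match(line)):
            rep.assertion, rep.assertion_file = m["cond"], m["file"]
            rep.assertion_line = int(m["line"])
        elif (m := ERROR_RE.match(line)):
            rep.tool, rep.kind, rep.address = m["tool"], m["kind"], int(m["addr"], 16)
        elif (m := SIGNAL_ACCESS_RE.match(line)) or (m := ASAN_ACCESS_RE.match(line)):
            rep.access = m["access"]
        elif (m := FRAME_RE.match(line)):
            idx = int(m["idx"])
            if idx == 0 and rep.frames:
                past_first_stack = True
            if not past_first_stack:
                rep.frames.append(Frame(idx, m["func"], m["file"], int(m["line"])))
    return rep


def classify(rep: CrashReport) -> str:
    """Coarse triage bucket: what to look at first."""
    if rep.is_assertion_abort():
        return "assertion-abort"  # chase the violated invariant, not the write to 0
    if rep.is_null_deref():
        return f"null-deref-{(rep.access or 'unknown').lower()}"
    if rep.kind and rep.kind != "SEGV":
        return rep.kind  # e.g. heap-use-after-free: treat as security-sensitive
    return f"segv-{(rep.access or 'unknown').lower()}-wild"


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(classify(r), "|", r.signature())
```

Run on the sample, the helper classifies the report as an assertion abort and yields the signature `nsMathMLContainerFrame::Reflow | nsContainerFrame::ReflowChild | nsMathMLContainerFrame::ReflowChild`; a constructed AddressSanitizer heap-use-after-free report is bucketed by its error kind instead, which is the case that deserves a security rating.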

Bugmon Analysis
Unable to reproduce bug 1736487 using build mozilla-central 20211018160929-ee8efced380b. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file Testcase

Updated testcase includes previously missing image file.

Attachment #9246556 - Attachment is obsolete: true
Keywords: bugmon

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211019095357-4185629111d3.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 0139ef8538bfc77f897d22c8fd3b55da7d542ebc (20201020094032)
End: ee8efced380b871deac4fba285955953a4a89ef5 (20211018160929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211018160929-ee8efced380b) but not with tip (mozilla-central 20220121214138-00753e705770).
The bug appears to have been fixed in the following build range:

Start: d3a989967dd3775b1b08ec6d3fe046ae7d48c215 (20220120214317)
End: 6ca2ae7f66684fae2b65257496074d7f2b0510b3 (20220121092745)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d3a989967dd3775b1b08ec6d3fe046ae7d48c215&tochange=6ca2ae7f66684fae2b65257496074d7f2b0510b3
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon