Open Bug 1741488 Opened 2 years ago Updated 5 months ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsBlockFrame.cpp:1248

Categories: Core :: Layout, defect
Platform: x86_64 Linux
Tracking Status: firefox109 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected]
Attachments (1 file, 1 obsolete file): 343 bytes, text/html

Testcase found while fuzzing mozilla-central rev 3890e2f0b025 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3890e2f0b025 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsBlockFrame.cpp:1248

    ==761473==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f072d9620c5 bp 0x7fffbd4cc410 sp 0x7fffbd4cbdd0 T761473)
    ==761473==The signal is caused by a WRITE memory access.
    ==761473==Hint: address points to the zero page.
        #0 0x7f072d9620c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1248:3
        #1 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #2 0x7f072dc2ea59 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #3 0x7f072dc35b16 in nsMathMLTokenFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLTokenFrame.cpp:132:5
        #4 0x7f072d971897 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #5 0x7f072d96d306 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3886:11
        #6 0x7f072d96ac86 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3226:5
        #7 0x7f072d965331 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2763:7
        #8 0x7f072d960b2b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #9 0x7f072d957a38 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:813:14
        #10 0x7f072d955b20 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) /layout/generic/nsAbsoluteContainingBlock.cpp:221:7
        #11 0x7f072da30c4d in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6749:24
        #12 0x7f072d9acd6a in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /layout/generic/nsIFrame.cpp:6716:3
        #13 0x7f072d9850fd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:881:3
        #14 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #15 0x7f072da92338 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:73:5
        #16 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #17 0x7f072da94817 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:146:3
        #18 0x7f072da94e58 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:169:13
        #19 0x7f072d9856ae in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #20 0x7f072d932fdd in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:132:5
        #21 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #22 0x7f072da98e6d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:356:5
        #23 0x7f072d9856ae in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #24 0x7f072d98490b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #25 0x7f072d9856ae in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1004:14
        #26 0x7f072d9d22e9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:773:3
        #27 0x7f072d9d2ecf in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:907:3
        #28 0x7f072d9d71ac in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1328:3
        #29 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #30 0x7f072d954b7d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #31 0x7f072d8569b6 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9605:11
        #32 0x7f072d8609ee in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9776:24
        #33 0x7f072d85fe97 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4264:11
        #34 0x7f072dce095b in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /layout/printing/nsPrintJob.cpp:1900:14
        #35 0x7f072dcdfe4d in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /layout/printing/nsPrintJob.cpp:1462:3
        #36 0x7f072dcdc52e in nsPrintJob::InitPrintDocConstruction(bool) /layout/printing/nsPrintJob.cpp:1502:5
        #37 0x7f072dce38c5 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /layout/printing/nsPrintJob.cpp:2733:17
        #38 0x7f072f4a2058 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
        #39 0x7f0729aaebc7 in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:256:28
        #40 0x7f07297ef09b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8238:32
        #41 0x7f07296732ef in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2043:25
        #42 0x7f072966fbe1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1968:9
        #43 0x7f0729671065 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1827:3
        #44 0x7f0729671c9d in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1855:14
        #45 0x7f0728bf6a4e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #46 0x7f0728bd0366 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #47 0x7f0728bcf028 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #48 0x7f0728bcf2a3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #49 0x7f0728bfa046 in operator() /xpcom/threads/TaskController.cpp:124:37
        #50 0x7f0728bfa046 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #51 0x7f0728be4d53 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1175:16
        #52 0x7f0728bebf3a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #53 0x7f0729679106 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #54 0x7f0729598747 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #55 0x7f0729598652 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #56 0x7f0729598652 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #57 0x7f072d528458 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #58 0x7f072f4e3013 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #59 0x7f0729679ffa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #60 0x7f0729598747 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #61 0x7f0729598652 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #62 0x7f0729598652 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #63 0x7f072f4e264b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #64 0x5602c4aefe49 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #65 0x5602c4aefe49 in main /browser/app/nsBrowserApp.cpp:327:18
        #66 0x7f073e5b90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #67 0x5602c4acb5dc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x155dc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsBlockFrame.cpp:1248:3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    ==761473==ABORTING
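A small triage helper for reports like the one above, added here as an example; it is not part of the bug report and not a Mozilla tool. It parses the "Assertion failure:" line, the sanitizer SEGV header and the symbolized frames, then decides whether the SEGV is the assertion abort itself or an independent bad memory access, and derives a short stack signature for deduplicating fuzzer finds. The only assumption not stated in the bug is that on non-Windows debug builds a failed MOZ_ASSERT aborts by deliberately writing to the null page, so a WRITE to address 0 whose frame #0 sits at the assertion's own file:line is that abort rather than a second bug. The sample input is a trimmed copy of the report above.

```python
"""Triage helper for sanitizer crash reports like the one in this bug.

Added example; it is not part of the bug report and not a Mozilla tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The 'Assertion failure: <cond> (<message>), at <file>:<line>' line printed by MOZ_ASSERT.
ASSERT_RE = re.compile(
    r"Assertion failure: (?P<cond>.+?) \((?P<msg>.*)\), at (?P<file>[^\s:]+):(?P<line>\d+)$")
# Sanitizer SEGV header and the READ/WRITE hint that follows it.
SEGV_RE = re.compile(r"==\d+==ERROR: (?P<san>\w+): SEGV on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# Symbolized frame: '#N 0x... in <function> <file>:<line>[:<col>]'.
FRAME_RE = re.compile(
    r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?$")

ZERO_PAGE = 0x1000  # the first page is never mapped, so faults below it are null-pointer faults


@dataclass
class Assertion:
    condition: str
    message: str
    file: str
    line: int


@dataclass
class Frame:
    index: int
    func: str
    file: str
    line: int


@dataclass
class CrashReport:
    sanitizer: Optional[str] = None
    fault_addr: Optional[int] = None
    access: Optional[str] = None
    assertion: Optional[Assertion] = None
    frames: List[Frame] = field(default_factory=list)


def parse_sanitizer_report(text: str) -> CrashReport:
    """Extract the assertion line, the fault description and the symbolized frames."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ASSERT_RE.search(line)) and report.assertion is None:
            report.assertion = Assertion(m["cond"], m["msg"], m["file"], int(m["line"]))
        elif m := SEGV_RE.search(line):
            report.sanitizer = m["san"]
            report.fault_addr = int(m["addr"], 16)
        elif m := ACCESS_RE.search(line):
            report.access = m["access"]
        elif m := FRAME_RE.search(line):
            report.frames.append(Frame(int(m["n"]), m["func"], m["file"], int(m["line"])))
    report.frames.sort(key=lambda f: f.index)
    return report


def classify(report: CrashReport) -> str:
    """Decide whether the SEGV is the assertion abort itself or a separate bad access.

    Assumption (not stated in the bug): on non-Windows debug builds a failed
    MOZ_ASSERT aborts by deliberately writing to the null page, so a WRITE below
    ZERO_PAGE whose frame #0 sits at the assertion's own file:line is that abort.
    """
    if report.fault_addr is None:
        return "no-fault"
    on_zero_page = report.fault_addr < ZERO_PAGE
    top = report.frames[0] if report.frames else None
    a = report.assertion
    if (a and top and report.access == "WRITE" and on_zero_page
            and (top.file, top.line) == (a.file, a.line)):
        return "assertion-abort"
    return "null-deref" if on_zero_page else "wild-access"


def stack_signature(report: CrashReport, depth: int = 5) -> Tuple[str, ...]:
    """Top-N function names with parameter lists stripped; a cheap key for deduplicating finds."""
    names = []
    for f in report.frames[:depth]:
        # keep 'operator()' whole; otherwise drop everything from the first '(' on
        names.append(f.func if f.func.startswith("operator") else f.func.split("(", 1)[0])
    return tuple(names)


# Constructed sample: a trimmed copy of the report in this bug (header plus frames #0-#3).
SAMPLE_REPORT = """\
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsBlockFrame.cpp:1248
    ==761473==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f072d9620c5 bp 0x7fffbd4cc410 sp 0x7fffbd4cbdd0 T761473)
    ==761473==The signal is caused by a WRITE memory access.
    ==761473==Hint: address points to the zero page.
        #0 0x7f072d9620c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1248:3
        #1 0x7f072d9553b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1044:14
        #2 0x7f072dc2ea59 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #3 0x7f072dc35b16 in nsMathMLTokenFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLTokenFrame.cpp:132:5
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsBlockFrame.cpp:1248:3 in nsBlockFrame::Reflow(...)
"""

if __name__ == "__main__":
    r = parse_sanitizer_report(SAMPLE_REPORT)
    print(classify(r), stack_signature(r, 3))
```

On the report above this yields "assertion-abort": the write to the zero page is at exactly the assertion's file and line, which is what a deliberate abort looks like and is consistent with the S3 severity the bug carries. The same script labels a report with no assertion line but the same zero-page write as "null-deref", and one with a fault address outside the first page as "wild-access", which is the case that deserves a closer look for memory-safety impact.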
Attached file Testcase (obsolete)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211116212601-0799fad6d9ec.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 42e7e98c701d3e8c8c66a5acca0f0aeeb5076661 (20201118041908)
End: 3890e2f0b0250c7d13367b969f483996ac1c2e81 (20211116093425)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211116093425-3890e2f0b025) but not with tip (mozilla-central 20220205014840-e8991d00a1d1).
The bug appears to have been fixed in the following build range:

Start: fee49db0bb715b3ce0f63fa0d8c1bcf65c0a0f74 (20220120210506)
End: 491a8943e259ce00edaa01e9d977e3bba541977b (20220120224849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fee49db0bb715b3ce0f63fa0d8c1bcf65c0a0f74&tochange=491a8943e259ce00edaa01e9d977e3bba541977b
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file testcase.html
Attachment #9250991 - Attachment is obsolete: true
Keywords: assertion, bugmon
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected]

Unable to reproduce bug 1741488 using build mozilla-central 20211126050650-422457edff03. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Duplicate of this bug: 1855251
See Also: → 1410243