Closed Bug 1748277 Opened 2 years ago Closed 2 years ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsPageFrame.cpp:719

Categories: Core :: Layout, defect
Platform: x86_64, Linux
Status: VERIFIED FIXED
Target Milestone: 98 Branch
Tracking Status: firefox98 verified
People: Reporter: jkratzer, Assigned: TYLin
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files

Testcase found while fuzzing mozilla-central rev 1cb2015e6fbc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 1cb2015e6fbc --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsPageFrame.cpp:719

    ==126027==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f39e6defd78 bp 0x7fff40f44c60 sp 0x7fff40f44c00 T126027)
    ==126027==The signal is caused by a WRITE memory access.
    ==126027==Hint: address points to the zero page.
        #0 0x7f39e6defd78 in nsPageBreakFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:719:3
        #1 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #2 0x7f39e6f87da9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #3 0x7f39e6f8ecb6 in nsMathMLTokenFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLTokenFrame.cpp:132:5
        #4 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #5 0x7f39e6f87da9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #6 0x7f39e6f883ee in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:847:5
        #7 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #8 0x7f39e6f87da9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #9 0x7f39e6f883ee in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:847:5
        #10 0x7f39e6ddeeab in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:875:13
        #11 0x7f39e6daf61d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:671:15
        #12 0x7f39e6daed16 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:545:7
        #13 0x7f39e6dae566 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:359:3
        #14 0x7f39e6ddeeab in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:875:13
        #15 0x7f39e6cc989f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /layout/generic/nsBlockFrame.cpp:4565:15
        #16 0x7f39e6cc8e66 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /layout/generic/nsBlockFrame.cpp:4367:5
        #17 0x7f39e6cc47e1 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4252:9
        #18 0x7f39e6cc0db0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3229:5
        #19 0x7f39e6cbb501 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2763:7
        #20 0x7f39e6cb6cfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #21 0x7f39e6cc7a67 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:288:11
        #22 0x7f39e6cc34d6 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3886:11
        #23 0x7f39e6cc0e56 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3226:5
        #24 0x7f39e6cbb501 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2763:7
        #25 0x7f39e6cb6cfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #26 0x7f39e6cdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #27 0x7f39e6cdab2b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #28 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #29 0x7f39e6deabe8 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:73:5
        #30 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #31 0x7f39e6ded0c7 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:146:3
        #32 0x7f39e6ded708 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:169:13
        #33 0x7f39e6cdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #34 0x7f39e6c890fd in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:132:5
        #35 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #36 0x7f39e6df14ed in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:356:5
        #37 0x7f39e6cdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #38 0x7f39e6cdab2b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #39 0x7f39e6cdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #40 0x7f39e6d293a6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:839:3
        #41 0x7f39e6d29d6f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:974:3
        #42 0x7f39e6d2dd91 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1369:3
        #43 0x7f39e6cab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #44 0x7f39e6caad4d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #45 0x7f39e6babb4f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9637:11
        #46 0x7f39e6bb5c2e in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9808:24
        #47 0x7f39e6bb50d3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4300:11
        #48 0x7f39e7037c1f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1443:5
        #49 0x7f39e7037c1f in nsPrintJob::ReconstructAndReflow(bool) /layout/printing/nsPrintJob.cpp:1108:16
        #50 0x7f39e70368b4 in nsPrintJob::SetupToPrintContent() /layout/printing/nsPrintJob.cpp:1170:19
        #51 0x7f39e703a4e3 in DocumentReadyForPrinting /layout/printing/nsPrintJob.cpp:942:17
        #52 0x7f39e703a4e3 in nsPrintJob::FinishPrintPreview() /layout/printing/nsPrintJob.cpp:2467:8
        #53 0x7f39e703a061 in nsPrintJob::MaybeResumePrintAfterResourcesLoaded(bool) /layout/printing/nsPrintJob.cpp:1450:10
        #54 0x7f39e703a8a2 in nsPrintJob::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /layout/printing/nsPrintJob.cpp:1471:5
        #55 0x7f39e3094b0c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #56 0x7f39e3093a0f in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /uriloader/base/nsDocLoader.cpp:1340:14
        #57 0x7f39e3093be0 in nsDocLoader::doStopURLLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:936:3
        #58 0x7f39e30932c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:645:3
        #59 0x7f39e8244e8d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13540:23
        #60 0x7f39e1e0c83a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #61 0x7f39e1e0de23 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #62 0x7f39e3717b1c in imgRequestProxy::RemoveFromLoadGroup() /image/imgRequestProxy.cpp:372:15
        #63 0x7f39e371dabf in imgRequestProxy::OnLoadComplete(bool) /image/imgRequestProxy.cpp:1005:7
        #64 0x7f39e36ec60a in operator() /image/ProgressTracker.cpp:351:13
        #65 0x7f39e36ec60a in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /image/ProgressTracker.cpp:281:9
        #66 0x7f39e36eada3 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /image/ProgressTracker.cpp:350:5
        #67 0x7f39e36b1181 in operator() /image/ProgressTracker.cpp:369:5
        #68 0x7f39e36b1181 in Read<(lambda at /image/ProgressTracker.cpp:368:19)> /image/CopyOnWrite.h:155:12
        #69 0x7f39e36b1181 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /image/ProgressTracker.cpp:368:14
        #70 0x7f39e36b9f8c in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/RasterImage.cpp:1580:28
        #71 0x7f39e36c090e in mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) /image/RasterImage.cpp:917:3
        #72 0x7f39e36c0578 in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsresult, bool) /image/RasterImage.cpp:899:3
        #73 0x7f39e3712b12 in imgRequest::OnStopRequest(nsIRequest*, nsresult) /image/imgRequest.cpp:741:26
        #74 0x7f39e231b6af in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult) /netwerk/protocol/http/HttpChannelChild.cpp:1030:15
        #75 0x7f39e2319e0d in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /netwerk/protocol/http/HttpChannelChild.cpp:907:5
        #76 0x7f39e2376d2d in operator() /netwerk/protocol/http/HttpChannelChild.cpp:791:15
        #77 0x7f39e2376d2d in std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool)::$_9>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
        #78 0x7f39e24fc8bb in mozilla::net::ChannelEventQueue::FlushQueue() /netwerk/ipc/ChannelEventQueue.cpp:94:12
        #79 0x7f39e253111c in MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:335:5
        #80 0x7f39e253111c in CompleteResume /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:314:5
        #81 0x7f39e253111c in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /netwerk/ipc/ChannelEventQueue.cpp:152:17
        #82 0x7f39e1c13162 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:144:20
        #83 0x7f39e1c42a7e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #84 0x7f39e1c1c716 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #85 0x7f39e1c1b3d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #86 0x7f39e1c1b653 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #87 0x7f39e1c460e6 in operator() /xpcom/threads/TaskController.cpp:124:37
        #88 0x7f39e1c460e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #89 0x7f39e1c31053 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1183:16
        #90 0x7f39e1c382ba in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #91 0x7f39e26dabd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #92 0x7f39e25fa0b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #93 0x7f39e25f9fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #94 0x7f39e25f9fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #95 0x7f39e68775a8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #96 0x7f39e889a333 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:864:20
        #97 0x7f39e26dbaca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #98 0x7f39e25fa0b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #99 0x7f39e25f9fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #100 0x7f39e25f9fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #101 0x7f39e889996b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:701:34
        #102 0x561583b40029 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #103 0x561583b40029 in main /browser/app/nsBrowserApp.cpp:327:18
        #104 0x7f39f84fa0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #105 0x561583b1b7bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x157bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsPageFrame.cpp:719:3 in nsPageBreakFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    ==126027==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220104034109-8bc2581b2c7b.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 1cb2015e6fbc11f3a03137692fe60b111b94693a (20220103092929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

The soft assertion count is from the childStatus.IsComplete() added in this
patch.

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)

The severity field is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)
Severity: -- → S3
Flags: needinfo?(aethanyc)
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/a2611136a2db
Use fresh nsReflowStatus when reflowing nsMathMLTokenFrame's children. r=dholbert
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
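
The caller-side pattern behind this assertion and the landed fix ("Use fresh nsReflowStatus when reflowing nsMathMLTokenFrame's children"), as an added example that is not Gecko code and not part of the original bug. `ReflowStatus`, `Child`, `Result` and both parent functions are simplified, hypothetical stand-ins, the child sequence is constructed, and the assertion is modelled as a counter so both variants run to completion.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified stand-in for nsReflowStatus (not Gecko's class).
class ReflowStatus {
 public:
  bool IsEmpty() const { return mBits == 0; }
  bool IsComplete() const { return (mBits & kIncomplete) == 0; }
  void SetBreakAfter() { mBits |= kBreakAfter; }

 private:
  enum : uint8_t { kIncomplete = 1, kBreakAfter = 2 };
  uint8_t mBits = 0;
};

struct Result {
  int staleStatusHits = 0;     // times a child was handed a non-empty status
  int incompleteChildren = 0;  // children whose own status was not complete
  bool parentStatusEmpty = true;
};

// Hypothetical child frame. Its Reflow has the precondition named in the
// assertion message: the caller must pass a fresh (empty) status.
struct Child {
  bool requestsBreak;
  void Reflow(ReflowStatus& aStatus, Result& aResult) const {
    if (!aStatus.IsEmpty()) ++aResult.staleStatusHits;  // models the assert
    if (requestsBreak) aStatus.SetBreakAfter();
  }
};

// Before: the parent forwards one status object to every child, so whatever
// an earlier child wrote is still there when the next child is reflowed.
Result ReflowChildrenShared(const std::vector<Child>& aKids) {
  Result r;
  ReflowStatus status;  // stands in for the parent's own aStatus
  for (const Child& kid : aKids) kid.Reflow(status, r);
  r.parentStatusEmpty = status.IsEmpty();
  return r;
}

// After: each child gets its own fresh status, and the parent inspects it
// (here with an IsComplete() check) instead of inheriting its bits.
Result ReflowChildrenFresh(const std::vector<Child>& aKids) {
  Result r;
  ReflowStatus status;
  for (const Child& kid : aKids) {
    ReflowStatus childStatus;
    kid.Reflow(childStatus, r);
    if (!childStatus.IsComplete()) ++r.incompleteChildren;
  }
  r.parentStatusEmpty = status.IsEmpty();
  return r;
}

// Constructed input: plain, break-requesting, plain, break-requesting.
std::vector<Child> SampleChildren() { return {{false}, {true}, {false}, {true}}; }

int main() {
  Result shared = ReflowChildrenShared(SampleChildren());
  Result fresh = ReflowChildrenFresh(SampleChildren());
  std::printf("shared: stale=%d parentEmpty=%d\n", shared.staleStatusHits, shared.parentStatusEmpty);
  std::printf("fresh:  stale=%d parentEmpty=%d\n", fresh.staleStatusHits, fresh.parentStatusEmpty);
  return 0;
}
```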

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220121092745-6ca2ae7f6668.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:TYLin, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

Sorry, wrong needinfo because of a bug in the bot.

Flags: needinfo?(aethanyc)