Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at /layout/generic/nsLineBox.h:833
Component: Core :: Layout: Block and Inline (defect)
Reporter: jkratzer; Assignee: Unassigned; status: NeedInfo
References: Blocks 1 open bug
Keywords: bugmon, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (testcase, 1.61 KB, text/plain)
Testcase found while fuzzing mozilla-central rev 7e01ab125e4c (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7e01ab125e4c --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at /layout/generic/nsLineBox.h:833
==2548504==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f97f92d5615 bp 0x7ffc6b546440 sp 0x7ffc6b5463a0 T2548504)
==2548504==The signal is caused by a WRITE memory access.
==2548504==Hint: address points to the zero page.
#0 0x7f97f92d5615 in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*) /layout/generic/nsBlockFrame.cpp
#1 0x7f97f92d5942 in nsBlockFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsLineList_iterator const*, nsFrameList&) /layout/generic/nsBlockFrame.cpp:5621:3
#2 0x7f97f91fa11f in SplitInlineAncestors(nsContainerFrame*, nsLineList_iterator, nsIFrame*) /layout/base/nsBidiPresUtils.cpp:670:20
#3 0x7f97f91f96f9 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /layout/base/nsBidiPresUtils.cpp:1135:13
#4 0x7f97f91f7f34 in ResolveParagraphWithinBlock /layout/base/nsBidiPresUtils.cpp:1476:3
#5 0x7f97f91f7f34 in nsBidiPresUtils::TraverseFrames(nsIFrame*, BidiParagraphData*) /layout/base/nsBidiPresUtils.cpp:1386:11
#6 0x7f97f91f6eff in nsBidiPresUtils::Resolve(nsBlockFrame*) /layout/base/nsBidiPresUtils.cpp:855:5
#7 0x7f97f92bb975 in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:795:5
#8 0x7f97f92e6642 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:430:35
#9 0x7f97f928d44e in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:181:34
#10 0x7f97f92563bd in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#11 0x7f97f9257efc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5126:10
#12 0x7f97f92bbcdb in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:815:29
#13 0x7f97f92e6642 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:430:35
#14 0x7f97f928d44e in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:181:34
#15 0x7f97f92f62fd in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6504:16
#16 0x7f97f929627b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2369:19
#17 0x7f97f9292b75 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:356:3
#18 0x7f97f9293565 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:216:5
#19 0x7f97f92e21a7 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:775:19
#20 0x7f97f92e325e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
#21 0x7f97f9331026 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
#22 0x7f97f93319ef in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:973:3
#23 0x7f97f9335a81 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1395:3
#24 0x7f97f92b3036 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
#25 0x7f97f92b27fd in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
#26 0x7f97f91b0592 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9553:11
#27 0x7f97f91ba7fe in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9724:24
#28 0x7f97f91b9aa5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4302:11
#29 0x7f97f5b85200 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1448:5
#30 0x7f97f5b85200 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10765:16
#31 0x7f97f91af7ad in mozilla::PresShell::SimpleResizeReflow(int, int, mozilla::ResizeReflowOptions) /layout/base/PresShell.cpp:2010:16
#32 0x7f97f919e38f in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, mozilla::ResizeReflowOptions) /layout/base/PresShell.cpp:2043:5
#33 0x7f97f8e1eb63 in nsViewManager::DoSetWindowDimensions(int, int, bool) /view/nsViewManager.cpp:183:16
#34 0x7f97f92322ca in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /layout/base/nsDocumentViewer.cpp:2009:19
#35 0x7f97fa870246 in nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /docshell/base/nsDocShell.cpp:4700:27
#36 0x7f97fac4767f in nsWebBrowser::SetPositionAndSize(int, int, int, int, unsigned int) /toolkit/components/browser/nsWebBrowser.cpp:934:3
#37 0x7f97f86fbf61 in mozilla::dom::BrowserChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&) /dom/ipc/BrowserChild.cpp:1289:12
#38 0x7f97f880bda5 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5056:56
#39 0x7f97f886afbb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8857:32
#40 0x7f97f4ddd431 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1674:25
#41 0x7f97f4dda7e7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /ipc/glue/MessageChannel.cpp:1599:9
#42 0x7f97f4ddb2da in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1462:3
#43 0x7f97f4ddbe43 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1496:14
#44 0x7f97f424bcfe in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
#45 0x7f97f4224ce6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:775:26
#46 0x7f97f4223978 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:611:15
#47 0x7f97f4223bf3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
#48 0x7f97f424f359 in operator() /xpcom/threads/TaskController.cpp:127:37
#49 0x7f97f424f359 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#50 0x7f97f4239c73 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1173:16
#51 0x7f97f424118a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#52 0x7f97f4de2784 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#53 0x7f97f4d02247 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#54 0x7f97f4d02152 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#55 0x7f97f4d02152 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#56 0x7f97f8e82378 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#57 0x7f97faf94c83 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
#58 0x7f97f4de36ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#59 0x7f97f4d02247 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#60 0x7f97f4d02152 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#61 0x7f97f4d02152 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#62 0x7f97faf942b9 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
#63 0x564cb4d392f7 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x564cb4d392f7 in main /browser/app/nsBrowserApp.cpp:327:18
#65 0x7f980a5210b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#66 0x564cb4d14a7c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15a7c)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsBlockFrame.cpp in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*)
==2548504==ABORTING
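A small triage parser for reports like the one above, added here as an example (it is not part of this bug, of Grizzly or of any Mozilla tooling). The sample input is the report above cut down to three frames; the field names and the bucketing scheme are my own choices.

```python
import re
from dataclasses import dataclass, field
# Constructed sample input: the opening lines of this bug's report, cut to three frames.
SAMPLE_REPORT = """\
Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at /layout/generic/nsLineBox.h:833
==2548504==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f97f92d5615 bp 0x7ffc6b546440 sp 0x7ffc6b5463a0 T2548504)
==2548504==The signal is caused by a WRITE memory access.
    #0 0x7f97f92d5615 in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*) /layout/generic/nsBlockFrame.cpp
    #1 0x7f97f92d5942 in nsBlockFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsLineList_iterator const*, nsFrameList&) /layout/generic/nsBlockFrame.cpp:5621:3
    #2 0x7f97f91fa11f in SplitInlineAncestors(nsContainerFrame*, nsLineList_iterator, nsIFrame*) /layout/base/nsBidiPresUtils.cpp:670:20
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsBlockFrame.cpp in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*)
"""

@dataclass
class CrashTriage:
    assertion: str = ""        # condition text of the assertion that fired
    assertion_at: str = ""     # file:line of that assertion
    sanitizer: str = ""        # e.g. UndefinedBehaviorSanitizer
    fault: str = ""            # SEGV, heap-use-after-free, ...
    address: str = ""          # faulting address as printed
    access: str = ""           # READ or WRITE
    frames: list[str] = field(default_factory=list)  # function names, top first

ASSERT_RE = re.compile(r"^Assertion failure: (.*), at (\S+)$")
ERROR_RE = re.compile(r"^==\d+==ERROR: (\w+): (\S+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (/\S+|\(\S+\))$")

def parse_report(text: str) -> CrashTriage:
    t = CrashTriage()
    for line in text.splitlines():
        if m := ASSERT_RE.match(line):
            t.assertion, t.assertion_at = m.group(1), m.group(2)
        elif m := ERROR_RE.match(line):
            t.sanitizer, t.fault, t.address = m.groups()
        elif m := ACCESS_RE.search(line):
            t.access = m.group(1)
        elif m := FRAME_RE.match(line):
            t.frames.append(m.group(1))
    return t

def bucket_key(t: CrashTriage, depth: int = 3) -> str:
    # Dedup signature: fault kind, access kind and the top N function names with
    # argument lists stripped, so reports differing only in addresses share a bucket.
    names = [f.split("(", 1)[0] for f in t.frames[:depth]]
    return f"{t.fault or 'assert'}:{t.access or '-'}:" + "|".join(names)

def is_null_page_write(t: CrashTriage) -> bool:
    # A write to the zero page, as here, stems from a null-derived pointer (the
    # iterator from a different list) and is triaged apart from other SEGV writes.
    return t.fault == "SEGV" and t.access == "WRITE" and int(t.address or "1", 16) < 0x1000
```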
Comment 1 (Reporter) • 3 years ago
Comment 2•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220314154526-b3eceffcdc4e.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 29ed711969d6dfc9d0f74f0a1cfed57b5e580788 (20210315091836)
End: 7e01ab125e4caeeeb7bdb0a58471f502063b1e19 (20220314094248)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 3•3 years ago
The severity field is not set for this bug.
:alaskanemily, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4•1 year ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 5 (Reporter) • 1 year ago
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.