Open Bug 1759515 Opened 2 years ago Updated 11 months ago

Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at /layout/generic/nsLineBox.h:833

Categories

(Core :: Layout: Block and Inline, defect)

x86_64
Linux
defect


People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 7e01ab125e4c (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7e01ab125e4c --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at /layout/generic/nsLineBox.h:833

    ==2548504==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f97f92d5615 bp 0x7ffc6b546440 sp 0x7ffc6b5463a0 T2548504)
    ==2548504==The signal is caused by a WRITE memory access.
    ==2548504==Hint: address points to the zero page.
        #0 0x7f97f92d5615 in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*) /layout/generic/nsBlockFrame.cpp
        #1 0x7f97f92d5942 in nsBlockFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsLineList_iterator const*, nsFrameList&) /layout/generic/nsBlockFrame.cpp:5621:3
        #2 0x7f97f91fa11f in SplitInlineAncestors(nsContainerFrame*, nsLineList_iterator, nsIFrame*) /layout/base/nsBidiPresUtils.cpp:670:20
        #3 0x7f97f91f96f9 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /layout/base/nsBidiPresUtils.cpp:1135:13
        #4 0x7f97f91f7f34 in ResolveParagraphWithinBlock /layout/base/nsBidiPresUtils.cpp:1476:3
        #5 0x7f97f91f7f34 in nsBidiPresUtils::TraverseFrames(nsIFrame*, BidiParagraphData*) /layout/base/nsBidiPresUtils.cpp:1386:11
        #6 0x7f97f91f6eff in nsBidiPresUtils::Resolve(nsBlockFrame*) /layout/base/nsBidiPresUtils.cpp:855:5
        #7 0x7f97f92bb975 in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:795:5
        #8 0x7f97f92e6642 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:430:35
        #9 0x7f97f928d44e in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:181:34
        #10 0x7f97f92563bd in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
        #11 0x7f97f9257efc in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5126:10
        #12 0x7f97f92bbcdb in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:815:29
        #13 0x7f97f92e6642 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:430:35
        #14 0x7f97f928d44e in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:181:34
        #15 0x7f97f92f62fd in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6504:16
        #16 0x7f97f929627b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2369:19
        #17 0x7f97f9292b75 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:356:3
        #18 0x7f97f9293565 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:216:5
        #19 0x7f97f92e21a7 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:775:19
        #20 0x7f97f92e325e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #21 0x7f97f9331026 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
        #22 0x7f97f93319ef in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:973:3
        #23 0x7f97f9335a81 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1395:3
        #24 0x7f97f92b3036 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #25 0x7f97f92b27fd in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #26 0x7f97f91b0592 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9553:11
        #27 0x7f97f91ba7fe in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9724:24
        #28 0x7f97f91b9aa5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4302:11
        #29 0x7f97f5b85200 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1448:5
        #30 0x7f97f5b85200 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10765:16
        #31 0x7f97f91af7ad in mozilla::PresShell::SimpleResizeReflow(int, int, mozilla::ResizeReflowOptions) /layout/base/PresShell.cpp:2010:16
        #32 0x7f97f919e38f in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, mozilla::ResizeReflowOptions) /layout/base/PresShell.cpp:2043:5
        #33 0x7f97f8e1eb63 in nsViewManager::DoSetWindowDimensions(int, int, bool) /view/nsViewManager.cpp:183:16
        #34 0x7f97f92322ca in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /layout/base/nsDocumentViewer.cpp:2009:19
        #35 0x7f97fa870246 in nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /docshell/base/nsDocShell.cpp:4700:27
        #36 0x7f97fac4767f in nsWebBrowser::SetPositionAndSize(int, int, int, int, unsigned int) /toolkit/components/browser/nsWebBrowser.cpp:934:3
        #37 0x7f97f86fbf61 in mozilla::dom::BrowserChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&) /dom/ipc/BrowserChild.cpp:1289:12
        #38 0x7f97f880bda5 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5056:56
        #39 0x7f97f886afbb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8857:32
        #40 0x7f97f4ddd431 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1674:25
        #41 0x7f97f4dda7e7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /ipc/glue/MessageChannel.cpp:1599:9
        #42 0x7f97f4ddb2da in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1462:3
        #43 0x7f97f4ddbe43 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1496:14
        #44 0x7f97f424bcfe in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #45 0x7f97f4224ce6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:775:26
        #46 0x7f97f4223978 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:611:15
        #47 0x7f97f4223bf3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #48 0x7f97f424f359 in operator() /xpcom/threads/TaskController.cpp:127:37
        #49 0x7f97f424f359 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #50 0x7f97f4239c73 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1173:16
        #51 0x7f97f424118a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #52 0x7f97f4de2784 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #53 0x7f97f4d02247 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #54 0x7f97f4d02152 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #55 0x7f97f4d02152 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #56 0x7f97f8e82378 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #57 0x7f97faf94c83 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #58 0x7f97f4de36ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #59 0x7f97f4d02247 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #60 0x7f97f4d02152 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #61 0x7f97f4d02152 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #62 0x7f97faf942b9 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #63 0x564cb4d392f7 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #64 0x564cb4d392f7 in main /browser/app/nsBrowserApp.cpp:327:18
        #65 0x7f980a5210b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #66 0x564cb4d14a7c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15a7c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsBlockFrame.cpp in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*, nsLineList_iterator const*)
    ==2548504==ABORTING
Attached file Testcase
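Added illustration, not part of the bug report and not Gecko's nsLineList code. Two points for anyone triaging the log above: first, in Gecko debug builds a failed MOZ_ASSERT ends in MOZ_CRASH, which deliberately writes through a null pointer, so the UBSan "SEGV ... WRITE ... zero page" report that follows the assertion line is the assertion abort itself and not evidence of a second memory-safety bug; second, the assertion only exists in debug builds, so the interesting question for a release build is what the splice in nsBlockFrame::AddFrames does with an iterator whose list disagrees with the block it is inserting into. The hypothetical C++ below models that contract: a sentinel-terminated intrusive line list whose iterators carry the identity of the list they came from, an equality operator that asserts the identities match (the same shape as the nsLineBox.h assertion), and an insert routine that refuses a foreign iterator instead of linking into the wrong list. DemoMismatchCaught reproduces only the shape of the call in the trace (an iterator into one list handed to an insert on another, as SplitInlineAncestors passes an nsLineList_iterator into InsertFrames); the actual cause of the mismatch in this bug is not established on the page. All names (Line, LineList, SameList, DemoCorrectInsert, DemoMismatchCaught) are invented for this example.

```cpp
#include <cassert>
#include <cstdio>

// Hypothetical model, not Gecko's nsLineList/nsLineList_iterator: a
// sentinel-terminated intrusive list whose iterators remember their list.
struct Line {
  explicit Line(int aId = 0) : mId(aId) {}
  Line* mNext = nullptr;
  Line* mPrev = nullptr;
  int mId;
};

class LineList {
 public:
  class Iterator {
   public:
    Iterator(Line* aNode, const LineList* aList) : mNode(aNode), mList(aList) {}
    Line* get() const { return mNode; }
    const LineList* list() const { return mList; }
    Iterator& operator++() { mNode = mNode->mNext; return *this; }
    // Debug-build contract with the same shape as the assertion in the
    // report: iterators may only be compared if they walk the same list.
    bool operator==(const Iterator& aOther) const {
      assert(mList == aOther.mList && "comparing iterators over different lists");
      return mNode == aOther.mNode;
    }
    bool operator!=(const Iterator& aOther) const { return !(*this == aOther); }
   private:
    Line* mNode;
    const LineList* mList;
  };

  LineList() { mSentinel.mNext = mSentinel.mPrev = &mSentinel; }

  Iterator begin() { return Iterator(mSentinel.mNext, this); }
  Iterator end() { return Iterator(&mSentinel, this); }
  void PushBack(Line* aLine) { LinkBefore(&mSentinel, aLine); }

  // The assertion is compiled out of release builds, so the routine that
  // splices must itself refuse an iterator that belongs to another list
  // instead of linking aLine into whatever list aPos really points into.
  bool InsertBefore(const Iterator& aPos, Line* aLine) {
    if (aPos.list() != this) return false;
    LinkBefore(aPos.get(), aLine);
    return true;
  }

  int Count() const {
    int n = 0;
    for (const Line* l = mSentinel.mNext; l != &mSentinel; l = l->mNext) ++n;
    return n;
  }

 private:
  void LinkBefore(Line* aAt, Line* aLine) {
    aLine->mPrev = aAt->mPrev;
    aLine->mNext = aAt;
    aAt->mPrev->mNext = aLine;
    aAt->mPrev = aLine;
  }
  Line mSentinel;
};

// The condition the assertion checks, evaluated without tripping it.
bool SameList(const LineList::Iterator& a, const LineList::Iterator& b) {
  return a.list() == b.list();
}

// Correct use: insert at the front of the list the iterator belongs to,
// then read the ids back in order (3,1,2 encoded as 312).
int DemoCorrectInsert() {
  LineList a;
  Line l1(1), l2(2), l3(3);
  a.PushBack(&l1);
  a.PushBack(&l2);
  if (!a.InsertBefore(a.begin(), &l3)) return -1;
  int order = 0;
  for (LineList::Iterator it = a.begin(); it != a.end(); ++it) {
    order = order * 10 + it.get()->mId;
  }
  return order;
}

// Misuse: an iterator taken from list a is used against list b, the shape
// of a caller still holding an iterator after lines moved to another list.
// Returns true when both guards catch it and neither list is modified.
bool DemoMismatchCaught() {
  LineList a, b;
  Line l1(1), l2(2), l3(3);
  a.PushBack(&l1);
  a.PushBack(&l2);
  LineList::Iterator stale = a.begin();
  bool assertionWouldFire = !SameList(stale, b.end());
  bool refused = !b.InsertBefore(stale, &l3);
  return assertionWouldFire && refused && a.Count() == 2 && b.Count() == 0;
}

int main() {
  std::printf("insert order %d, cross-list iterator caught: %s\n",
              DemoCorrectInsert(), DemoMismatchCaught() ? "yes" : "no");
  return 0;
}
```

The point of splitting the check into SameList plus the guard inside InsertBefore is that an assertion alone documents the contract but enforces nothing once NDEBUG is defined; the routine that owns the list is the one place that can still refuse safely in release builds.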

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220314154526-b3eceffcdc4e.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 29ed711969d6dfc9d0f74f0a1cfed57b5e580788 (20210315091836)
End: 7e01ab125e4caeeeb7bdb0a58471f502063b1e19 (20220314094248)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:alaskanemily, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(emcdonough)

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
