Open Bug 1763275 Opened 3 years ago Updated 6 months ago

Assertion failure: firstWrappedChild (anonymous item shouldn't be empty), at src/layout/base/nsCSSFrameConstructor.cpp:9395

Categories

(Core :: Layout: Grid, defect)

Tracking Status
firefox101 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20220405-7fac8607d414 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: firstWrappedChild (anonymous item shouldn't be empty), at src/layout/base/nsCSSFrameConstructor.cpp:9395

#0 0x7f47215b1833 in VerifyGridFlexContainerChildren src/layout/base/nsCSSFrameConstructor.cpp:9395:7
#1 0x7f47215b1833 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:9477:3
#2 0x7f47215b2217 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9634:3
#3 0x7f47215bc499 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:3791:9
#4 0x7f47215c0a4d in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:5614:3
#5 0x7f47215b1536 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:9474:5
#6 0x7f47215b2217 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9634:3
#7 0x7f47215b6142 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10523:3
#8 0x7f47215bcd09 in ConstructNonScrollableBlockWithConstructor src/layout/base/nsCSSFrameConstructor.cpp:4580:3
#9 0x7f47215bcd09 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:4551:10
#10 0x7f47215bbbdd in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:3651:16
#11 0x7f47215c0a4d in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:5614:3
#12 0x7f47215b1536 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:9474:5
#13 0x7f47215cd13d in nsCSSFrameConstructor::ReplicateFixedFrames(nsPageContentFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8160:7
#14 0x7f472179e41b in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageContentFrame.cpp:41:56
#15 0x7f472165f086 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1045:14
#16 0x7f47217a0db7 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) src/layout/generic/nsPageFrame.cpp:146:3
#17 0x7f47217a13f8 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageFrame.cpp:169:13
#18 0x7f472168f2ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1005:14
#19 0x7f472163c44d in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/PrintedSheetFrame.cpp:132:5
#20 0x7f472165f086 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1045:14
#21 0x7f47217a51ad in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageSequenceFrame.cpp:370:5
#22 0x7f472168f2ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1005:14
#23 0x7f472168e52b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:791:7
#24 0x7f472168f2ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1005:14
#25 0x7f47216dcc86 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:838:3
#26 0x7f47216dd64f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:973:3
#27 0x7f47216e1821 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1395:3
#28 0x7f472165f086 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1045:14
#29 0x7f472165e84d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:374:7
#30 0x7f472155c2a2 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9598:11
#31 0x7f472156676e in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9769:24
#32 0x7f4721565a15 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4347:11
#33 0x7f47219eabcb in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) src/layout/printing/nsPrintJob.cpp:1607:14
#34 0x7f47219ea0bf in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) src/layout/printing/nsPrintJob.cpp:1169:3
#35 0x7f47219e6bbc in nsPrintJob::InitPrintDocConstruction(bool) src/layout/printing/nsPrintJob.cpp:1209:5
#36 0x7f47219e4c35 in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document*) src/layout/printing/nsPrintJob.cpp:613:3
#37 0x7f47219e6f38 in CommonPrint src/layout/printing/nsPrintJob.cpp:457:17
#38 0x7f47219e6f38 in nsPrintJob::PrintPreview(mozilla::dom::Document*, nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) src/layout/printing/nsPrintJob.cpp:641:7
#39 0x7f47215e2907 in nsDocumentViewer::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) src/layout/base/nsDocumentViewer.cpp:2979:18
#40 0x7f471dd97bc5 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5308:33
#41 0x7f471dd4fe77 in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3852:3
#42 0x7f471ef223f1 in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3216:59
#43 0x7f471f4fcc74 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3303:13
#44 0x7f472492f6af in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#45 0x7f472492ef1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#46 0x7f472493035e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:567:10
#47 0x7f47249264d6 in CallFromStack src/js/src/vm/Interpreter.cpp:571:10
#48 0x7f47249264d6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3293:16
#49 0x7f472491d323 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
#50 0x7f472492ee18 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
#51 0x7f472493035e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:567:10
#52 0x7f4724930561 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:584:8
#53 0x7f47235c1141 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#54 0x7f471edb8619 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:852:8
#55 0x7f471de4b599 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:695:12
#56 0x7f471dfc1fd6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:708:12
#57 0x7f471dfc1fd6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
#58 0x7f471dd32e36 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:739:12
#59 0x7f471dd31bed in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:767:3
#60 0x7f471dd318f3 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:608:13
#61 0x7f471c5bbfde in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#62 0x7f471c596526 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:778:26
#63 0x7f471c5952e9 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:654:15
#64 0x7f471c595433 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#65 0x7f471c5c1006 in operator() src/xpcom/threads/TaskController.cpp:124:37
#66 0x7f471c5c1006 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#67 0x7f471c5aacd3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1187:16
#68 0x7f471c5b16fd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#69 0x7f471d155996 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#70 0x7f471d073697 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#71 0x7f471d0735a2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#72 0x7f471d0735a2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#73 0x7f4721229b68 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#74 0x7f472333ade3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
#75 0x7f471d15688a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#76 0x7f471d073697 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#77 0x7f471d0735a2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#78 0x7f471d0735a2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#79 0x7f472333a419 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:729:34
#80 0x556b378662f7 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#81 0x556b378662f7 in main src/browser/app/nsBrowserApp.cpp:327:18
#82 0x7f4732c790b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#83 0x556b37841a7c in _start (/home/worker/builds/m-c-20220405212313-fuzzing-debug/firefox-bin+0x15a7c)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/ne1yR3IfkBx7QehgJM8tJw/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220406043513-678264f22280.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: e06c2941cdfc56de10e6b4fdd0ddfaff800e6b56 (20210407031944)
End: 7fac8607d414d792f4530b726f68ad36afb3c545 (20220405212313)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jwatt, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jwatt)
Severity: -- → S3
Component: CSS Parsing and Computation → Layout: Grid

This one doesn't seem to be grid related.

Flags: needinfo?(jwatt)

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20230819093323-981402028450) but not with tip (mozilla-central 20240816213455-b41fe1000a45).

Unable to bisect testcase (End build crashes!):

Start: 9814020284505cbc4a6075b3b7aba216be0632f8 (20230819093323)
End: b41fe1000a45a5b44b87406a5f2f4f9392356d36 (20240816213455)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon