Bug 1764919 (Closed) - Opened 2 years ago, closed 2 years ago

Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsPageFrame.cpp:722

Product/Component: Core :: MathML (defect)
Platform: x86_64 Linux
Status: RESOLVED WORKSFORME
Reporter: jkratzer
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: testcase
Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (6.82 KB, application/octet-stream)

Testcase found while fuzzing mozilla-central rev 7f6fc25d231f (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7f6fc25d231f --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsPageFrame.cpp:722

    ==2101437==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f17c16fdd98 bp 0x7ffc26fbfd60 sp 0x7ffc26fbfd00 T2101437)
    ==2101437==The signal is caused by a WRITE memory access.
    ==2101437==Hint: address points to the zero page.
        #0 0x7f17c16fdd98 in nsPageBreakFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:722:3
        #1 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #2 0x7f17c188d8d9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #3 0x7f17c188df1e in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:847:5
        #4 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #5 0x7f17c188d8d9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
        #6 0x7f17c188df1e in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:847:5
        #7 0x7f17c16ed1db in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:870:13
        #8 0x7f17c16be59d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:671:15
        #9 0x7f17c16bdc96 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:545:7
        #10 0x7f17c16bd4e6 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsInlineFrame.cpp:359:3
        #11 0x7f17c16ed1db in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:870:13
        #12 0x7f17c15d8d8f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /layout/generic/nsBlockFrame.cpp:4553:15
        #13 0x7f17c15d8356 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /layout/generic/nsBlockFrame.cpp:4355:5
        #14 0x7f17c15d3cd1 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4240:9
        #15 0x7f17c15d02c0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3227:5
        #16 0x7f17c15ca851 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2761:7
        #17 0x7f17c15c6147 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #18 0x7f17c15eabde in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #19 0x7f17c15e9e3b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:791:7
        #20 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #21 0x7f17c16f8e48 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:73:5
        #22 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #23 0x7f17c16fb267 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:146:3
        #24 0x7f17c16fb8a8 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:169:13
        #25 0x7f17c15eabde in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #26 0x7f17c159810d in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:132:5
        #27 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #28 0x7f17c16ff41d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:370:5
        #29 0x7f17c15eabde in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
        #30 0x7f17c15e9e3b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:791:7
        #31 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
        #32 0x7f17c15ba3fd in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #33 0x7f17c14b8542 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9603:11
        #34 0x7f17c14c28ce in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9774:24
        #35 0x7f17c14c1b75 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4352:11
        #36 0x7f17c193bd4f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1439:5
        #37 0x7f17c193bd4f in nsPrintJob::ReconstructAndReflow(bool) /layout/printing/nsPrintJob.cpp:919:16
        #38 0x7f17c193a9a4 in nsPrintJob::SetupToPrintContent() /layout/printing/nsPrintJob.cpp:981:19
        #39 0x7f17c193e142 in DocumentReadyForPrinting /layout/printing/nsPrintJob.cpp:753:17
        #40 0x7f17c193e142 in nsPrintJob::MaybeResumePrintAfterResourcesLoaded(bool) /layout/printing/nsPrintJob.cpp:1258:10
        #41 0x7f17c193e9d2 in nsPrintJob::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /layout/printing/nsPrintJob.cpp:1281:5
        #42 0x7f17bd392bcc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #43 0x7f17bd39196f in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /uriloader/base/nsDocLoader.cpp:1340:14
        #44 0x7f17bd391b40 in nsDocLoader::doStopURLLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:936:3
        #45 0x7f17bd391225 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:645:3
        #46 0x7f17c2b847cd in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13854:23
        #47 0x7f17bc6c7d0a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #48 0x7f17bc6c92f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #49 0x7f17bdafd24c in imgRequestProxy::RemoveFromLoadGroup() /image/imgRequestProxy.cpp:372:15
        #50 0x7f17bdb031ef in imgRequestProxy::OnLoadComplete(bool) /image/imgRequestProxy.cpp:1005:7
        #51 0x7f17bdad1a7a in operator() /image/ProgressTracker.cpp:351:13
        #52 0x7f17bdad1a7a in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /image/ProgressTracker.cpp:281:9
        #53 0x7f17bdad0213 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /image/ProgressTracker.cpp:350:5
        #54 0x7f17bda965e1 in operator() /image/ProgressTracker.cpp:369:5
        #55 0x7f17bda965e1 in Read<(lambda at /image/ProgressTracker.cpp:368:19)> /image/CopyOnWrite.h:155:12
        #56 0x7f17bda965e1 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /image/ProgressTracker.cpp:368:14
        #57 0x7f17bda9f3ec in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/RasterImage.cpp:1580:28
        #58 0x7f17bdaa5d6e in mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) /image/RasterImage.cpp:917:3
        #59 0x7f17bdaa59d8 in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsresult, bool) /image/RasterImage.cpp:899:3
        #60 0x7f17bdaf8212 in imgRequest::OnStopRequest(nsIRequest*, nsresult) /image/imgRequest.cpp:749:26
        #61 0x7f17bcbf2e20 in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult) /netwerk/protocol/http/HttpChannelChild.cpp:1033:15
        #62 0x7f17bcbf15ce in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /netwerk/protocol/http/HttpChannelChild.cpp:910:5
        #63 0x7f17bcc50b9d in operator() /netwerk/protocol/http/HttpChannelChild.cpp:792:15
        #64 0x7f17bcc50b9d in std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool)::$_12>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
        #65 0x7f17bce08a0b in mozilla::net::ChannelEventQueue::FlushQueue() /netwerk/ipc/ChannelEventQueue.cpp:94:12
        #66 0x7f17bce3daac in MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:337:5
        #67 0x7f17bce3daac in CompleteResume /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:316:5
        #68 0x7f17bce3daac in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /netwerk/ipc/ChannelEventQueue.cpp:152:17
        #69 0x7f17bc4c8e42 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #70 0x7f17bc4f867e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #71 0x7f17bc4d2e66 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #72 0x7f17bc4d1b03 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #73 0x7f17bc4d1d73 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #74 0x7f17bc4fd819 in operator() /xpcom/threads/TaskController.cpp:127:37
        #75 0x7f17bc4fd819 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #76 0x7f17bc4e7453 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #77 0x7f17bc4edc9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #78 0x7f17bdce739c in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #79 0x7f17bdce4ea6 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5337:5
        #80 0x7f17bdce3702 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5136:3
        #81 0x7f17c15368d6 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1171:43
        #82 0x7f17c2b62c24 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6454:20
        #83 0x7f17c2b62713 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5843:7
        #84 0x7f17c2b635af in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #85 0x7f17bd392bcc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #86 0x7f17bd391ffa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #87 0x7f17bd390380 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #88 0x7f17bd39153d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #89 0x7f17c2b847cd in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13854:23
        #90 0x7f17bc6c7d0a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #91 0x7f17bc6c92f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #92 0x7f17bde56bee in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11663:18
        #93 0x7f17bde2152f in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11601:9
        #94 0x7f17bde3d51b in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8136:3
        #95 0x7f17bdef12cb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #96 0x7f17bdef12cb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #97 0x7f17bdef12cb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #98 0x7f17bc4c8e42 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #99 0x7f17bc4f867e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #100 0x7f17bc4d2e66 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #101 0x7f17bc4d1b03 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #102 0x7f17bc4d1d73 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #103 0x7f17bc4fd7a6 in operator() /xpcom/threads/TaskController.cpp:124:37
        #104 0x7f17bc4fd7a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #105 0x7f17bc4e7453 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #106 0x7f17bc4edc9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #107 0x7f17bd096536 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #108 0x7f17bcfb3d17 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #109 0x7f17bcfb3c22 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #110 0x7f17bcfb3c22 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #111 0x7f17c1184688 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #112 0x7f17c328ef73 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #113 0x7f17bd09742a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #114 0x7f17bcfb3d17 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #115 0x7f17bcfb3c22 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #116 0x7f17bcfb3c22 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #117 0x7f17c328e5a9 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #118 0x55b2a452c2f7 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #119 0x55b2a452c2f7 in main /browser/app/nsBrowserApp.cpp:327:18
        #120 0x7f17d373a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #121 0x55b2a4507a7c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15a7c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsPageFrame.cpp:722:3 in nsPageBreakFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    ==2101437==ABORTING
Attached file Testcase
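A triage helper for crash logs of the shape shown above, added here as an example; it is not part of the bug report and not Mozilla's fuzzing tooling. The point it encodes: in a Firefox debug build a failed MOZ_ASSERT crashes on purpose by writing to address 0, so a SEGV WRITE on the zero page whose top frame is the assertion's own file:line (nsPageFrame.cpp:722 here) is the assertion firing, not an independent null-pointer write, and the generic "zero-page fault equals null dereference" rule should only be applied after that case is excluded. The embedded log is a constructed excerpt of the trace in comment 0 (five frames kept); the regexes, class names and bucket labels are this example's own.

```python
"""Sanitizer crash-log triage helper (added example, not Mozilla tooling)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 0x1000  # a fault address below this is on the zero page

# Constructed excerpt of the trace in comment 0 (five frames kept).
SAMPLE_LOG = """\
Assertion failure: aStatus.IsEmpty() (Caller should pass a fresh reflow status!), at /layout/generic/nsPageFrame.cpp:722
==2101437==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f17c16fdd98 bp 0x7ffc26fbfd60 sp 0x7ffc26fbfd00 T2101437)
==2101437==The signal is caused by a WRITE memory access.
==2101437==Hint: address points to the zero page.
    #0 0x7f17c16fdd98 in nsPageBreakFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:722:3
    #1 0x7f17c15bac36 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
    #2 0x7f17c188d8d9 in nsMathMLContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:791:21
    #3 0x7f17c188df1e in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:847:5
    #121 0x55b2a4507a7c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15a7c)
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsPageFrame.cpp:722:3 in nsPageBreakFrame::Reflow(...)
"""


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str] = None  # None for frames without file:line info
    line: Optional[int] = None


@dataclass
class CrashReport:
    sanitizer: Optional[str] = None
    error: Optional[str] = None        # e.g. SEGV, heap-buffer-overflow
    address: Optional[int] = None
    access: Optional[str] = None       # READ or WRITE
    assertion: Optional[str] = None    # MOZ_ASSERT message, if one preceded the crash
    assertion_file: Optional[str] = None
    assertion_line: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)


ASSERT_RE = re.compile(r"^Assertion failure: (.+), at (\S+?):(\d+)$")
HEADER_RE = re.compile(r"^==\d+==ERROR: (\w+Sanitizer): ([\w-]+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-fA-F]+ in (.+?)(?: (/\S+?):(\d+)(?::\d+)?)?$")


def parse_report(text: str) -> CrashReport:
    """Extract the assertion line, the sanitizer header and the stack frames."""
    rep = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ASSERT_RE.match(line):
            rep.assertion, rep.assertion_file = m.group(1), m.group(2)
            rep.assertion_line = int(m.group(3))
        elif m := HEADER_RE.match(line):
            rep.sanitizer, rep.error = m.group(1), m.group(2)
            rep.address = int(m.group(3), 16)
        elif m := ACCESS_RE.search(line):
            rep.access = m.group(1)
        elif m := FRAME_RE.match(line):
            rep.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3),
                                    int(m.group(4)) if m.group(4) else None))
    return rep


def classify(rep: CrashReport) -> str:
    """Coarse bucket. Checked first: a failed MOZ_ASSERT in a Firefox debug
    build crashes on purpose by writing to address 0, so a zero-page WRITE
    whose top frame is the assertion's own file:line is the assertion firing,
    not a separate null-pointer write."""
    if rep.error != "SEGV":
        return rep.error or "unknown"
    zero_page = rep.address is not None and rep.address < PAGE_SIZE
    top = rep.frames[0] if rep.frames else None
    if (zero_page and rep.access == "WRITE" and top is not None
            and rep.assertion_file is not None
            and (top.file, top.line) == (rep.assertion_file, rep.assertion_line)):
        return "assertion-failure"
    kind = (rep.access or "unknown").lower()
    return f"null-deref-{kind}" if zero_page else f"wild-{kind}"


def signature(rep: CrashReport, depth: int = 3) -> str:
    """Top symbolised frames with argument lists dropped, for deduplicating hits."""
    names = [re.sub(r"\(.*", "", f.func).strip() for f in rep.frames if f.file]
    return " | ".join(names[:depth])


def triage(text: str) -> dict:
    rep = parse_report(text)
    return {"bucket": classify(rep), "signature": signature(rep),
            "sanitizer": rep.sanitizer, "assertion": rep.assertion}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints the bucket ("assertion-failure" for this log) and a three-frame signature for grouping fuzzer hits. The caveat the bucket carries: in an opt build the assertion is compiled out, so what the violated invariant (a non-empty nsReflowStatus handed to nsPageBreakFrame::Reflow) does there has to be assessed separately; a debug-build log like this one does not answer it.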

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220415092909-7f6fc25d231f.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: d26e6241a27381f7d94a055d1dc8297a9d7a7fc2 (20210416030733)
End: 7f6fc25d231faac14b0174d1f701b7488988bc3a (20220415092909)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220415092909-7f6fc25d231f) but not with tip (mozilla-central 20220916213956-e9fe2912339b).

The bug appears to have been fixed in the following build range:

Start: 5936168c80d1f6b8a55f7f528b0851e75e90660d (20220906092501)
End: d1b399bcd0474869d29804c13b2145a6a8b645da (20220906120315)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5936168c80d1f6b8a55f7f528b0851e75e90660d&tochange=d1b399bcd0474869d29804c13b2145a6a8b645da

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

This issue hasn't been seen by the fuzzers since 2022/04/15. Frédéric, is it possible that this was fixed via bug 1583037?

Flags: needinfo?(jkratzer) → needinfo?(fwang)

Yes, the testcase generates a MathML tree like

    <math>
    <merror>
    <msub>
    <malignmark>
    <msub>
    </merror>
    </math>

which Firefox used to render as an "invalid-markup" message [1] before bug 1583037 because <msub> expects 2 elements [2].

I just tested with [3] and mathml.error_message_layout_for_invalid_markup.disabled turned off and I can see the assertion failure.

Note that the plan is to remove that preference in the future (bug 1788223).

[1] https://searchfox.org/mozilla-central/source/layout/mathml/nsMathMLContainerFrame.cpp#42
[2] https://developer.mozilla.org/en-US/docs/Web/MathML/Element/msub
[3] https://hg.mozilla.org/mozilla-central/rev/e9fe2912339b

Flags: needinfo?(fwang)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME