Closed
Bug 1805522
Opened 2 years ago
Closed 2 years ago
Assertion failure: data (SharedFlexData should be set by our first-in-flow!), at /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4133
Categories
(Core :: Layout: Flexbox, defect)
Core
Layout: Flexbox
Tracking
()
VERIFIED
FIXED
110 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox108 | --- | unaffected |
| firefox109 | --- | verified |
| firefox110 | --- | verified |
People
(Reporter: tsmith, Assigned: TYLin)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(3 files)
|
614 bytes,
text/html
|
Details | |
|
9.22 KB,
application/x-javascript
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
Found while fuzzing m-c 20221213-300b0ac8eb7b (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: data (SharedFlexData should be set by our first-in-flow!), at /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4133
#0 0x7f8bb46e9659 in nsFlexContainerFrame::GenerateFlexLayoutResult() /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4133:3
#1 0x7f8bb46eab69 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4535:11
#2 0x7f8bb47d4541 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:870:13
#3 0x7f8bb46c170e in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4719:15
#4 0x7f8bb46c09aa in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4521:5
#5 0x7f8bb46bcbe1 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4395:9
#6 0x7f8bb46b9077 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3381:5
#7 0x7f8bb46b3564 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#8 0x7f8bb46aecfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#9 0x7f8bb46bf651 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#10 0x7f8bb46bb9c4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
#11 0x7f8bb46b9131 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
#12 0x7f8bb46b3564 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#13 0x7f8bb46aecfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#14 0x7f8bb46d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#15 0x7f8bb46d1e19 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:754:7
#16 0x7f8bb46a3626 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#17 0x7f8bb47e074e in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageContentFrame.cpp:76:5
#18 0x7f8bb46a3626 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#19 0x7f8bb47e32e6 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:194:3
#20 0x7f8bb47e3b80 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:217:13
#21 0x7f8bb46d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#22 0x7f8bb467e379 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/PrintedSheetFrame.cpp:132:5
#23 0x7f8bb46a3626 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#24 0x7f8bb47e766d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageSequenceFrame.cpp:370:5
#25 0x7f8bb46d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#26 0x7f8bb46d1e19 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:754:7
#27 0x7f8bb46d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#28 0x7f8bb471af30 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:841:3
#29 0x7f8bb471bcbf in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:977:3
#30 0x7f8bb47207cd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1404:3
#31 0x7f8bb46a3626 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#32 0x7f8bb46a2d74 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:384:7
#33 0x7f8bb459d90a in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9696:11
#34 0x7f8bb45c1bbf in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9868:24
#35 0x7f8bb45a7369 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9938:10
#36 0x7f8bb45a7369 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4440:11
#37 0x7f8bb4a15b00 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject>> const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1400:14
#38 0x7f8bb4a14f6a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject>> const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:957:3
#39 0x7f8bb4a12137 in nsPrintJob::InitPrintDocConstruction(bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:996:5
#40 0x7f8bb4a1108c in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:445:3
#41 0x7f8bb4a1243a in CommonPrint /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:334:17
#42 0x7f8bb4a1243a in nsPrintJob::PrintPreview(mozilla::dom::Document&, nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:466:17
#43 0x7f8bb4624d9c in nsDocumentViewer::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2966:27
#44 0x7f8bb0aeb2b1 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5281:33
#45 0x7f8bb0aa2759 in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3933:3
#46 0x7f8bb1d74c8b in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3784:59
#47 0x7f8bb2379a5c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#48 0x7f8bb668c3a6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#49 0x7f8bb668bccf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#50 0x7f8bb667d90f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#51 0x7f8bb667d90f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3379:16
#52 0x7f8bb6670fce in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#53 0x7f8bb668bbcb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#54 0x7f8bb668d0fc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#55 0x7f8bb674796c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#56 0x7f8bb2075641 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#57 0x7f8bb295cc89 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#58 0x7f8bb295bea4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#59 0x7f8bb293cb1d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1317:22
#60 0x7f8bb293d789 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
#61 0x7f8bb2932736 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#62 0x7f8bb2932736 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#63 0x7f8bb2931c6b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#64 0x7f8bb293442b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#65 0x7f8bb461d2c4 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7
#66 0x7f8bb5c5d670 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6452:20
#67 0x7f8bb5c5cc1b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5845:7
#68 0x7f8bb5c5e546 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#69 0x7f8bb0103bd8 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#70 0x7f8bb01031c2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#71 0x7f8bb0101453 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#72 0x7f8bb0102655 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#73 0x7f8bb5c9052e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13864:23
#74 0x7f8baf3f3e4f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#75 0x7f8baf3f5373 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#76 0x7f8bb090539f in imgRequestProxy::RemoveFromLoadGroup() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:394:15
#77 0x7f8bb090be4d in imgRequestProxy::OnLoadComplete(bool) /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:1066:7
#78 0x7f8bb08da618 in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:356:13
#79 0x7f8bb08da618 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:286:9
#80 0x7f8bb08d8df8 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:355:5
#81 0x7f8bb089f350 in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:374:5
#82 0x7f8bb089f350 in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:373:19)> /builds/worker/checkouts/gecko/image/CopyOnWrite.h:155:12
#83 0x7f8bb089f350 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:373:14
#84 0x7f8bb08a7da7 in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /builds/worker/checkouts/gecko/image/RasterImage.cpp:1611:28
#85 0x7f8bb08ae3a8 in mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) /builds/worker/checkouts/gecko/image/RasterImage.cpp:933:3
#86 0x7f8bb08ae014 in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsresult, bool) /builds/worker/checkouts/gecko/image/RasterImage.cpp:915:3
#87 0x7f8bb09005fa in imgRequest::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/image/imgRequest.cpp:780:26
#88 0x7f8bb001a418 in nsJARChannel::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:1269:16
#89 0x7f8bb001d81c in non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp
#90 0x7f8baf3f16ba in nsInputStreamPump::OnStateStop() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:694:15
#91 0x7f8baf3f09be in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:414:21
#92 0x7f8baf3f18fc in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp
#93 0x7f8baf1abf3f in operator() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:73:47
#94 0x7f8baf1abf3f in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<CallbackHolder::CallbackHolder(nsIAsyncInputStream*, nsIInputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()>(char const*, CallbackHolder::CallbackHolder(nsIAsyncInputStream*, nsIInputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:665:9
#95 0x7f8baf1ec9a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#96 0x7f8baf1e7f7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#97 0x7f8baf1e6b4a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#98 0x7f8baf1e6ea5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#99 0x7f8baf1f02a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#100 0x7f8baf1f02a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#101 0x7f8baf205c58 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#102 0x7f8baf20c49d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#103 0x7f8bafdfdfa3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#104 0x7f8bafd22f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#105 0x7f8bafd22e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#106 0x7f8bafd22e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#107 0x7f8bb4219348 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#108 0x7f8bb644709b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#109 0x7f8bafdfee69 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#110 0x7f8bafd22f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#111 0x7f8bafd22e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#112 0x7f8bafd22e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#113 0x7f8bb644662c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#114 0x560db34faca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#115 0x560db34faca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#116 0x7f8bc36d8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#117 0x7f8bc36d8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#118 0x560db34d1308 in _start (/home/user/workspace/browsers/m-c-20221213165020-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 632b23276e3228be633d34f1ac3c66957e03ca4b)
Flags: in-testsuite?
|
Reporter | |
Comment 1•2 years ago
|
||
pref.js for bugmon.
|
|
Reporter | |
Comment 2•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/5RSZxTSjAZ9eaW9xSm0qWw/index.html
|
||
Comment 3•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
The bug appears to have been introduced in the following build range:
Start: 6d023758cb323b04b39eca4cfb2e7d0aa3c746d4 (20221201193955)
End: 42352136c03cf1675da8887d9c803d10df9206d3 (20221201234742)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6d023758cb323b04b39eca4cfb2e7d0aa3c746d4&tochange=42352136c03cf1675da8887d9c803d10df9206d3
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 4•2 years ago
|
||
I get a crash from the attached testcase on latest Winx64 Nightly: https://crash-stats.mozilla.org/report/index/7c108e2f-c4c1-42be-a6f7-c8fb90221214
Crash Signature: [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::end | nsFlexContainerFrame::FlexItemIterator::FlexItemIterator ]
Keywords: crash
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1803486
status-firefox108:
--- → unaffected
status-firefox109:
--- → affected
status-firefox-esr102:
--- → unaffected
|
Assignee | |
Comment 6•2 years ago
|
||
Bug 1803486 Part 1 causes this crash, but the root cause is that image frame doesn't use logical coordinate (bug 1751260).
When I load the testcase in layout debugger's paged mode (with Bug 1803486 Part 1 reverted), I see the following frame tree. That is, the image flex item is being fragmented. However, the inline flex container was given unconstrained block size from nsLineLayout here, so the image really shouldn't be fragmented at all.
Block(body)(1)@7f1187c0af90 parent=7f1187c0aec8 (x=480, y=480, w=22080, h=3420) ink-overflow=(x=-960, y=0, w=23040, h=5178) scr-overflow=(x=-960, y=0, w=23040, h=5178) [content=7f1187b04160] [cs=7f1187c324d8] <
line@7f1187c0b208 count=1 state=inline,clean,prevmarginclean,not-impacted,wrapped,no-break,clear-before:none,clear-after:none(x=0, y=0, w=2880, h=1140) ink-overflow=(x=0, y=0, w=2880, h=3300) scr-overflow=(x=0, y=0, w=2880, h=3300) <
FlexContainer(dl id=a)(0)@7f1187c0b058 parent=7f1187c0af90 next=7f1187c0b3c0 next-in-flow=7f1187c0b3c0 (x=960, y=446, w=960, h=454) wm=v-rl-ltr logical-size=((454 x 960)) ink-overflow=(x=0, y=0, w=960, h=2854) scr-overflow=(x=0, y=0, w=960, h=2854) [content=7f1187b04670] [cs=7f1187c325c8] <
ImageFrame(dd id=b)(1)@7f1187c0b110 parent=7f1187c0b058 next-in-flow=7f1187c0b2b8 (x=0, y=2400, w=960, h=454) wm=v-rl-ltr logical-size=((454 x 960)) parent-wm=v-rl-ltr cs=((960 x 454)) logical-rect=(2400,0,454,960) [content=7f1187b04700] [cs=7f1187c326b8] [src=data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7]
>
>
line@7f1187c0b478 count=1 state=inline,clean,prevmarginclean,not-impacted,wrapped,no-break,clear-before:none,clear-after:none(x=0, y=1140, w=960, h=1140) ink-overflow=(x=-960, y=1140, w=1920, h=3300) scr-overflow=(x=-960, y=1140, w=1920, h=3300) <
FlexContainer(dl id=a)(0)@7f1187c0b3c0 parent=7f1187c0af90 next=7f1187c0b5d0 prev-in-flow=7f1187c0b058 next-in-flow=7f1187c0b5d0 (x=0, y=1586, w=0, h=454) wm=v-rl-ltr logical-size=((454 x 0)) ink-overflow=(x=-960, y=0, w=960, h=2854) scr-overflow=(x=-960, y=0, w=960, h=2854) [content=7f1187b04670] [cs=7f1187c325c8] <
ImageFrame(dd id=b)(1)@7f1187c0b2b8 parent=7f1187c0b3c0 prev-in-flow=7f1187c0b110 next-in-flow=7f1187c0b4d8 (x=-960, y=2400, w=960, h=454) wm=v-rl-ltr logical-size=((454 x 960)) parent-wm=v-rl-ltr cs=((0 x 454)) logical-rect=(2400,0,454,960) [content=7f1187b04700] [cs=7f1187c326b8] [src=data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7]
>
>
line@7f1187c0b688 count=1 state=inline,clean,prevmarginclean,not-impacted,not-wrapped,no-break,clear-before:none,clear-after:none(x=0, y=2280, w=960, h=1140) ink-overflow=(x=-960, y=2280, w=1920, h=2898) scr-overflow=(x=-960, y=2280, w=1920, h=2898) <
FlexContainer(dl id=a)(0)@7f1187c0b5d0 parent=7f1187c0af90 prev-in-flow=7f1187c0b3c0 (x=0, y=2726, w=0, h=454) wm=v-rl-ltr logical-size=((454 x 0)) ink-overflow=(x=-960, y=0, w=960, h=2452) scr-overflow=(x=-960, y=0, w=960, h=2452) [content=7f1187b04670] [cs=7f1187c325c8] <
ImageFrame(dd id=b)(1)@7f1187c0b4d8 parent=7f1187c0b5d0 prev-in-flow=7f1187c0b2b8 (x=-960, y=2400, w=960, h=52) wm=v-rl-ltr logical-size=((52 x 960)) parent-wm=v-rl-ltr cs=((0 x 454)) logical-rect=(2400,0,52,960) [content=7f1187b04700] [cs=7f1187c326b8] [src=data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7]
>
>
|
|
Assignee | |
Comment 7•2 years ago
|
||
The crashtest was adapted from bug 1803486 comment 1. I use "reftest-paged"
since window.print() doesn't work in crashtest or wpt crashtest.
|
||
Updated•2 years ago
|
Attachment #9308189 -
Attachment description: Bug 1805522 - Revert part of Bug 1803486 Part 1 regarding creation/destruction of SharedFlexData. → Bug 1805522 - Construct SharedFlexData for incomplete flex containers, regardless of whether they have constrained BSize.
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/42ed600d09bb Construct SharedFlexData for incomplete flex containers, regardless of whether they have constrained BSize. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/37514 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 10•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 12•2 years ago
|
||
The patch landed in nightly and beta is affected.
:TYLin, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox109towontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(aethanyc)
|
|
Assignee | |
Comment 13•2 years ago
|
||
Comment on attachment 9308189 [details]
Bug 1805522 - Construct SharedFlexData for incomplete flex containers, regardless of whether they have constrained BSize.
Beta/Release Uplift Approval Request
- User impact if declined: Crash the release build browser if loading the testcase
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch reverts part of behavior to the old way before bug 1803486.
- String changes made/needed: None
- Is Android affected?: Yes
Flags: needinfo?(aethanyc)
Attachment #9308189 -
Flags: approval-mozilla-beta?
|
||
Comment 14•2 years ago
|
||
Comment on attachment 9308189 [details]
Bug 1805522 - Construct SharedFlexData for incomplete flex containers, regardless of whether they have constrained BSize.
Approved for 109.0b4.
Attachment #9308189 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 15•2 years ago
|
||
| bugherder uplift | ||
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 16•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221215092759-061ba69417eb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•