Closed Bug 1807958 Opened 2 years ago Closed 2 years ago

Assertion failure: kidReflowInput.ComputedLogicalMargin(wm).IsAllZero() (-moz-column-content has no margin!), at /layout/generic/nsColumnSetFrame.cpp:662

Categories

(Core :: Layout: Columns, defect)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
110 Branch
Tracking Status
firefox110 --- verified

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev c5ddc463e9f8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c5ddc463e9f8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: kidReflowInput.ComputedLogicalMargin(wm).IsAllZero() (-moz-column-content has no margin!), at /layout/generic/nsColumnSetFrame.cpp:662

    ==93278==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f442c821332 bp 0x7fff704e2790 sp 0x7fff704e2450 T93278)
    ==93278==The signal is caused by a WRITE memory access.
    ==93278==Hint: address points to the zero page.
        #0 0x7f442c821332 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /layout/generic/nsColumnSetFrame.cpp:661:7
        #1 0x7f442c8220d1 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsColumnSetFrame.cpp:1202:37
        #2 0x7f442c80ade1 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /layout/generic/nsBlockReflowContext.cpp:290:11
        #3 0x7f442c807154 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4032:11
        #4 0x7f442c8048c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3378:5
        #5 0x7f442c7fecf4 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2895:9
        #6 0x7f442c7fa48b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1470:3
        #7 0x7f442c81e099 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1029:14
        #8 0x7f442c8667a0 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:841:3
        #9 0x7f442c86752f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:977:3
        #10 0x7f442c86c03d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1404:3
        #11 0x7f442c91fcf1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:870:13
        #12 0x7f442c80ce9e in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /layout/generic/nsBlockFrame.cpp:4719:15
        #13 0x7f442c80c13a in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /layout/generic/nsBlockFrame.cpp:4521:5
        #14 0x7f442c808371 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4395:9
        #15 0x7f442c804807 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3381:5
        #16 0x7f442c7fecf4 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2895:9
        #17 0x7f442c7fa48b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1470:3
        #18 0x7f442c81e099 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1029:14
        #19 0x7f442c8667a0 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:841:3
        #20 0x7f442c86752f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:977:3
        #21 0x7f442c86c03d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1404:3
        #22 0x7f442c81e099 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1029:14
        #23 0x7f442c82f06a in nsFlexContainerFrame::MeasureBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, mozilla::ReflowInput&) /layout/generic/nsFlexContainerFrame.cpp:1944:3
        #24 0x7f442c835df8 in nsFlexContainerFrame::SizeItemInCrossAxis(mozilla::ReflowInput&, nsFlexContainerFrame::FlexItem&) /layout/generic/nsFlexContainerFrame.cpp:4382:7
        #25 0x7f442c8383fc in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int, int, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, nsTArray<nsFlexContainerFrame::StrutInfo>&, ComputedFlexContainerInfo*) /layout/generic/nsFlexContainerFrame.cpp:5089:9
        #26 0x7f442c83663a in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsFlexContainerFrame.cpp:4502:11
        #27 0x7f442c6e944a in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9696:11
        #28 0x7f442c70d6ff in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9868:24
        #29 0x7f442c6f2ea9 in DoFlushLayout /layout/base/PresShell.cpp:9938:10
        #30 0x7f442c6f2ea9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4440:11
        #31 0x7f4428d68692 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1462:5
        #32 0x7f4428d68692 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10770:16
        #33 0x7f442820dbd2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #34 0x7f442820f005 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #35 0x7f442ddd9aee in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13864:23
        #36 0x7f44274ffd4f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:628:22
        #37 0x7f4427501273 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10
        #38 0x7f4428d6d5a9 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11551:18
        #39 0x7f4428d3976b in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11489:9
        #40 0x7f4428d543b8 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8016:3
        #41 0x7f4428e04998 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #42 0x7f4428e04998 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #43 0x7f4428e04998 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #44 0x7f44272ed522 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #45 0x7f44272f77b5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #46 0x7f44272f2d8c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #47 0x7f44272f195a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #48 0x7f44272f1cb5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #49 0x7f44272fb0b6 in operator() /xpcom/threads/TaskController.cpp:188:37
        #50 0x7f44272fb0b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #51 0x7f4427310955 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1197:16
        #52 0x7f4427316e9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:476:10
        #53 0x7f4427f05493 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #54 0x7f4427e28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #55 0x7f4427e28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #56 0x7f4427e28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #57 0x7f442c35e568 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #58 0x7f442e592b6b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:743:20
        #59 0x7f4427f06359 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #60 0x7f4427e28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #61 0x7f4427e28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #62 0x7f4427e28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #63 0x7f442e5926c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:676:34
        #64 0x55b5bde48ca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #65 0x55b5bde48ca0 in main /browser/app/nsBrowserApp.cpp:359:18
        #66 0x7f443a960d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #67 0x7f443a960e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #68 0x55b5bde1f308 in _start (/home/jkratzer/builds/m-c-20221229092636-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 57d0e68973c298505724f6ed9f82c1dea3cdb0d1)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsColumnSetFrame.cpp:661:7 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool)
    ==93278==ABORTING

Note: you need to set layout.css.content-visibility.enabled in order to trigger the assertion-failure.
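The note above says the assertion only fires with layout.css.content-visibility.enabled set. The following POSIX shell script is added here as an example and is not part of the bug report or of the fuzzing tools: it builds a throwaway Firefox profile whose user.js enables that pref, checks the pref is present before launching, and shows how to run the fetched build against the testcase with that profile. The profile location and the helper names are assumptions; ./firefox/firefox and testcase.html follow the reporter's commands. When replaying under grizzly instead of launching Firefox directly, pass the same prefs through the prefs-file option listed by `python -m grizzly.replay --help`.

```shell
#!/bin/sh
# Added example (not from the bug or from grizzly): enable the pref the testcase needs
# via a dedicated profile, so the assertion can be reproduced outside the harness.
set -eu

make_profile() {
    # $1 = profile directory to create (assumed path, any writable dir works)
    mkdir -p "$1"
    # Firefox reads user.js at startup and applies these prefs to the profile.
    cat > "$1/user.js" <<'EOF'
user_pref("layout.css.content-visibility.enabled", true);
// Keep the first-run / default-browser prompts from stealing the initial load.
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.startup.homepage_override.mstone", "ignore");
EOF
}

pref_enabled() {
    # $1 = profile directory; succeeds only if the pref is present and true.
    grep -q '^user_pref("layout.css.content-visibility.enabled", true);' "$1/user.js"
}

replay_testcase() {
    # $1 = profile directory, $2 = firefox binary, $3 = testcase file
    # -no-remote stops the URL from being handed to an already-running Firefox.
    pref_enabled "$1" || { echo "pref missing in $1/user.js" >&2; return 1; }
    "$2" -no-remote -profile "$1" "$(pwd)/$3"
}

profile="${TMPDIR:-/tmp}/ff-bug1807958-profile"   # assumed location
make_profile "$profile"
pref_enabled "$profile"
# Launch the debug+fuzzing build from the reporter's fuzzfetch step:
# replay_testcase "$profile" ./firefox/firefox testcase.html
```

The pref check runs before the launch so a forgotten or misspelled pref shows up as a clear error rather than as a testcase that silently fails to reproduce.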

The assertion itself doesn't seem particularly concerning; it's just expecting that a margin should have nonzero values. Seems like the sort of thing that produces broken layout if it fails. Hence, classifying as S3.

Additional notes:

  • Assertion was added in bug 1782602 --> Adding dependency.
  • The testcase uses extremely large values in several CSS properties, which makes me suspect we might be hitting integer overflow or special cases with saturated and/or precise nscoord_MAX sentinel values somewhere, and taking an unexpected route as a result.

ni=TYLin to take a look when possible to see how we get here & if downgrading the assertion seems appropriate, or if it seems like there's a real logic bug hiding here.

Severity: -- → S3
Depends on: 1782602
Flags: needinfo?(aethanyc)
Attachment #9310144 - Attachment description: Testcase → Testcase (note: requires content-visibility about:config pref to be set to true)

Verified bug as reproducible on mozilla-central 20221229092636-c5ddc463e9f8.
Unable to bisect testcase (Unable to launch the start build!):

Start: e633666f5eb7b690880f34066169852abc7a189c (20211231035203)
End: c5ddc463e9f84902a198e1f14dc97fea3bd4fbef (20221229092636)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

-moz-column-content is the anonymous block under nsColumnSetFrame, and it
doesn't have any margin in UA stylesheet, so we don't need to call
CalculateBlockSideMargins() to compute its auto margin.

The assertion added in Bug 1782602 is triggered by the testcase because bogus
size leads to negative available inline-size, and CalculateBlockSideMargins()
can compute non-zero margin.

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/477f67acf1f3
Exclude -moz-column-content from the block side margin calculation. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
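The triage comment suggests the huge CSS values push sizes into saturated nscoord territory, and the commit message above states the mechanism: a bogus size yields a negative available inline-size, and the block side-margin calculation then produces a non-zero margin even though the UA stylesheet gives -moz-column-content none. The C model below is added here as an example and is not Gecko's code; it implements the inline-axis margin resolution of CSS 2.1 section 10.3.3 that such a calculation follows, shows why zero, non-auto margins still resolve to a non-zero value once the available space is negative, and models the fix as skipping that resolution for the anonymous column-content frame. The function names, the 32-bit nscoord type and the sample sizes are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t nscoord;   /* assumption: app units as a 32-bit integer, like Gecko's nscoord */

typedef struct {
    nscoord start;    /* margin-inline-start */
    nscoord end;      /* margin-inline-end */
    bool start_auto;  /* margin-inline-start: auto */
    bool end_auto;    /* margin-inline-end: auto */
} block_margins;

/* Inline-axis margin resolution for an in-flow block per CSS 2.1 section 10.3.3.
 * Simplified model with a hypothetical name, not Gecko's CalculateBlockSideMargins().
 * available_isize: inline-size the containing block offers this frame.
 * box_isize:       the frame's inline-size including its own border and padding. */
block_margins resolve_block_side_margins(nscoord available_isize, nscoord box_isize,
                                         block_margins m, bool ltr) {
    block_margins out = { m.start_auto ? 0 : m.start, m.end_auto ? 0 : m.end, false, false };
    nscoord remaining = available_isize - box_isize - out.start - out.end;

    if (remaining < 0) {
        /* Over-constrained, which a negative available_isize always forces: auto margins
         * count as 0 and the end-side margin (start-side in RTL) absorbs the deficit.
         * A stylesheet margin of 0 therefore resolves to a negative, non-zero value. */
        if (ltr) out.end += remaining; else out.start += remaining;
    } else if (m.start_auto && m.end_auto) {
        out.start = remaining / 2;             /* centre the box */
        out.end = remaining - out.start;
    } else if (m.start_auto) {
        out.start = remaining;
    } else if (m.end_auto) {
        out.end = remaining;
    } else if (remaining > 0) {
        /* No auto margin and the values do not add up: the end-side margin is recomputed. */
        if (ltr) out.end += remaining; else out.start += remaining;
    }
    return out;
}

/* Margins the column-set frame hands to its anonymous -moz-column-content child.
 * The UA stylesheet gives that frame no margin (0, not auto), so the fix is to skip the
 * side-margin fix-up for it rather than rely on the fix-up returning zeros. */
block_margins column_content_margins(nscoord available_isize, nscoord box_isize, bool apply_fix) {
    block_margins ua_margin = { 0, 0, false, false };
    if (apply_fix) return ua_margin;
    return resolve_block_side_margins(available_isize, box_isize, ua_margin, true);
}

/* The invariant the assertion in nsColumnSetFrame::ReflowColumns checks. */
bool margins_all_zero(block_margins m) { return m.start == 0 && m.end == 0; }

int main(void) {
    /* Constructed sizes: a negative available inline-size, as the commit message
     * describes, and a 100-unit column-content box. */
    block_margins before = column_content_margins(-50, 100, false);
    block_margins after  = column_content_margins(-50, 100, true);
    printf("before fix: start=%d end=%d all-zero=%d\n",
           (int)before.start, (int)before.end, margins_all_zero(before));
    printf("after fix:  start=%d end=%d all-zero=%d\n",
           (int)after.start, (int)after.end, margins_all_zero(after));
    return 0;
}
```

With available_isize = -50 and box_isize = 100 the pre-fix path resolves margin-inline-end to -150, so the all-zero check fails exactly as in the report; once the anonymous frame is excluded from the calculation it keeps its UA margins and the assertion holds.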

Verified bug as fixed on rev mozilla-central 20230105034049-8e6dd71c4ece.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon