Open Bug 1808806 Opened 3 months ago Updated 25 days ago

Assertion failure: !startFrame->mNext, at /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3182

Categories

(Core :: Layout: Block and Inline, defect)

Product:
Core
Component:
Layout: Block and Inline
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- unaffected
firefox109 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix

People

(Reporter: tsmith, Assigned: dshin)

References

(Depends on 1 open bug, Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
117 bytes, text/html
Details
Reduced Test Case
207 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20230104-9d96d2c96d8f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !startFrame->mNext, at /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3182

#0 0x7f139448a590 in nsLineLayout::TextAlignLine(nsLineBox*, bool) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3182:5
#1 0x7f139436ddc3 in nsBlockFrame::PlaceLine(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5150:15
#2 0x7f139436c62f in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4648:12
#3 0x7f1394368381 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4395:9
#4 0x7f1394364817 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3381:5
#5 0x7f139435ed04 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#6 0x7f139435a49b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#7 0x7f139436adf1 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#8 0x7f1394367164 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
#9 0x7f13943648d1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
#10 0x7f139435ed04 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#11 0x7f139435a49b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#12 0x7f139436adf1 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#13 0x7f1394367164 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
#14 0x7f13943648d1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
#15 0x7f139435ed04 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#16 0x7f139435a49b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#17 0x7f139437e0a9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#18 0x7f139437d609 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:755:7
#19 0x7f139437e0a9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#20 0x7f13943c6730 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:841:3
#21 0x7f13943c74bf in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:977:3
#22 0x7f13943cbfcd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1404:3
#23 0x7f139434edc6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#24 0x7f139434e514 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:385:7
#25 0x7f1394249b8f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9652:11
#26 0x7f139426da9f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9829:22
#27 0x7f1394253505 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9900:10
#28 0x7f1394253505 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4385:11
#29 0x7f13908bf1fb in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
#30 0x7f13908bf1fb in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10770:16
#31 0x7f138fd64a54 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#32 0x7f138fd65e85 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#33 0x7f1395933a3e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13864:23
#34 0x7f138f054c7f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#35 0x7f138f0561a3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#36 0x7f13908c4129 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11551:18
#37 0x7f13908901ab in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11489:9
#38 0x7f13908aaec8 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8016:3
#39 0x7f139095b498 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#40 0x7f139095b498 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#41 0x7f139095b498 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#42 0x7f138ee420a2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#43 0x7f138ee4c335 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#44 0x7f138ee4790c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#45 0x7f138ee464da in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#46 0x7f138ee46835 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#47 0x7f138ee4fc36 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#48 0x7f138ee4fc36 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#49 0x7f138ee654d5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#50 0x7f138ee6ba1d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#51 0x7f138fa5c363 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#52 0x7f138f97fe28 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#53 0x7f138f97fd31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#54 0x7f138f97fd31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#55 0x7f1393ebc3d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#56 0x7f13960ecadb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#57 0x7f138fa5d229 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#58 0x7f138f97fe28 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#59 0x7f138f97fd31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#60 0x7f138f97fd31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#61 0x7f13960ec638 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#62 0x55db181fdca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#63 0x55db181fdca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#64 0x7f13a2445d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#65 0x7f13a2445e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#66 0x55db181d4308 in _start (/home/user/workspace/browsers/m-c-20230105213109-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 2bd152c3a9c8aaaf10fc5d2286bb7e421fb9027f)
Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20230106214742-7968ae37c117.
The bug appears to have been introduced in the following build range:

Start: 5d8dcdf3ed62db885e90ad5f5069519c0c03b8d1 (20230103205908)
End: 616a6f1689dc99810e5d7e6465b781a49b6430c8 (20230103213543)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5d8dcdf3ed62db885e90ad5f5069519c0c03b8d1&tochange=616a6f1689dc99810e5d7e6465b781a49b6430c8

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:dshin, since you are the author of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dshin)
Assignee: nobody → dshin
Flags: needinfo?(dshin)
Attached file Reduced Test Case

Interesting. It seems that if we cause the first line to be broken up, we can run into trouble. When padding-left is 100%:

Block(p)(0)@7f3452103cc8 parent=7f3452103bb0 (x=0, y=0, w=0, h=0) [content=7f3452804c10] [cs=7f34588e37a8] <
  line@7f3452104210 count=1 state=inline,clean,prevmarginclean,not-impacted,wrapped,no-break,clear-before:none,clear-after:none(x=0, y=0, w=60480, h=1140) <
    Line(p)(0)@7f3452104168 parent=7f3452103cc8 next=7f34521044d0 next-in-flow=7f34521044d0 (x=0, y=0, w=60480, h=1140) [content=7f3452804c10] [cs=7f34588e3b68:first-line] <
      Inline(span)(0)@7f3452103d90 parent=7f3452104168 next-in-flow=7f3452104418 (x=0, y=0, w=60480, h=1140) [content=7f3452804ca0] [cs=7f34521064d8] <
        Text(0)"\n"@7f3452103e38 parent=7f3452103d90 (x=60480, y=900, w=0, h=0) [content=7f3452807380] [cs=7f34521065c8:-moz-text] [run=7f34567b9e00][0,1,T] 
      >
    >
  >
  line@7f3452104578 count=2 state=inline,clean,prevmarginclean,not-impacted,wrapped,no-break,clear-before:none,clear-after:none(x=0, y=1140, w=2597, h=1140) <
    Line(p)(0)@7f34521044d0 parent=7f3452103cc8 next=7f3452104728 prev-in-flow=7f3452104168 next-in-flow=7f3452104728 (x=0, y=1140, w=0, h=1140) [content=7f3452804c10] [cs=7f3452106a78:-moz-line-frame] <
      Inline(span)(0)@7f3452104418 parent=7f34521044d0 prev-in-flow=7f3452103d90 next-in-flow=7f3452104670 (x=0, y=0, w=0, h=1140) [content=7f3452804ca0] [cs=7f3452106b68] <
        Inline(span)(1)@7f3452103ed8 parent=7f3452104418 next-in-flow=7f34521045c8 (x=0, y=0, w=0, h=1140) [content=7f3452804d30] [cs=7f3452106c58] <
          Letter(span)(1)@7f34521040c0 parent=7f3452103ed8 next-in-flow=7f3452104370 (x=0, y=0, w=0, h=1140) [content=7f3452804d30] [cs=7f34521066b8:first-letter] <
            Text(0)""@7f3452104020 parent=7f34521040c0 next-in-flow=7f34521042b0 (x=0, y=900, w=0, h=0) [content=7f3452807400] [cs=7f3452106988:-moz-text] [run=7f34588f6a60][0,0,F] 
          >
        >
      >
    >
    Line(p)(0)@7f3452104728 parent=7f3452103cc8 prev-in-flow=7f34521044d0 (x=0, y=1140, w=2597, h=1140) [content=7f3452804c10] [cs=7f3452106a78:-moz-line-frame] <
      Inline(span)(0)@7f3452104670 parent=7f3452104728 prev-in-flow=7f3452104418 (x=0, y=0, w=2597, h=1140) [content=7f3452804ca0] [cs=7f34521067a8] <
        Inline(span)(1)@7f34521045c8 parent=7f3452104670 prev-in-flow=7f3452103ed8 (x=0, y=0, w=2597, h=1140) [content=7f3452804d30] [cs=7f3452106d48] <
          Letter(span)(1)@7f3452104370 parent=7f34521045c8 prev-in-flow=7f34521040c0 (x=0, y=0, w=2597, h=1140) [content=7f3452804d30] [cs=7f3452106e38:-moz-first-letter-continuation] <
            Text(0)"Hello\n"@7f34521042b0 parent=7f3452104370 prev-in-flow=7f3452104020 (x=0, y=0, w=2597, h=1140) [content=7f3452807400] [cs=7f34521062f8:-moz-text] [run=7f34588f6a60][0,6,T] 
          >
        >
      >
    >
  >
>
  1. The newline is considered the first-line in terms of computed style.
  2. The second line does not receive the first-line styling, but internally still is of type nsFirstLineFrame.
  3. The second line consists of two lines: The first line is empty text with first-letter in terms of style. The second line contains the actual text.

This situation can be avoided by either removing the newline between <span>s, or reducing padding-left so that the line doesn't get broken up.

On the release build, "Hello" is rendered a line below where it's supposed to, and lacks first-(letter|line) styling.

Comparatively, when padding-left is 10%:

Line(p)(0)@7f9c5e4f8168 parent=7f9c5e4f7cc8 (x=51835, y=0, w=8645, h=1140) ink-overflow=(x=0, y=0, w=8950, h=1140) scr-overflow=(x=0, y=0, w=8645, h=1140) [content=7f9c35a04550] [cs=7f9c3bbe6978:first-line] <
  Inline(span)(0)@7f9c5e4f7d90 parent=7f9c5e4f8168 (x=0, y=0, w=8645, h=1140) ink-overflow=(x=0, y=0, w=8950, h=1140) [content=7f9c35a045e0] [cs=7f9c399a7118] <
    Text(0)"\n"@7f9c5e4f7e38 parent=7f9c5e4f7d90 next=7f9c5e4f7ed8 (x=6048, y=900, w=0, h=0) [content=7f9c35a07180] [cs=7f9c399a7208:-moz-text] [run=7f9c39976980][0,1,T] 
    Inline(span)(1)@7f9c5e4f7ed8 parent=7f9c5e4f7d90 (x=6048, y=0, w=2597, h=1140) ink-overflow=(x=0, y=0, w=2902, h=1140) scr-overflow=(x=0, y=0, w=2597, h=1140) [content=7f9c35a04670] [cs=7f9c399a72f8] <
      Letter(span)(1)@7f9c5e4f80c0 parent=7f9c5e4f7ed8 next=7f9c5e4f8370 next-in-flow=7f9c5e4f8370 (x=0, y=0, w=837, h=1140) [content=7f9c35a04670] [cs=7f9c399a73e8:first-letter] <
        Text(0)"H"@7f9c5e4f8020 parent=7f9c5e4f80c0 next-in-flow=7f9c5e4f82b0 (x=0, y=0, w=837, h=1140) [content=7f9c35a07200] [cs=7f9c399a75c8:-moz-text] [run=7f9c39976980][0,1,F] 
      >
      Letter(span)(1)@7f9c5e4f8370 parent=7f9c5e4f7ed8 prev-in-flow=7f9c5e4f80c0 (x=837, y=0, w=1760, h=1140) ink-overflow=(x=0, y=0, w=2065, h=1140) scr-overflow=(x=0, y=0, w=1760, h=1140) [content=7f9c35a04670] [cs=7f9c399a74d8:-moz-first-letter-continuation] <
        Text(0)"ello\n"@7f9c5e4f82b0 parent=7f9c5e4f8370 prev-in-flow=7f9c5e4f8020 (x=0, y=0, w=1760, h=1140) ink-overflow=(x=0, y=0, w=2065, h=1140) [content=7f9c35a07200] [cs=7f9c399a76b8:-moz-text] [run=7f9c39976980][1,5,T] 
      >
    >
  >
>

Set release status flags based on info from the regressing bug 1805603

status-firefox111: --- → affected
Depends on: 1809675
You need to log in before you can comment on or make changes to this bug.