Open Bug 1808807 Opened 1 year ago Updated 11 months ago

Assertion failure: !(mCols.mIsMasonry && mRows.mIsMasonry) (can't have masonry layout in both axes)

Categories

(Core :: Layout: Grid, defect)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox110 --- wontfix
firefox115 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
208 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20230103-764c051fe1d4 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !(mCols.mIsMasonry && mRows.mIsMasonry) (can't have masonry layout in both axes), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3078

#0 0x7f6fec9365da in nsGridContainerFrame::GridReflowInput::GridReflowInput(nsGridContainerFrame*, gfxContext&, mozilla::ReflowInput const*, nsStylePosition const*, mozilla::WritingMode const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3077:5
#1 0x7f6fec8e6208 in GridReflowInput /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:2753:9
#2 0x7f6fec8e6208 in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9351:19
#3 0x7f6fec8e6938 in nsGridContainerFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9423:29
#4 0x7f6fec900f0b in nsIFrame::ComputeISizeValue(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, nsIFrame::ExtremumLength, mozilla::Maybe<int>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6708:47
#5 0x7f6fec815396 in nsIFrame::ISizeComputationResult nsIFrame::ComputeISizeValue<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion>>(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4876:12
#6 0x7f6fec8fedfd in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6319:24
#7 0x7f6fec80461b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2410:19
#8 0x7f6fec801224 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:360:3
#9 0x7f6fec801bea in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:219:5
#10 0x7f6fec8cf68a in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5029:15
#11 0x7f6fec8d3a9c in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5368:14
#12 0x7f6fec8dc112 in nsGridContainerFrame::MasonryLayout(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsGridContainerFrame::SizingConstraint, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer*, nsSize const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8381:13
#13 0x7f6fec8e6537 in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9394:12
#14 0x7f6fec8e6a6b in nsGridContainerFrame::GetPrefISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9439:30
#15 0x7f6fec7c6a21 in GetIntrinsicCoord /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp
#16 0x7f6fec7c6a21 in GetIntrinsicCoord<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> > /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:4556:10
#17 0x7f6fec7c6a21 in AddIntrinsicSizeOffset(gfxContext*, nsIFrame*, nsIFrame::IntrinsicSizeOffsetData const&, mozilla::IntrinsicISizeType, mozilla::StyleBoxSizing, int, int, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&, int const*, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&, int const*, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::Maybe<int>, unsigned int, mozilla::PhysicalAxis) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:4677:14
#18 0x7f6fec7c5de3 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5136:12
#19 0x7f6fec8d35b0 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5265:18
#20 0x7f6fec8dc112 in nsGridContainerFrame::MasonryLayout(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsGridContainerFrame::SizingConstraint, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer*, nsSize const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8381:13
#21 0x7f6fec8e6537 in nsGridContainerFrame::IntrinsicISize(gfxContext*, mozilla::IntrinsicISizeType) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9394:12
#22 0x7f6fec8e6a6b in nsGridContainerFrame::GetPrefISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9439:30
#23 0x7f6fec900eae in nsIFrame::ComputeISizeValue(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, nsIFrame::ExtremumLength, mozilla::Maybe<int>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6701:47
#24 0x7f6fec815396 in nsIFrame::ISizeComputationResult nsIFrame::ComputeISizeValue<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion>>(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4876:12
#25 0x7f6fec8fedfd in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6319:24
#26 0x7f6fec80461b in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2410:19
#27 0x7f6fec801224 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:360:3
#28 0x7f6fec801bea in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:219:5
#29 0x7f6fec8522fe in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:739:19
#30 0x7f6fec8530a9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#31 0x7f6fec89b730 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:841:3
#32 0x7f6fec89c4bf in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:977:3
#33 0x7f6fec8a0fcd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1404:3
#34 0x7f6fec823dc6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#35 0x7f6fec823514 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:385:7
#36 0x7f6fec71eb8f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9652:11
#37 0x7f6fec742a9f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9829:22
#38 0x7f6fec728505 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9900:10
#39 0x7f6fec728505 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4385:11
#40 0x7f6fe8d941fb in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
#41 0x7f6fe8d941fb in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10770:16
#42 0x7f6fe8239a54 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#43 0x7f6fe823ae85 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#44 0x7f6fede08a3e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13864:23
#45 0x7f6fe7529c7f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#46 0x7f6fe752b1a3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#47 0x7f6fe8d99129 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11551:18
#48 0x7f6fe8d651ab in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11489:9
#49 0x7f6fe8d7fec8 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8016:3
#50 0x7f6fe8e30498 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#51 0x7f6fe8e30498 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#52 0x7f6fe8e30498 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#53 0x7f6fe73170a2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#54 0x7f6fe7321335 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#55 0x7f6fe731c90c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#56 0x7f6fe731b4da in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#57 0x7f6fe731b835 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#58 0x7f6fe7324c36 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#59 0x7f6fe7324c36 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#60 0x7f6fe733a4d5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#61 0x7f6fe7340a1d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#62 0x7f6fe7f31363 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#63 0x7f6fe7e54e28 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#64 0x7f6fe7e54d31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#65 0x7f6fe7e54d31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#66 0x7f6fec3913d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#67 0x7f6fee5c1adb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#68 0x7f6fe7f32229 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#69 0x7f6fe7e54e28 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#70 0x7f6fe7e54d31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#71 0x7f6fe7e54d31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#72 0x7f6fee5c1638 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#73 0x55842beadca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x55842beadca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#75 0x7f6ffb6efd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#76 0x7f6ffb6efe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#77 0x55842be84308 in _start (/home/user/workspace/browsers/m-c-20230105213109-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 2bd152c3a9c8aaaf10fc5d2286bb7e421fb9027f)
Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20230107093442-7272e73dca36.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: b442a7921285ec569a5676f2aa02e4097ddef6b5 (20220108005127)
End: 764c051fe1d40356b1a565c163159afa7730cfd9 (20230103094636)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: