Closed Bug 1821177 Opened 2 years ago Closed 2 years ago

Assertion failure: ContainsFrame(aFrame) (aFrame is not on this list!), at /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:86

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- verified

People

(Reporter: tsmith, Assigned: dshin)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

testcase.html
583 bytes, text/html
Details
testcase.html
588 bytes, text/html
Details
Bug 1821177: Ensure `nsTableRowGroupFrame`'s `CreateContinuingRowFrame` and `UndoContinuedRow` push and pull from overflow lists. r=#layout-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20230308-9fa6f54ca6d9 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: ContainsFrame(aFrame) (aFrame is not on this list!), at /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:86

#0 0x7fc2aabd3a61 in nsFrameList::TakeFramesAfter(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:86:3
#1 0x7fc2aababe66 in nsContainerFrame::PushChildren(nsIFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1420:30
#2 0x7fc2aad6aa23 in CreateContinuingRowFrame /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:943:3
#3 0x7fc2aad6aa23 in nsTableRowGroupFrame::SplitSpanningCells(nsPresContext&, mozilla::ReflowInput const&, nsTableFrame&, nsTableRowFrame&, nsTableRowFrame&, bool, int, nsTableRowFrame*&, nsTableRowFrame*&, int&) /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:1015:13
#4 0x7fc2aad6c4ef in nsTableRowGroupFrame::SplitRowGroup(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame*, nsReflowStatus&, bool) /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:1282:15
#5 0x7fc2aad6c93f in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:1386:5
#6 0x7fc2aaba4f8a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:890:14
#7 0x7fc2aad511f4 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:2882:7
#8 0x7fc2aad4f17f in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1946:3
#9 0x7fc2aad4e1f7 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1734:5
#10 0x7fc2aaba4f8a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:890:14
#11 0x7fc2aad72542 in nsTableWrapperFrame::ReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:685:21
#12 0x7fc2aad72e6e in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:786:3
#13 0x7fc2aae4c9c0 in nsMathMLmtableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/mathml/nsMathMLmtableFrame.cpp:773:24
#14 0x7fc2aab91c51 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#15 0x7fc2aab8dfc4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4057:11
#16 0x7fc2aab8b731 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3403:5
#17 0x7fc2aab85a54 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2920:9
#18 0x7fc2aab80dfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1484:3
#19 0x7fc2aab91c51 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#20 0x7fc2aab8dfc4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4057:11
#21 0x7fc2aab8b731 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3403:5
#22 0x7fc2aab85a54 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2920:9
#23 0x7fc2aab80dfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1484:3
#24 0x7fc2aab91c51 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#25 0x7fc2aab8dfc4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4057:11
#26 0x7fc2aab8b731 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3403:5
#27 0x7fc2aab85a54 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2920:9
#28 0x7fc2aab80dfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1484:3
#29 0x7fc2aaba4f8a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:890:14
#30 0x7fc2aaba4449 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:755:7
#31 0x7fc2aab756f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
#32 0x7fc2aacb3d5e in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageContentFrame.cpp:76:5
#33 0x7fc2aab756f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
#34 0x7fc2aacb68d6 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:194:3
#35 0x7fc2aacb7180 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:217:13
#36 0x7fc2aaba4f8a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:890:14
#37 0x7fc2aab50049 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/PrintedSheetFrame.cpp:132:5
#38 0x7fc2aab756f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
#39 0x7fc2aacbb06d in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageSequenceFrame.cpp:370:5
#40 0x7fc2aaba4f8a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:890:14
#41 0x7fc2aaba4449 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:755:7
#42 0x7fc2aab756f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
#43 0x7fc2aab74e54 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:385:7
#44 0x7fc2aaa6f393 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9621:11
#45 0x7fc2aaa933df in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9799:22
#46 0x7fc2aaa78875 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9870:10
#47 0x7fc2aaa78875 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4352:11
#48 0x7fc2aaedc0eb in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject>> const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1420:14
#49 0x7fc2aaedb48a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject>> const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:957:3
#50 0x7fc2aaed8777 in nsPrintJob::InitPrintDocConstruction(bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:996:5
#51 0x7fc2aaed76c0 in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:445:3
#52 0x7fc2aaed8975 in CommonPrint /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:334:17
#53 0x7fc2aaed8975 in nsPrintJob::Print(mozilla::dom::Document&, nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:455:10
#54 0x7fc2aaaf5cca in nsDocumentViewer::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2932:27
#55 0x7fc2a6d3a0dc in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5303:24
#56 0x7fc2a9e20f62 in mozilla::dom::BrowserChild::RecvPrint(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::embedding::PrintData const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2417:18
#57 0x7fc2a9f464f6 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:8012:80
#58 0x7fc2a9fd33a6 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8785:32
#59 0x7fc2a5fec90a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#60 0x7fc2a5fe9587 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#61 0x7fc2a5fea0b5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#62 0x7fc2a5feb3ef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#63 0x7fc2a537f9f5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#64 0x7fc2a537ab48 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#65 0x7fc2a537974a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
#66 0x7fc2a5379aa5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#67 0x7fc2a5383469 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
#68 0x7fc2a5383469 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#69 0x7fc2a53995d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#70 0x7fc2a539fa8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#71 0x7fc2a6d3ca6c in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#72 0x7fc2a6d3a160 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5325:5
#73 0x7fc2a6d389c6 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5124:3
#74 0x7fc2a6cf28b9 in nsGlobalWindowInner::Print(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3934:3
#75 0x7fc2a80022bf in mozilla::dom::Window_Binding::print(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3686:24
#76 0x7fc2a861025c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#77 0x7fc2acb732d6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#78 0x7fc2acb72bff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553:12
#79 0x7fc2acb6485f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:625:10
#80 0x7fc2acb6485f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368:16
#81 0x7fc2acb57f1e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#82 0x7fc2acb72afb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:13
#83 0x7fc2acb7402c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:8
#84 0x7fc2acc342bc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#85 0x7fc2a7eb9271 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:827:8
#86 0x7fc2a6df05d5 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:691:12
#87 0x7fc2a6f91536 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:704:12
#88 0x7fc2a6f91536 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:58:13
#89 0x7fc2a6cd60a4 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:730:12
#90 0x7fc2a6cd4ebb in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:758:3
#91 0x7fc2a6cd4bd1 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:599:13
#92 0x7fc2a537f9f5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#93 0x7fc2a537ab48 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#94 0x7fc2a53798ae in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:740:15
#95 0x7fc2a5379aa5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#96 0x7fc2a53833f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#97 0x7fc2a53833f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#98 0x7fc2a53995d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#99 0x7fc2a539fa8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#100 0x7fc2a5ff2853 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#101 0x7fc2a5f14218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#102 0x7fc2a5f14121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#103 0x7fc2a5f14121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#104 0x7fc2aa6c2da8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#105 0x7fc2ac92853b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#106 0x7fc2a5ff3719 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#107 0x7fc2a5f14218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#108 0x7fc2a5f14121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#109 0x7fc2a5f14121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#110 0x7fc2ac928098 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#111 0x5638fa8d2df0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#112 0x5638fa8d2df0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#113 0x7fc2b8db7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#114 0x7fc2b8db7e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#115 0x5638fa8a9458 in _start (/home/user/workspace/browsers/m-c-20230308094825-fuzzing-debug/firefox-bin+0x5b458) (BuildId: f7ea1ee45272be95005714a4364acde5f7231cca)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230308094825-64b0a4a734ea.
The bug appears to have been introduced in the following build range:

Start: 5936168c80d1f6b8a55f7f528b0851e75e90660d (20220906092501)
End: d1b399bcd0474869d29804c13b2145a6a8b645da (20220906120315)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5936168c80d1f6b8a55f7f528b0851e75e90660d&tochange=d1b399bcd0474869d29804c13b2145a6a8b645da

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

looks like this might have been caused in fx106 by bug 1583037 based on the bugmon regression range above

status-firefox110: --- → wontfix
status-firefox111: --- → wontfix
Flags: needinfo?(fwang)
Attached file testcase.html

As I explained in other fuzzing bugs, before bug 1583037 Gecko would just shortcut the layout of invalid MathML elements (i.e. that don't have the expected number of children) and replace it with an "invalid markup" message. This behavior can be enabled again via the mathml.error_message_layout_for_invalid_markup.disabled flag. After bug 1583037 these invalid MathML elements are laid out as an mrow, and so MathML layout is properly performed on their descendants. This means some fuzzing bugs that were previously hidden inside an invalid subtree can be revealed.

Unfortunately, I'm not able to reproduce the assertion failure (the print dialog does not show up in Grizzly replay and running firefox directly does not help). However, there are two elements causing invalid markup in this testcase (namely msub and mrow). I'm attaching a tweaked version, hopefully it allows to reproduce the problem with error_message_layout_for_invalid_markup disabled, and so before 69aab0d556424c65172360f3c2f02c2809e6522c.

Flags: needinfo?(fwang)

thank you for taking a look! removing flags for further triage

status-firefox110: wontfix → ---
status-firefox111: wontfix → ---

The severity field is not set for this bug.
:jfkthame, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)

Confirming testcase in comment 3 as reproducing the crash with mozregression -B debug --launch 2023-04-12.

Severity: -- → S3
Flags: needinfo?(jfkthame)

Let's get a pernosco trace from bugmon. I can take a look for any obvious ways forward after we've got that.

Flags: needinfo?(dholbert)
Keywords: pernosco-wanted

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco

A pernosco session for this bug can be found here.

No longer regressed by: 1583037
Assignee: nobody → dshin
Status: NEW → ASSIGNED
Pushed by dshin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/342fb7f151d0 Ensure `nsTableRowGroupFrame`'s `CreateContinuingRowFrame` and `UndoContinuedRow` push and pull from overflow lists. r=dholbert

https://hg.mozilla.org/mozilla-central/rev/342fb7f151d0

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox115: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

Bug appears to be fixed on mozilla-central 20230511213213-375c5940c253 but BugMon was unable to find a usable build for 9fa6f54ca6d9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

status-firefox115: fixedverified
Keywords: bugmon
status-firefox114: fix-optionalwontfix
Flags: needinfo?(dholbert)
Flags: in-testsuite? → in-testsuite+
Duplicate of this bug: 1774450

Copying crash signatures from duplicate bugs.

Crash Signature: [@ nsTableRowGroupFrame::SplitSpanningCells]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: