Bug 1873808 (Open, NEW)
Opened 2 years ago; updated 1 year ago
Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:37
Categories: Core :: Layout, defect
Tracking: (none)
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase
Attachments: 1 file, 1 obsolete file (445 bytes, text/html)
Found while fuzzing m-c 20231207-d6000f1e4ebb (--enable-debug --enable-fuzzing)
This only reproduces on 32-bit builds.
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --cpu x86 -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aMax >= aMin (clamped(): aMax must be greater than or equal to aMin), at /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:37
#0 0xea3ca0db in clamped<int> /builds/worker/workspace/obj-build/dist/include/nsAlgorithm.h:36:3
#1 0xea3ca0db in ClampAndAlignWithPixels(int, int, int, int, int, int, double, int) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2830:23
#2 0xea344dd8 in ClampAndAlignWithLayerPixels /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2896:7
#3 0xea344dd8 in nsHTMLScrollFrame::ScrollToImpl(nsPoint, nsRect const&, mozilla::ScrollOrigin, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3047:16
#4 0xea359147 in nsHTMLScrollFrame::ReflowFinished() /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:6280:5
#5 0xea359b1e in non-virtual thunk to nsHTMLScrollFrame::ReflowFinished() /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp
#6 0xea18fcec in HandlePostedReflowCallbacks /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4109:33
#7 0xea18fcec in mozilla::PresShell::DidDoReflow(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9515:3
#8 0xea1b9235 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9892:5
#9 0xea199b9d in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9941:10
#10 0xea199b9d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4351:11
#11 0xe641a9a0 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#12 0xe641a9a0 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10891:16
#13 0xe63f1885 in mozilla::dom::Document::FlushPendingNotifications(mozilla::FlushType) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10823:3
#14 0xe5786158 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:740:14
#15 0xe5787581 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#16 0xeb467c00 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13822:23
#17 0xeb467d8b in non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#18 0xe49592c6 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#19 0xe495a6b1 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#20 0xe641fd92 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11680:18
#21 0xe63eaba6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11618:9
#22 0xe62b46a6 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:202:54
#23 0xe62b47e2 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:202:39
#24 0xe4712fbb in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:66:1
#25 0xea0ea0b2 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#26 0xea0ea0b2 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#27 0xea0ea0b2 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#28 0xea0ea0b2 in mozilla::css::Loader::NotifyObservers(mozilla::css::SheetLoadData&, nsresult) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1680:1
#29 0xea107241 in mozilla::SharedStyleSheetCache::LoadCompleted(mozilla::SharedStyleSheetCache*, mozilla::css::SheetLoadData&, nsresult) /builds/worker/checkouts/gecko/layout/style/SharedStyleSheetCache.cpp:68:20
#30 0xea0f878a in SheetComplete /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1693:3
#31 0xea0f878a in mozilla::css::SheetLoadData::SheetFinishedParsingAsync() /builds/worker/workspace/obj-build/dist/include/mozilla/css/SheetLoadData.h:252:16
#32 0xea0f8505 in operator() /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1626:23
#33 0xea0f8505 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1624:11), void ((lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1624:11)::*)(bool) const, bool> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:654:12
#34 0xea0f8505 in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1624:11), void ((lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1624:11)::*)(bool) const, bool, RefPtr<mozilla::MozPromise<bool, bool, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:685:5
#35 0xea0f8505 in mozilla::MozPromise<bool, bool, true>::ThenValue<mozilla::css::Loader::ParseSheet(nsTSubstring<char> const&, mozilla::css::SheetLoadData&, mozilla::css::Loader::AllowAsyncParse)::$_0, mozilla::css::Loader::ParseSheet(nsTSubstring<char> const&, mozilla::css::SheetLoadData&, mozilla::css::Loader::AllowAsyncParse)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, bool, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:870:9
#36 0xe64cea09 in mozilla::MozPromise<bool, bool, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<bool, bool, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:623:7
#37 0xe64ce283 in mozilla::MozPromise<bool, bool, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
#38 0xe4709955 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
#39 0xe46fed70 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
#40 0xe46fd40f in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:718:15
#41 0xe46fd8f2 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
#42 0xe470dadc in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:37
#43 0xe470dadc in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#44 0xe4724207 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#45 0xe472b782 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#46 0xe543f2b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#47 0xe5353e1e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#48 0xe5353d1a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#49 0xe5353d1a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#50 0xe9d88be6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#51 0xe9e4c4a8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#52 0xebc2b304 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#53 0xe5440320 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#54 0xe5353e1e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#55 0xe5353d1a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#56 0xe5353d1a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#57 0xebc2ab3d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#58 0xebc3a351 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12
#59 0x5667cb5f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x5667cb5f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#61 0xf7821518 (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 7f64b917aaa97b9680d8e44931bf7611c5a1f036)
#62 0xf78215f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 7f64b917aaa97b9680d8e44931bf7611c5a1f036)
#63 0x5664da00 in _start (/home/user/workspace/browsers/linux32-m-c-20240109162901-fuzzing-debug/firefox-bin+0x5ca00) (BuildId: 19e9bdacf5934831614198726ce70e83de1b8578)
Flags: in-testsuite?
Comment 1 • 2 years ago
This only reproduces on 32-bit builds.
I see large numbers in the testcase, so it is likely some integer overflow is involved.
Severity: -- → S4
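The comment above suspects an integer overflow behind the inverted clamp range. As an added illustration (constructed here, not Gecko's code, and not the actual arithmetic in ClampAndAlignWithPixels), this shows how scaling a bound in 32-bit int can wrap and produce aMax < aMin, and how checked arithmetic reports that before the bounds ever reach a clamp:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration (not Gecko code) of the precondition that
 * nsAlgorithm.h's clamped<int>() asserts: aMax >= aMin. Here the violated
 * precondition is reported to the caller instead of aborting. */
static bool clamped_checked(int value, int min, int max, int *out) {
    if (max < min) {
        return false;  /* the condition behind "aMax >= aMin" */
    }
    *out = value < min ? min : (value > max ? max : value);
    return true;
}

/* Hypothetical scaling of a scroll bound, done the way 32-bit int
 * arithmetic silently wraps (computed in 64 bits, then truncated to 32,
 * to avoid signed-overflow UB in this demo). */
static int scale_wrap32(int v, int scale) {
    return (int32_t)(uint32_t)((int64_t)v * scale);
}

/* Same scaling with overflow detection. */
static bool scale_checked(int v, int scale, int *out) {
    return !__builtin_mul_overflow(v, scale, out);
}

/* Scale [lo, hi] and verify the result is still an ordered range: the
 * check a caller needs before handing the bounds to clamped(). */
static bool scaled_range_valid(int lo, int hi, int scale,
                               int *out_lo, int *out_hi) {
    if (!scale_checked(lo, scale, out_lo) ||
        !scale_checked(hi, scale, out_hi)) {
        return false;  /* wrapped: the bounds are meaningless */
    }
    return *out_lo <= *out_hi;
}

/* True when the unchecked arithmetic turns [lo, hi] into an inverted
 * range, i.e. the state in which clamped() would fire its assertion. */
static bool range_inverts_when_unchecked(int lo, int hi, int scale) {
    return scale_wrap32(hi, scale) < scale_wrap32(lo, scale);
}
```

With lo = 0, hi = 0x60000000 and scale = 4 the unchecked upper bound wraps to INT_MIN, so the range inverts; the checked variant refuses the same inputs.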
Comment 2 • 1 year ago
This test case also triggers the issue on 64-bit builds (found by crash-explorer).
Attachment #9371912 - Attachment is obsolete: true
Updated • 1 year ago
status-firefox135: --- → affected