Closed Bug 1907238 Opened 1 year ago Closed 1 year ago

Assertion failure: IsInBounds(mStart, mLength, aRange) (Range out of bounds), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3906

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
130 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox128 --- unaffected
firefox129 --- fixed
firefox130 --- verified

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(5 files)

testcase.html
333 bytes, text/html
Details
Bug 1907238 - Ensure nsFirstLetterFrame::CreateContinuationForFramesAfter does not mess up an existing fixed continuation boundary. r=#layout
48 bytes, text/x-phabricator-request
Details | Review
Bug 1907238 - Add testcase as a WPT crashtest. r=#layout
48 bytes, text/x-phabricator-request
Details | Review
Bug 1907238 - Ensure nsFirstLetterFrame::CreateContinuationForFramesAfter does not mess up an existing fixed continuation boundary.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1907238 - Add testcase as a WPT crashtest.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20240704-bfd90a9d6d64 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: IsInBounds(mStart, mLength, aRange) (Range out of bounds), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3906

#0 0x7d93d26a2999 in nsTextFrame::PropertyProvider::GetHyphenationBreaks(gfxTextRun::Range, gfxTextRun::HyphenType*) const /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3906:3
#1 0x7d93d26b9795 in nsTextFrame::AddInlineMinISizeForFlow(gfxContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:8678:16
#2 0x7d93d26bb403 in nsTextFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:8893:10
#3 0x7d93d25b59b2 in operator()<nsContainerFrame *, nsIFrame::InlineMinISizeData *> /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:795:12
#4 0x7d93d25b59b2 in DoInlineIntrinsicISize<nsIFrame::InlineMinISizeData, (lambda at /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:793:25)> /builds/worker/checkouts/gecko/layout/generic/nsContainerFrameInlines.h:75:5
#5 0x7d93d25b59b2 in nsContainerFrame::DoInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:798:3
#6 0x7d93d24f2a28 in nsLayoutUtils::MinISizeFromInline(nsIFrame*, gfxContext*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5294:11
#7 0x7d93d25b6041 in ShrinkISizeToFit /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6718:22
#8 0x7d93d25b6041 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:828:11
#9 0x7d93d25c1db3 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6303:7
#10 0x7d93d25c1cd9 in nsFirstLetterFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsFirstLetterFrame.cpp:149:28
#11 0x7d93d2532c1f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2415:19
#12 0x7d93d252f511 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:386:3
#13 0x7d93d25301b0 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:254:5
#14 0x7d93d2527146 in void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize const&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize const&) /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1015:39
#15 0x7d93d266adc8 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:840:23
#16 0x7d93d25908cf in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5081:15
#17 0x7d93d258fb5d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4883:5
#18 0x7d93d258bb38 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4741:9
#19 0x7d93d2587f88 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3709:24
#20 0x7d93d2582222 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
#21 0x7d93d257ecd2 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
#22 0x7d93d257d1ab in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
#23 0x7d93d258e7c0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#24 0x7d93d258a674 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4376:11
#25 0x7d93d258803d in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3706:5
#26 0x7d93d2582222 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
#27 0x7d93d257ecd2 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
#28 0x7d93d257d1ab in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
#29 0x7d93d25ad3d4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
#30 0x7d93d25a0721 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:717:7
#31 0x7d93d25ad3d4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
#32 0x7d93d25464d2 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:916:3
#33 0x7d93d2546fae in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1051:3
#34 0x7d93d2549394 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1519:3
#35 0x7d93d25b64d1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
#36 0x7d93d257321b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:365:7
#37 0x7d93d24473ef in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9823:11
#38 0x7d93d246fd5f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9996:22
#39 0x7d93d2450db7 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10043:10
#40 0x7d93d2450db7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4358:9
#41 0x7d93cebf01c8 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
#42 0x7d93cebf01c8 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11055:16
#43 0x7d93cdc17dbd in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:729:14
#44 0x7d93cdc19201 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#45 0x7d93d2960ddf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13786:23
#46 0x7d93ccffbcaf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#47 0x7d93ccffcfce in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#48 0x7d93cebf539c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11845:18
#49 0x7d93cebdb670 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8263:3
#50 0x7d93cec942a9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#51 0x7d93cec942a9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#52 0x7d93cec942a9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#53 0x7d93cec942a9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#54 0x7d93cec942a9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#55 0x7d93cec942a9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#56 0x7d93cec942a9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#57 0x7d93ccdd4437 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#58 0x7d93ccdc9ed6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#59 0x7d93ccdc8907 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#60 0x7d93ccdc8d85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#61 0x7d93ccdd7e36 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#62 0x7d93ccdd7e36 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#63 0x7d93ccdeb4fd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#64 0x7d93ccdf21df in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#65 0x7d93cd94cf75 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#66 0x7d93cd8a3c71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#67 0x7d93cd8a3c71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#68 0x7d93d20917b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#69 0x7d93d214a5f4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#70 0x7d93d30021cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
#71 0x7d93cd94ddc6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#72 0x7d93cd8a3c71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#73 0x7d93cd8a3c71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#74 0x7d93d3001a5b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
#75 0x579574acbc9f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#76 0x579574acbc9f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240711042720-be6b3324bc2c.
The bug appears to have been introduced in the following build range:

Start: 90f074b25bea311c1becc74363be744dc8fe5683 (20240528091330)
End: e77b76a2a22df588531dad70811a755b46798779 (20240528101915)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=90f074b25bea311c1becc74363be744dc8fe5683&tochange=e77b76a2a22df588531dad70811a755b46798779

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Interestingly, I see a different assertion when I load the testcase in my local debug build:

[Child 59784, Main Thread] ###!!! ASSERTION: bad overflow list: 'mFrames.IsEmpty()', file /Users/jkew/mozdev/mozilla-unified/layout/generic/nsFirstLetterFrame.cpp:434

I wonder if that's related to whether the testcase loads as UTF-8 or Latin-1; I think we've sometimes seen such a difference between fuzzing vs directly loading. Either way, though, we should figure out the root cause.

Ah, yes: adding <meta charset=cp1252> to the testcase, I hit the "Range out of bounds" assertion.

It's also preceded by a (non-fatal) assertion

[Child 59882, Main Thread] ###!!! ASSERTION: frame crosses fixed continuation boundary: 'flowLength->mEndFlowOffset >= GetContentEnd()', file /Users/jkew/mozdev/mozilla-unified/layout/generic/nsTextFrame.cpp:691

that is probably related to the same underlying issue.

Severity: -- → S3
Keywords: pernosco-wanted

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco

(In reply to Bugmon [:jkratzer for issues] from comment #4)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

It's been several days, and I don't see a pernosco link yet.... did it slip through the cracks somewhere?

Flags: needinfo?(jkratzer)

:jfkthame, sorry - I was out on PTO. Looks like there's been an issue replaying the recorded rr traces. I'm investigating.

Thanks - no worries - I've just tried generating a trace locally, so will see if that works for me on pernosco.

A pernosco session for this bug can be found here.

This avoids the frame-tree inconsistency that is resulting in the
fuzzer assertion here.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7abdb61284a7 Ensure nsFirstLetterFrame::CreateContinuationForFramesAfter does not mess up an existing fixed continuation boundary. r=TYLin https://hg.mozilla.org/integration/autoland/rev/b2b915f22fa9 Add testcase as a WPT crashtest. r=layout-reviewers,TYLin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/47225 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jfkthame, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)

This was a regression from bug 385615.

Flags: needinfo?(jfkthame)
Regressed by: 385615
Flags: needinfo?(jkratzer)

Set release status flags based on info from the regressing bug 385615

status-firefox128: --- → unaffected
status-firefox129: --- → affected
status-firefox-esr115: --- → unaffected
status-firefox-esr128: --- → unaffected

https://hg.mozilla.org/mozilla-central/rev/7abdb61284a7
https://hg.mozilla.org/mozilla-central/rev/b2b915f22fa9

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox130: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
Upstream PR merged by moz-wptsync-bot
Flags: in-testsuite? → in-testsuite+

Verified bug as fixed on rev mozilla-central 20240722214643-ac4a1f84adfa.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox130: fixedverified
Keywords: bugmon

The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)

This avoids the frame-tree inconsistency that is resulting in the
fuzzer assertion here.

Original Revision: https://phabricator.services.mozilla.com/D217122

Attachment #9414334 - Flags: approval-mozilla-beta?
Attachment #9414335 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: CSS ::first-letter used with bidi or preformatted text could result in frame-tree inconsistency
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: low
  • Explanation of risk level: simple patch to ensure a fluid continuation is present when adjusting extent of first-letter
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9414335 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9414334 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(jfkthame)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: