1926745 - Hit MOZ_CRASH(ElementAt(aIndex = 9998, aLength = 2)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

Status: NEW

(Core :: Layout: Grid, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20241018-6a2518f67e94 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(ElementAt(aIndex = 9998, aLength = 2)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

#0 0x5c15b08db9ca in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x5c15b08db9ca in mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:50:3
#2 0x79e1a8c86c6b in ElementAt /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1207:7
#3 0x79e1a8c86c6b in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1238:12
#4 0x79e1a8c86c6b in nsGridContainerFrame::LineRange::ToLength(nsTArray<nsGridContainerFrame::TrackSize> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7311:25
#5 0x79e1a8c86028 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3990:36
#6 0x79e1a8c9a306 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5718:12
#7 0x79e1a8c94ebf in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5819:15
#8 0x79e1a8c94861 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeForNonSpanningItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6005:13
#9 0x79e1a8c926c8 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6739:11
#10 0x79e1a8c86ffc in CalculateSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5939:3
#11 0x79e1a8c86ffc in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4069:12
#12 0x79e1a8ca3345 in CalculateTrackSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4132:3
#13 0x79e1a8ca3345 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8955:21
#14 0x79e1a8c3fd74 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#15 0x79e1a8c3329f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:710:7
#16 0x79e1a8c3fd74 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#17 0x79e1a8bd80d7 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:914:3
#18 0x79e1a8bd8b80 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1049:3
#19 0x79e1a8bdb02d in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1509:3
#20 0x79e1a8c49ba1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:933:14
#21 0x79e1a8c04d70 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:358:7
#22 0x79e1a8ad6794 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9956:11
#23 0x79e1a8aff55f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10126:22
#24 0x79e1a8ae024f in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10173:10
#25 0x79e1a8ae024f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4396:9
#26 0x79e1a4da876b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1456:5
#27 0x79e1a4da876b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11289:16
#28 0x79e1a3d89a8d in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:728:14
#29 0x79e1a3d8aed4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#30 0x79e1a8ff51cf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13740:23
#31 0x79e1a313a81f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:642:22
#32 0x79e1a313bb3e in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#33 0x79e1a4dad9fc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12079:18
#34 0x79e1a4d93889 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8441:3
#35 0x79e1a4e4db99 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#36 0x79e1a4e4db99 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#37 0x79e1a4e4db99 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#38 0x79e1a4e4db99 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#39 0x79e1a4e4db99 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#40 0x79e1a4e4db99 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#41 0x79e1a4e4db99 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#42 0x79e1a2f0c5e7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#43 0x79e1a2f02076 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#44 0x79e1a2f00a87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#45 0x79e1a2f00f05 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#46 0x79e1a2f0ff56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#47 0x79e1a2f0ff56 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#48 0x79e1a2f2366b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#49 0x79e1a2f2a34f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#50 0x79e1a3aa28b5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x79e1a39f5a81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#52 0x79e1a39f5a81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#53 0x79e1a87171d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x79e1a87c5018 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#55 0x79e1a969d47b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:651:20
#56 0x79e1a3aa3706 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#57 0x79e1a39f5a81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#58 0x79e1a39f5a81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#59 0x79e1a969c89a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:586:34
#60 0x5c15b086806e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:398:22

Comment 1

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 2

[Mayank Bansal]

Got this crash from the testcase; https://crash-stats.mozilla.org/report/index/190ee42e-2bbb-40cd-88f5-3b4ac0241024

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20241024094434-7936ca01a900.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 99f1297a102b4c1fc2156cbc8b49be4856cce481 (20231026091345)
End: 6a2518f67e940839b0172c9013b2bb3603093923 (20241018211452)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit BugBot documentation.

Comment 6

[Zach Hoffman [:zrhoffman]]

In a default profile, the testcase first reproduces the crash on 2023-06-05 https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b8f06acca6bf&tochange=03d635b2bdb2, which includes bug 1835066, enabling layout.css.nesting.enabled in Nightly.

In a profile with layout.css.nesting.enabled enabled, the testcase first reproduces the crash on 2023-05-18 https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7085887b4a17&tochange=3a125a6b7c3a, which includes CSS nesting bug 1833536.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1833536

:emilio, since you are the author of the regressor, bug 1833536, could you take a look?

For more information, please visit BugBot documentation.

Comment 8

[Emilio Cobos Álvarez (:emilio)]

That's because it happens to use nesting tho right?

If you un nest the selectors the test-case should reproduce a lot further back.

Comment 9

[Zach Hoffman [:zrhoffman]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #8)

That's because it happens to use nesting tho right?

If you un nest the selectors the test-case should reproduce a lot further back.

Hmm, do you mean like this?

<style>
* {
  display: inline-grid;
  grid-column: span 3835205967;
  grid-template: subgrid / masonry;
}

That does not reproduce the crash for me. But maybe another testcase might?

Comment 10

[Zach Hoffman [:zrhoffman]]

Attachment: Unnested testcase

You're right, it reproduces unnested. Sorry about the false regressed by.