Closed Bug 1929445 Opened 3 months ago Closed 3 months ago

const _Tp &std::clamp(const _Tp &, const _Tp &, const _Tp &) [_Tp = int]: Assertion '!(__hi < __lo)' failed. [@ mozilla::ScrollContainerFrame::GetNaturalBaselineBOffset]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
134 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 --- verified

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco, testcase)

Attachments

(2 files)

testcase.html
131 bytes, text/html
Details
Bug 1929445 - Use CSSMinMax rather than std::clamp to avoid assertion & undefined behavior on bad arguments. r=#layout
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20241031-5c7de47bcacb (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

const _Tp &std::clamp(const _Tp &, const _Tp &, const _Tp &) [_Tp = int]: Assertion '!(__hi < __lo)' failed.

#0 0x7749530969fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
#1 0x7749530969fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
#2 0x7749530969fc in pthread_kill nptl/pthread_kill.c:89:10
#3 0x774953042475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#4 0x7749530287f2 in abort stdlib/abort.c:79:7
#5 0x774949218272 in __replacement_assert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/x86_64-linux-gnu/c++/8/bits/c++config.h:447:5
#6 0x774949218272 in clamp<int> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:3721:7
#7 0x774949218272 in operator() /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1456:16
#8 0x774949218272 in map<(lambda at /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1449:12)> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:684:19
#9 0x774949218272 in mozilla::ScrollContainerFrame::GetNaturalBaselineBOffset(mozilla::WritingMode, mozilla::BaselineSharingGroup, mozilla::BaselineExportContext) const /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1449:8
#10 0x7749492e983c in nsGridContainerFrame::SynthesizeBaseline(nsGridContainerFrame::FindItemInGridOrderResult const&, mozilla::LogicalAxis, mozilla::BaselineSharingGroup, nsSize const&, int, mozilla::WritingMode) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9834:24
#11 0x7749492e635c in nsGridContainerFrame::CalculateBaselines(nsGridContainerFrame::BaselineSet, mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator<nsFrameList::ForwardFrameTraversal>>*, nsTArray<nsGridContainerFrame::GridItemInfo> const*, nsGridContainerFrame::Tracks const&, unsigned int, unsigned int, mozilla::WritingMode, nsSize const&, int, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9886:52
#12 0x7749492e2ec7 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9146:5
#13 0x77494927dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#14 0x774949216217 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:914:3
#15 0x774949216cc0 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1049:3
#16 0x77494921919d in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1509:3
#17 0x77494927dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#18 0x7749492d4398 in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5520:11
#19 0x7749492d8634 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5756:12
#20 0x7749492d30ef in MaxContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5825:15
#21 0x7749492d29bf in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeForNonSpanningItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6018:14
#22 0x7749492d07d8 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6727:11
#23 0x7749492c510c in CalculateSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5926:3
#24 0x7749492c510c in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4065:12
#25 0x7749492e1405 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8946:21
#26 0x77494927dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#27 0x774949270e8f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:710:7
#28 0x77494927dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#29 0x774949216217 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:914:3
#30 0x774949216cc0 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1049:3
#31 0x77494921919d in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1509:3
#32 0x774949287b41 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:933:14
#33 0x774949242960 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:358:7
#34 0x774949114424 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9986:11
#35 0x77494913d3bf in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10156:22
#36 0x77494911e0af in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10203:10
#37 0x77494911e0af in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4426:9
#38 0x7749453b36db in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1456:5
#39 0x7749453b36db in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11293:16
#40 0x77494437f0ad in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:728:14
#41 0x7749443804f4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#42 0x7749496338bf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13747:23
#43 0x77494371f72f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:642:22
#44 0x774943720a4e in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#45 0x7749453b896c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12083:18
#46 0x77494544591e in mozilla::dom::nsUnblockOnloadEvent::Run() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12045:11
#47 0x7749434eff67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#48 0x7749434e57c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#49 0x7749434e4207 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#50 0x7749434e4685 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#51 0x7749434f3946 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#52 0x7749434f3946 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#53 0x7749435071fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#54 0x77494350dedf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#55 0x7749440948c5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#56 0x774943fe6cc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#57 0x774943fe6cc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#58 0x774948d53378 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#59 0x774948e05378 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#60 0x774949ce29bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:651:20
#61 0x774944095716 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#62 0x774943fe6cc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#63 0x774943fe6cc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#64 0x774949ce1dda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:586:34
#65 0x62b75d1b0e9e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?

Loading the testcase in my debug build doesn't trigger the assertion, but from inspecting the testcase I'm assuming it involves coordinate overflow, and the exact values needed may depend on font metrics (as it includes ch units) and/or window dimensions (as it includes percentages).

A simple way to avoid the assertion would presumably be to replace std::clamp with CSSMinMax, which handles bad parameters in a predictable (if not necessarily "correct") way. But that might just kick the can down the road until we assert somewhere else thanks to the overflowing coords.

In practice this looks unlikely to be too serious, IMO; it probably just means we'll theoretically misplace some part of the rendering, but once coordinates are overflowing we basically have guaranteed-broken rendering anyhow.

Severity: -- → S3

This is just a band-aid to avoid the undefined behavior of std::clamp;
our CSSMinMax handles the case in a predictable way.

The real issue here must be that the frame has reported a "negative"
block-size, presumably due to integer overflow during nscoord arithmetic.
If we get a pernosco trace of the assertion, perhaps we can identify the
source of the overflow and correct/clamp it earlier to avoid this.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED

A Pernosco session is available here: https://pernos.co/debug/nlrTnQPx4SgnJfdarvToCg/index.html

Flags: needinfo?(jfkthame)
Keywords: pernosco-wantedpernosco
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/defec5489353 Use CSSMinMax rather than std::clamp to avoid assertion & undefined behavior on bad arguments. r=dholbert

https://hg.mozilla.org/mozilla-central/rev/defec5489353

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox134: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Verified bug as fixed on rev mozilla-central 20241112214908-aef84d293121.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox134: fixedverified
Keywords: bugmon
status-firefox132: --- → wontfix
status-firefox133: --- → wontfix
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → wontfix
Flags: needinfo?(jfkthame)
Flags: in-testsuite?
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: