Open Bug 1930025 Opened 1 month ago Updated 6 days ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270

Categories

(Core :: Layout: Scrolling and Overflow, defect)

Tracking Status
firefox134 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20241031-ea780f8940f5 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270

#0 0x75d60243dc49 in mozilla::CalcSnapPoints::GetBestEdge(nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270:5
#1 0x75d60243ae4e in mozilla::ScrollSnapUtils::GetSnapPointForDestination(mozilla::ScrollSnapInfo const&, mozilla::ScrollUnit, mozilla::ScrollSnapFlags, nsRect const&, nsPoint const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:522:34
#2 0x75d602423b80 in GetSnapPointForDestination /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:7642:10
#3 0x75d602423b80 in mozilla::ScrollContainerFrame::ScrollToWithOrigin(nsPoint, nsRect const*, mozilla::ScrollContainerFrame::ScrollOperationParams&&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:2442:23
#4 0x75d60242858c in mozilla::ScrollContainerFrame::ScrollByCSSPixelsInternal(mozilla::gfx::IntPointTyped<mozilla::CSSPixel> const&, mozilla::ScrollMode, mozilla::ScrollSnapFlags) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:4988:3
#5 0x75d5fe3d089a in ScrollByCSSPixels /builds/worker/workspace/obj-build/dist/include/mozilla/ScrollContainerFrame.h:484:12
#6 0x75d5fe3d089a in nsGlobalWindowInner::ScrollBy(mozilla::dom::ScrollToOptions const&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3897:7
#7 0x75d5ff3fa1b9 in mozilla::dom::Window_Binding::scrollBy(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:4593:28
#8 0x75d5ff91e4b2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#9 0x75d60309aff4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#10 0x75d60309a7d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#11 0x75d603be552f in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1683:10
#12 0x34db932cad5e  ([anon:js-executable-memory]+0x1bd5e)

Flags: in-testsuite?
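When a fuzzing report like the one above lands in a queue, the first triage step is usually mechanical: pull the assertion line and the symbolized frames apart, drop the build-tree prefix, and derive a short signature from the top in-tree frames so duplicate reports bucket together. The parser below is an added illustration of that, written for this page; it is not Grizzly or Bugzilla code. The input string is a constructed subset of the frames shown in this report, and the two build-tree prefixes it strips are taken from the paths in the trace; the symbol simplification is a deliberately small hand-written one rather than a real demangler.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the assertion line and a subset of the frames from this report.
REPORT = """\
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270

#0 0x75d60243dc49 in mozilla::CalcSnapPoints::GetBestEdge(nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270:5
#1 0x75d60243ae4e in mozilla::ScrollSnapUtils::GetSnapPointForDestination(mozilla::ScrollSnapInfo const&, mozilla::ScrollUnit, mozilla::ScrollSnapFlags, nsRect const&, nsPoint const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:522:34
#2 0x75d602423b80 in GetSnapPointForDestination /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:7642:10
#3 0x75d602423b80 in mozilla::ScrollContainerFrame::ScrollToWithOrigin(nsPoint, nsRect const*, mozilla::ScrollContainerFrame::ScrollOperationParams&&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:2442:23
#6 0x75d5fe3d089a in nsGlobalWindowInner::ScrollBy(mozilla::dom::ScrollToOptions const&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3897:7
#12 0x34db932cad5e  ([anon:js-executable-memory]+0x1bd5e)
"""

# Build-tree prefixes seen in the paths of this report (assumption: same layout for other reports).
TREE_PREFIXES = ("/builds/worker/checkouts/gecko/", "/builds/worker/workspace/obj-build/")

# "#N 0xADDR in SYMBOL PATH:LINE:COL" -- the symbol may contain spaces, the path does not.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x(?P<addr>[0-9a-f]+)\s+in\s+(?P<func>.+?)\s+"
    r"(?P<path>\S+):(?P<line>\d+):(?P<col>\d+)$"
)
# "#N 0xADDR  (REGION)" -- unsymbolized frame, e.g. JIT code.
ANON_RE = re.compile(r"^#(?P<idx>\d+)\s+0x(?P<addr>[0-9a-f]+)\s+\((?P<region>.*)\)$")
ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.*), at (?P<path>\S+):(?P<line>\d+)$")


@dataclass
class Assertion:
    cond: str
    path: str
    line: int


@dataclass
class Frame:
    idx: int
    addr: int
    func: Optional[str]  # None for unsymbolized frames
    path: str            # source path (tree prefix stripped) or the anonymous region
    line: Optional[int]
    col: Optional[int]


def rel_path(path: str) -> str:
    """Strip the CI build-tree prefix so paths compare across builds."""
    for prefix in TREE_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def short_symbol(func: str) -> str:
    """Reduce a demangled symbol to its qualified name: drop template arguments,
    the parameter list, trailing qualifiers (e.g. 'const') and a leading return type.
    Hand-rolled and good enough for these frames; 'operator<' would need a real demangler."""
    out, depth = [], 0
    for ch in func:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    name = "".join(out).split("(", 1)[0].strip()
    return name.split()[-1]


def parse_report(text: str) -> Tuple[Optional[Assertion], List[Frame]]:
    assertion, frames = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ASSERT_RE.match(line):
            assertion = Assertion(m["cond"], rel_path(m["path"]), int(m["line"]))
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m["idx"]), int(m["addr"], 16), m["func"],
                                rel_path(m["path"]), int(m["line"]), int(m["col"])))
        elif m := ANON_RE.match(line):
            frames.append(Frame(int(m["idx"]), int(m["addr"], 16), None, m["region"], None, None))
    return assertion, frames


def signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key: the first `depth` symbolized frames, joined with ' | '."""
    names = [short_symbol(f.func) for f in frames if f.func is not None]
    return " | ".join(names[:depth])


def assertion_matches_top_frame(assertion: Assertion, frames: List[Frame]) -> bool:
    """Sanity check: the assertion site should be frame #0 of the trace."""
    return bool(frames) and frames[0].path == assertion.path and frames[0].line == assertion.line


if __name__ == "__main__":
    a, fs = parse_report(REPORT)
    print(a)
    print(signature(fs))
    print("assertion site is frame #0:", assertion_matches_top_frame(a, fs))
```

The signature deliberately skips unsymbolized frames such as the `[anon:js-executable-memory]` entry, since JIT addresses differ from run to run and would defeat deduplication; the assertion-site check catches reports where the trace was truncated or pasted from a different build than the assertion line.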

Testcase crashes using the initial build (mozilla-central 20241031210134-ea780f8940f5) but not with tip (mozilla-central 20241112214908-aef84d293121).

Unable to bisect testcase (End build crashes!):

Start: ea780f8940f5bf01498e5ca5895e37a5ffc97d5a (20241031210134)
End: aef84d293121c3b43a61790c76e125f4fec9209f (20241112214908)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

I am able to reproduce this with m-c 20241120-2db7b3567f79. Not sure what happened with bugmon.

The severity field is not set for this bug.
:hiro, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(hikezoe.birchill)

Hello Tyson,

Given that our bug bot hasn't commented that this bug is a fuzz blocker, just like in bug 1858798 comment 11, we can assume this doesn't need to be addressed urgently, right?

Flags: needinfo?(hikezoe.birchill) → needinfo?(twsmith)

That is correct, this is being reported by fuzzers at a low volume. Thanks for checking!

Flags: needinfo?(twsmith)