Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270
Categories: Core :: Layout: Scrolling and Overflow, defect

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox134 | --- | affected |

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]

Attachments (1 file): testcase, 445 bytes, text/html
Found while fuzzing m-c 20241031-ea780f8940f5 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270
#0 0x75d60243dc49 in mozilla::CalcSnapPoints::GetBestEdge(nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270:5
#1 0x75d60243ae4e in mozilla::ScrollSnapUtils::GetSnapPointForDestination(mozilla::ScrollSnapInfo const&, mozilla::ScrollUnit, mozilla::ScrollSnapFlags, nsRect const&, nsPoint const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:522:34
#2 0x75d602423b80 in GetSnapPointForDestination /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:7642:10
#3 0x75d602423b80 in mozilla::ScrollContainerFrame::ScrollToWithOrigin(nsPoint, nsRect const*, mozilla::ScrollContainerFrame::ScrollOperationParams&&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:2442:23
#4 0x75d60242858c in mozilla::ScrollContainerFrame::ScrollByCSSPixelsInternal(mozilla::gfx::IntPointTyped<mozilla::CSSPixel> const&, mozilla::ScrollMode, mozilla::ScrollSnapFlags) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:4988:3
#5 0x75d5fe3d089a in ScrollByCSSPixels /builds/worker/workspace/obj-build/dist/include/mozilla/ScrollContainerFrame.h:484:12
#6 0x75d5fe3d089a in nsGlobalWindowInner::ScrollBy(mozilla::dom::ScrollToOptions const&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3897:7
#7 0x75d5ff3fa1b9 in mozilla::dom::Window_Binding::scrollBy(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:4593:28
#8 0x75d5ff91e4b2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#9 0x75d60309aff4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#10 0x75d60309a7d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#11 0x75d603be552f in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1683:10
#12 0x34db932cad5e ([anon:js-executable-memory]+0x1bd5e)
Comment 1 • 28 days ago
Testcase crashes using the initial build (mozilla-central 20241031210134-ea780f8940f5) but not with tip (mozilla-central 20241112214908-aef84d293121).
Unable to bisect testcase (End build crashes!):
Start: ea780f8940f5bf01498e5ca5895e37a5ffc97d5a (20241031210134)
End: aef84d293121c3b43a61790c76e125f4fec9209f (20241112214908)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 2 (Reporter) • 20 days ago
I am able to reproduce this with m-c 20241120-2db7b3567f79. Not sure what happened with bugmon.
Comment 3 • 14 days ago
The severity field is not set for this bug.
:hiro, could you have a look please?
For more information, please visit BugBot documentation.
Comment 4 • 6 days ago
Hello Tyson,
Given that our bug bot hasn't commented that this bug is a fuzz blocker, just like bug 1858798 comment 11, we can assume this doesn't need to be addressed urgently, right?
Comment 5 (Reporter) • 6 days ago
That is correct, this is being reported by fuzzers at a low volume. Thanks for checking!