Assertion failure: IsLengthPercentage(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConsts.h:13997
Categories
(Core :: Layout, defect)
Tracking
| Release | Tracking | Status |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox143 | --- | unaffected |
| firefox144 | --- | unaffected |
| firefox145 | --- | disabled |
| firefox146 | --- | verified |
| firefox147 | --- | verified |
People
(Reporter: tsmith, Assigned: dholbert)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords)
Attachments
(3 files)
Found with m-c 20250918-e5f1e4c59507 (--enable-debug)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting http://kgmi.com/.
Assertion failure: IsLengthPercentage(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConsts.h:13997
#0 0x7ffea8483233 in mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion>::AsLengthPercentage /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConsts.h:13997
#1 0x7ffea8479426 in mozilla::ReflowInput::InitConstraints /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2397
#2 0x7ffea84727af in mozilla::ReflowInput::Init /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:490
#3 0x7ffea890783e in nsTableRowFrame::InitChildReflowInput /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:87
#4 0x7ffea890e254 in nsTableRowFrame::ReflowChildren /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:764
#5 0x7ffea8910fd5 in nsTableRowFrame::Reflow /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:975
#6 0x7ffea8593b62 in nsContainerFrame::ReflowChild /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906
#7 0x7ffea891730e in nsTableRowGroupFrame::ReflowChildren /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:385
#8 0x7ffea89207cc in nsTableRowGroupFrame::Reflow /builds/worker/checkouts/gecko/layout/tables/nsTableRowGroupFrame.cpp:1346
#9 0x7ffea8593b62 in nsContainerFrame::ReflowChild /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906
#10 0x7ffea88e6051 in nsTableFrame::ReflowChildren /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:2760
#11 0x7ffea88e1737 in nsTableFrame::Reflow /builds/worker/checkouts/gecko/layout/tables/nsTableFrame.cpp:1708
#12 0x7ffea8593b62 in nsContainerFrame::ReflowChild /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906
#13 0x7ffea892a635 in nsTableWrapperFrame::Reflow /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:715
#14 0x7ffea854d6ed in nsBlockReflowContext::ReflowBlock /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291
#15 0x7ffea85450c7 in nsBlockFrame::ReflowBlockFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4556
#16 0x7ffea85426c5 in nsBlockFrame::ReflowLine /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3880
#17 0x7ffea853545d in nsBlockFrame::ReflowDirtyLines /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3387
#18 0x7ffea852d469 in nsBlockFrame::TrialReflow /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1954
#19 0x7ffea85299b5 in nsBlockFrame::Reflow /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589
#20 0x7ffea8593b62 in nsContainerFrame::ReflowChild /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906
#21 0x7ffea886b35d in nsFieldSetFrame::Reflow /builds/worker/checkouts/gecko/layout/forms/nsFieldSetFrame.cpp:604
#22 0x7ffea854d6ed in nsBlockReflowContext::ReflowBlock /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291
#23 0x7ffea85450c7 in nsBlockFrame::ReflowBlockFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4556
#24 0x7ffea85426c5 in nsBlockFrame::ReflowLine /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3880
#25 0x7ffea853545d in nsBlockFrame::ReflowDirtyLines /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3387
#26 0x7ffea852d469 in nsBlockFrame::TrialReflow /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1954
#27 0x7ffea85299b5 in nsBlockFrame::Reflow /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589
#28 0x7ffea8593b62 in nsContainerFrame::ReflowChild /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906
#29 0x7ffea84a70ff in mozilla::ScrollContainerFrame::ReflowScrolledFrame /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:913
#30 0x7ffea84a8391 in mozilla::ScrollContainerFrame::ReflowContents /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1029
#31 0x7ffea84ad6d8 in mozilla::ScrollContainerFrame::Reflow /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1491
#32 0x7ffea851827d in nsAbsoluteContainingBlock::ReflowAbsoluteFrame /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:977
#33 0x7ffea8514263 in nsAbsoluteContainingBlock::Reflow /builds/worker/checkouts/gecko/layout/generic/nsAbsoluteContainingBlock.cpp:247
#34 0x7ffea86e2d9d in nsIFrame::ReflowAbsoluteFrames /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7490
#35 0x7ffea85f68c7 in nsIFrame::FinishReflowWithAbsoluteFrames /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7461
#36 0x7ffea892abb8 in nsTableWrapperFrame::Reflow /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:767
#37 0x7ffea85d2fbd in nsFlexContainerFrame::MeasureBSizeForFlexItem /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2082
#38 0x7ffea85ee25e in nsFlexContainerFrame::DoFlexLayout /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5389
#39 0x7ffea85e9190 in nsFlexContainerFrame::Reflow /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4720
#40 0x7ffea854d6ed in nsBlockReflowContext::ReflowBlock /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291
#41 0x7ffea85450c7 in nsBlockFrame::ReflowBlockFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4556
...
| Reporter | ||
Comment 1•5 months ago
A Pernosco session is available here: https://pernos.co/debug/FoBa1PoGNCNfPkUVXcgfSQ/index.html
Comment 2•5 months ago
Hi Daniel, this bug reproduces after setting layout.css.webkit-fill-available.enabled to true. Could you take a look?
Comment 3•5 months ago
Set release status flags based on info from the regressing bug 1988938
| Assignee | ||
Comment 4•5 months ago
I'll take a look, yup - thanks!
| Assignee | ||
Comment 5•4 months ago
Here's a reduced testcase.
Crash report from this testcase: bp-d80144d2-6c78-4475-aa1b-f8b7c0250922
| Assignee | ||
Comment 6•4 months ago
Side note, there are 3 other crashes from the past week with the same crash-signature, but none of them have table layout in the backtrace, so I think they're different - I filed bug 1990034 on those.
| Assignee | ||
Comment 7•4 months ago
[Tracking Requested - why for this release]: crash, regression in 145, likely not hard to fix. (I was hoping to fix during this Nightly cycle but here we are at soft-freeze). Want to be sure we don't ship to release, so I want to fix early in the next cycle and uplift to beta.
(Note this is the same signature as bug 1990034 but we're hitting it a different way.)
Comment 8•4 months ago
The bug is marked as tracked for firefox145 (nightly). However, the bug still has low severity.
:fgriffith, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
Comment 9•4 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 content process crashes on beta
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 10•3 months ago
We switched this feature off on beta145 (bug 1988938 comment 18), so there's no need to track for that release anymore.
Comment 11•3 months ago
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 12•3 months ago
| Assignee | ||
Comment 13•3 months ago
There are a series of recent crashes (many of which are probably the same user attempting to access the same site) that look like they're this specific crash (in InitConstraints, with table layout in the backtrace).
They should be addressed by the WIP attached here.
One such crash: bp-779b4d51-5439-4c87-9d00-29f930251113
Another earlier one for a different site: bp-d11f644f-57f9-4474-858a-7d6c70251028
| Assignee | ||
Comment 14•3 months ago
This bug's WIP patch fixes another pattern-of-crashing (i.e. a set of crashes with a somewhat different backtrace from the ones in comment 13).
This other set of crash reports have ComputeBSizeValueHandlingStretch (called by ComputeMinMaxValues). Here's one sample:
bp-60930434-fd34-4fac-9703-e6e2e0251116
The (privately-shared) URL in this crash report URL does crash for me in Nightly & beta (including in a Nightly build with bug 1990034's patch), but it doesn't crash in my local build with this bug's patch also applied.
Comment 15•3 months ago
Comment 17•3 months ago
| bugherder | ||
Comment 18•3 months ago
firefox-beta Uplift Approval Request
- User impact if declined: Similar to bug 1990034 comment 19: this is a fix for a crash that we're seeing users hitting in the wild (in builds with support for -webkit-fill-available enabled, which right now is 146 and 147).
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: Load attached testcase https://bugzilla.mozilla.org/attachment.cgi?id=9514779 and http://kgmi.com/ . (If the bug is fixed, then neither should crash your tab.)
- Risk associated with taking this patch: low
- Explanation of risk level: The patch is small and narrowly targeted to only affect situations where a site is using this newly-supported feature and where we would have been at-risk-of-crashing.
- String changes made/needed: None.
- Is Android affected?: yes
| Assignee | ||
Comment 19•3 months ago
This is needed for certain cases with table layout that happen to bypass our
codepaths that would otherwise resolve 'stretch' closer to the point-of-use.
So, this patch makes us resolve 'stretch' a bit more eagerly here.
I'm including a testcase (expanded from the testcase in the bug report)
that has 'stretch' applied to various table parts, to give us code-coverage
for these scenarios.
The correctness checks in the testcase are kinda trivial (and would generally
pass whether or not the 'stretch' keyword is supported), since table layout
already forces table-parts to stretch, generally. So, the point of the test is
mostly to give us some basic code coverage to ensure that we behave reasonably
when this keyword (and its aliases like -webkit-fill-available) are used in
this context.
Original Revision: https://phabricator.services.mozilla.com/D272732
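
The failure mode discussed in this bug, as an added example that is not part of the bug report or of Gecko's code: a simplified C++ model of a tagged size value whose `AsLengthPercentage()` accessor asserts on the variant, with stretch-like keywords resolved eagerly before the accessor is reached. The `Size`, `ResolveStretch` and `ComputeSize` definitions, and the rule that 'stretch' resolves to the full available size, are assumptions made for illustration.

```cpp
// Simplified model (added example, not Gecko code): a tagged size value whose
// accessor is valid for one variant only, plus eager resolution of 'stretch'.
#include <cassert>

struct LengthPercentage {
  float px;       // fixed part
  float percent;  // fraction of the basis, 0..1
  float Resolve(float basis) const { return px + percent * basis; }
};

struct Size {
  enum class Tag { Auto, LengthPercentage, Stretch, WebkitFillAvailable };
  Tag tag;
  LengthPercentage lp;  // meaningful only when tag == LengthPercentage

  bool IsLengthPercentage() const { return tag == Tag::LengthPercentage; }
  bool BehavesAsStretch() const {
    return tag == Tag::Stretch || tag == Tag::WebkitFillAvailable;
  }
  // Same shape as the failing check: the caller must hold the right variant.
  const LengthPercentage& AsLengthPercentage() const {
    assert(IsLengthPercentage());
    return lp;
  }
};

// Eager resolution: turn a stretch-like keyword into a concrete length before
// any code that assumes a length-percentage sees it.
// Assumption: 'stretch' fills the whole available size (margins ignored).
Size ResolveStretch(const Size& s, float available) {
  if (!s.BehavesAsStretch()) return s;
  return Size{Size::Tag::LengthPercentage, {available, 0.0f}};
}

// Hypothetical caller standing in for constraint setup. Writes the computed
// size to *out and returns true, or returns false for 'auto'. The accessor is
// never reached with a keyword variant.
bool ComputeSize(const Size& specified, float available, float* out) {
  Size s = ResolveStretch(specified, available);
  if (!s.IsLengthPercentage()) return false;
  *out = s.AsLengthPercentage().Resolve(available);
  return true;
}
```

Calling `AsLengthPercentage()` directly on a `Stretch` or `WebkitFillAvailable` value trips the assertion, which is the pattern at the top of the stack in the report; routing every caller through the resolver removes that path.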
Comment 21•3 months ago
I have reproduced the crash with the test cases from comment 18 using an affected Nightly debug build on Win 11.
The issue is verified as fixed on latest debug Nightly build with Win 11.
Comment 22•3 months ago
| uplift | ||
Comment 23•2 months ago
Verified fixed using Firefox Beta 146.0 (20251201213807) on MacOS 15.5, Windows 10 and Ubuntu 24.04.