1996058 - Assertion failure: std::isnan(aSize) || aSize >= 0, at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1689

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20251022-26f7074eb15e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: std::isnan(aSize) || aSize >= 0, at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1689

#0 0x7e6c6ccf7940 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7e6c6ccf7940 in nsLayoutUtils::ConstrainToCoordValues(double&, double&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1691:3
#2 0x7e6c6ccf80dd in nsRect nsLayoutUtils::RoundGfxRectToAppRect<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double>>(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, float) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:3256:3
#3 0x7e6c6cf7a045 in mozilla::SVGImageFrame::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, mozilla::DisplaySVGImage*, bool) /builds/worker/checkouts/gecko/layout/svg/SVGImageFrame.cpp:506:9
#4 0x7e6c682627db in ShouldBeActive /builds/worker/workspace/obj-build/dist/include/mozilla/SVGImageFrame.h:152:19
#5 0x7e6c682627db in mozilla::layers::IsItemProbablyActive(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1237:20
#6 0x7e6c68261df1 in mozilla::layers::Grouper::ConstructGroups(mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::layers::StackingContextHelper const&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1344:21
#7 0x7e6c68269c1c in mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1719:5
#8 0x7e6c6d08966e in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4659:30
#9 0x7e6c6d08966e in mozilla::nsDisplaySVGWrapper::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8776:10
#10 0x7e6c6826dbb4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1866:41
#11 0x7e6c6826c2c9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2194:7
#12 0x7e6c6d07efaf in mozilla::nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6944:30
#13 0x7e6c6826dbb4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1866:41
#14 0x7e6c6826c2c9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2194:7
#15 0x7e6c6d076cb5 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4659:30
#16 0x7e6c6d076cb5 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:5070:12
#17 0x7e6c6d076cb5 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5333:22
#18 0x7e6c6d078f13 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:5583:12
#19 0x7e6c6826dbb4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1866:41
#20 0x7e6c6826c2c9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2194:7
#21 0x7e6c6826ab0e in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1787:5
#22 0x7e6c6829fe1f in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:388:30
#23 0x7e6c6d065e4b in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2300:18
#24 0x7e6c6ccfe4e6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3245:9
#25 0x7e6c6cc7d174 in mozilla::PresShell::PaintInternal(nsIFrame*, mozilla::WindowRenderer*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6734:5
#26 0x7e6c6c7d973d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:383:18
#27 0x7e6c6c7d923e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:318:22
#28 0x7e6c6c7da2ec in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:771:5
#29 0x7e6c6cc39ffd in nsRefreshDriver::PaintIfNeeded() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2639:9
#30 0x7e6c6cc39917 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2559:60
#31 0x7e6c6cc39917 in void nsRefreshDriver::RunRenderingPhaseLegacy<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13&&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1288:3
#32 0x7e6c6cc3469d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2557:3
#33 0x7e6c6cc3df01 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:370:13
#34 0x7e6c6cc3df01 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:7
#35 0x7e6c6cc3de00 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:364:5
#36 0x7e6c6cc3dcad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:954:5
#37 0x7e6c6cc3d24a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:864:5
#38 0x7e6c6cc3c746 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:595:14
#39 0x7e6c6c007d2b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#40 0x7e6c6c288cb9 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#41 0x7e6c6c1aeb43 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8477:32
#42 0x7e6c6794edde in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#43 0x7e6c6794c360 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#44 0x7e6c6794cd67 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#45 0x7e6c6794dd49 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#46 0x7e6c66d4ab07 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#47 0x7e6c66d453e7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#48 0x7e6c66d44087 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#49 0x7e6c66d44505 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#50 0x7e6c66d519d9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#51 0x7e6c66d519d9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:550:5
#52 0x7e6c66d639b3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1161:16
#53 0x7e6c66d6a27f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:462:10
#54 0x7e6c67954623 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#55 0x7e6c678af0a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#56 0x7e6c678af0a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#57 0x7e6c6c83d158 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#58 0x7e6c6c90ad14 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#59 0x7e6c6d936e4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:20
#60 0x7e6c67955514 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#61 0x7e6c678af0a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#62 0x7e6c678af0a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#63 0x7e6c6d9365a1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:595:34
#64 0x604a77075e7c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:419:22

Comment 1

[Robert Longson [:longsonr]]

Attachment: Bug 1996058 - Fix crash when clipRect has a negative width or height r=emilio

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20251024094538-f9f643c6d608.
The bug appears to have been introduced in the following build range:

Start: 28553dbd41b69719386bc09fe09d84c3de72daa4 (20251022092305)
End: 9d2e5ef3d9ade5a02db277da7c4d666ef3030da7 (20251022013350)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=28553dbd41b69719386bc09fe09d84c3de72daa4&tochange=9d2e5ef3d9ade5a02db277da7c4d666ef3030da7

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:longsonr, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1995177

Comment 5

[Pulsebot]

Pushed by longsonr@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/bf4ac99b5315
https://hg.mozilla.org/integration/autoland/rev/57b55833c94d
Fix crash when clipRect has a negative width or height r=emilio

Comment 6

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/55717 for changes under testing/web-platform/tests

Comment 7

[amarc]

https://hg.mozilla.org/mozilla-central/rev/57b55833c94d

Comment 8

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20251028215909-ebd252259b1b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot