Open Bug 1996080 Opened 8 hours ago Updated 1 hour ago

Assertion failure: std::isnan(aSize) || aSize >= 0, at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1691

Categories

(Core :: SVG, defect)

Tracking

ASSIGNED
Tracking Status
firefox146 --- affected

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase)

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20251023-426d0bb3c451 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: std::isnan(aSize) || aSize >= 0, at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1691

#0 0x71bedb2f7940 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x71bedb2f7940 in nsLayoutUtils::ConstrainToCoordValues(double&, double&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:1691:3
#2 0x71bedb2f810b in nsRect nsLayoutUtils::RoundGfxRectToAppRect<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double>>(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, float) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:3263:3
#3 0x71bedb44519d in ComputeClipForMaskItem /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3073:9
#4 0x71bedb44519d in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3491:21
#5 0x71bedb3c6dbf in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4454:12
#6 0x71bedb3b2e7c in DisplayLine(mozilla::nsDisplayListBuilder*, GenericLineListIterator<nsLineLink, false>&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&, bool&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7870:13
#7 0x71bedb3b18b4 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:8063:9
#8 0x71bedb445ae1 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3513:5
#9 0x71bedb3c6dbf in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4454:12
#10 0x71bedb3b2e7c in DisplayLine(mozilla::nsDisplayListBuilder*, GenericLineListIterator<nsLineLink, false>&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&, bool&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7870:13
#11 0x71bedb3b18b4 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:8063:9
#12 0x71bedb445ae1 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3513:5
#13 0x71bedb3c6dbf in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4454:12
#14 0x71bedb3b6718 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:387:5
#15 0x71bedb3c7262 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4488:14
#16 0x71bedb37282c in mozilla::ScrollContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:4089:7
#17 0x71bedb3c7262 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4488:14
#18 0x71bedb38a2b9 in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:79:3
#19 0x71bedb445ae1 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3513:5
#20 0x71bedb2fde3d in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3178:15
#21 0x71bedb27d174 in mozilla::PresShell::PaintInternal(nsIFrame*, mozilla::WindowRenderer*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6734:5
#22 0x71bedadd973d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:383:18
#23 0x71bedadd923e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:318:22
#24 0x71bedadda2ec in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:771:5
#25 0x71bedb239ffd in nsRefreshDriver::PaintIfNeeded() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2639:9
#26 0x71bedb239917 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2559:60
#27 0x71bedb239917 in void nsRefreshDriver::RunRenderingPhaseLegacy<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13&&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1288:3
#28 0x71bedb23469d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2557:3
#29 0x71bedb23df01 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:370:13
#30 0x71bedb23df01 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:7
#31 0x71bedb23de00 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:364:5
#32 0x71bedb23dcad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:954:5
#33 0x71bedb23d24a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:864:5
#34 0x71bedb23c746 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:595:14
#35 0x71beda607d2b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#36 0x71beda888cb9 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#37 0x71beda7aeb43 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8477:32
#38 0x71bed5f4edde in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#39 0x71bed5f4c360 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#40 0x71bed5f4cd67 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#41 0x71bed5f4dd49 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#42 0x71bed534ab07 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#43 0x71bed53453e7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#44 0x71bed5344087 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#45 0x71bed5344505 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#46 0x71bed53519d9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#47 0x71bed53519d9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:550:5
#48 0x71bed53639b3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1161:16
#49 0x71bed536a27f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:462:10
#50 0x71bed5f54623 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#51 0x71bed5eaf0a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#52 0x71bed5eaf0a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#53 0x71bedae3d158 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#54 0x71bedaf0ad14 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#55 0x71bedbf36e4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:20
#56 0x71bed5f55514 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#57 0x71bed5eaf0a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#58 0x71bed5eaf0a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#59 0x71bedbf365a1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:595:34
#60 0x5aeb5a3efe7c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:419:22
Flags: in-testsuite?
Assignee: nobody → longsonr
Status: NEW → ASSIGNED