2007025 - Assertion failure: false (should have already reflowed the anonymous block child), at /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:338

Status: NEW

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20251018-b6ebc19c013f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: false (should have already reflowed the anonymous block child), at /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:338

#0 0x7cf5161525fc in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7cf5161525fc in FrameIfAnonymousChildReflowed /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:338:5
#2 0x7cf5161525fc in TextRenderedRunIterator /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:1746:24
#3 0x7cf5161525fc in mozilla::SVGTextFrame::TransformFrameRectFromTextChild(nsRect const&, nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5395:27
#4 0x7cf5161527de in mozilla::SVGTextFrame::TransformFrameRectFromTextChild(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5434:28
#5 0x7cf515ea348d in TransformGfxRectToAncestor(mozilla::RelativeTo, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits>>*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2162:20
#6 0x7cf515ea2ade in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits>>*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2401:12
#7 0x7cf515ed1d1a in TransformFrameRectToAncestor /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:859:12
#8 0x7cf515ed1d1a in BoxToRect::AddBox(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3474:15
#9 0x7cf515ed2171 in BoxToRectAndText::AddBox(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3524:16
#10 0x7cf515ea8acf in GetAllInFlowBoxes /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3378:5
#11 0x7cf515ea8acf in nsLayoutUtils::GetAllInFlowRectsAndTexts(nsIFrame*, nsIFrame const*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, mozilla::EnumSet<nsLayoutUtils::GetAllInFlowRectsFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3548:3
#12 0x7cf511caf88e in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3076:7
#13 0x7cf511caf94c in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3096:5
#14 0x7cf511caf94c in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3096:5
#15 0x7cf511caf94c in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3096:5
#16 0x7cf511caf94c in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3096:5
#17 0x7cf511caf94c in CollectClientRectsForSubtree(nsINode*, mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3096:5
#18 0x7cf511caeb72 in nsRange::CollectClientRectsAndText(mozilla::RectCallback*, mozilla::dom::Sequence<nsTString<char16_t>>*, nsRange*, nsINode*, unsigned int, nsINode*, unsigned int, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3168:5
#19 0x7cf515ebc62e in nsLayoutUtils::GetSelectionBoundingRect(mozilla::dom::Selection const*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9089:7
#20 0x7cf515df1b00 in mozilla::AccessibleCaretManager::DispatchCaretStateChangedEvent(mozilla::dom::CaretChangedReason, nsPoint const*) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:1561:17
#21 0x7cf515ded3e0 in mozilla::AccessibleCaretManager::UpdateCaretsForSelectionMode(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:395:5
#22 0x7cf515defeff in UpdateCarets /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:215:7
#23 0x7cf515defeff in mozilla::AccessibleCaretManager::OnReflow() /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:806:5
#24 0x7cf515dec3cf in mozilla::AccessibleCaretEventHub::Reflow(double, double) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretEventHub.cpp:606:11
#25 0x7cf5162deb87 in nsDocShell::NotifyReflowObservers(bool, double, double) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:0:0
#26 0x7cf5162decf6 in non-virtual thunk to nsDocShell::NotifyReflowObservers(bool, double, double) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:0:0
#27 0x7cf515e10148 in mozilla::PresShell::DidDoReflow(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10372:17
#28 0x7cf515e361b0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10681:5
#29 0x7cf515e19682 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10701:10
#30 0x7cf515e19682 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4481:9
#31 0x7cf511d59875 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
#32 0x7cf511d59875 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11677:16
#33 0x7cf515decf1e in MaybeFlush /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:1058:12
#34 0x7cf515decf1e in mozilla::AccessibleCaretManager::MaybeFlushLayout() /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:194:20
#35 0x7cf515ded34a in mozilla::AccessibleCaretManager::UpdateCaretsForSelectionMode(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:377:9
#36 0x7cf515decd3c in mozilla::AccessibleCaretManager::UpdateCarets(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:215:7
#37 0x7cf515decaed in mozilla::AccessibleCaretManager::OnSelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:175:3
#38 0x7cf511ec351b in mozilla::dom::Selection::NotifySelectionListeners() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4060:12
#39 0x7cf515fb0ea9 in nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType, nsFrameSelection::IsBatchingEnd) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:2164:16
#40 0x7cf515fb2cbb in nsFrameSelection::EndBatchChanges(char const*, short) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:2152:13
#41 0x7cf511ec9e73 in EndBatchChanges /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4089:21
#42 0x7cf511ec9e73 in ~SelectionBatcher /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Selection.h:1200:34
#43 0x7cf511ec9e73 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4487:1
#44 0x7cf511ec98dd in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3543:3
#45 0x7cf515e8aef7 in nsDocumentViewer::SelectAll() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2283:14
#46 0x7cf5120007dd in nsSelectionCommand::DoCommand(nsTSubstring<char> const&, nsICommandParams*, nsISupports*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowCommands.cpp:542:10
#47 0x7cf5139efa4b in nsBaseCommandController::DoCommand(char const*) /builds/worker/checkouts/gecko/dom/commandhandler/nsBaseCommandController.cpp:56:21
#48 0x7cf5139f1d33 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/checkouts/gecko/dom/commandhandler/nsCommandManager.cpp:189:22
#49 0x7cf511d2f41f in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5915:25
#50 0x7cf512fd935c in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4663:36
#51 0x7cf5131fccdd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#52 0x7cf516c92bd4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#53 0x7cf516c9242f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#54 0x7cf516ca34c2 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:658:10
...

Comment 1

[Tyson Smith [:tsmith]]

This has also been detected by live site testing.

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20251218095601-5223c4218ee6.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 92dd3425067a91fb007ba63e3facfb2a26b690dd (20241220214556)
End: b6ebc19c013f8176cf701d9af1c5cf549b234307 (20251018210849)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Comment 3

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 2007025 using build mozilla-central 20251018210849-b6ebc19c013f. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.