Testcase found while fuzzing mozilla-central rev 190b827aaa2b. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x0000000000000b40 rbx = 0x00007ffcfa943398 rsi = 0x00007faa712928b0 rdi = 0x00007faa71291680 rbp = 0x00007ffcfa942710 rsp = 0x00007ffcfa9426e0 r8 = 0x00007faa712928b0 r9 = 0x00007faa7240a740 r10 = 0x00000000ffffffc7 r11 = 0x0000000000000000 r12 = 0x00007faa570d4068 r13 = 0x000000000000000d r14 = 0x0000000000000001 r15 = 0x000000000000000e rip = 0x00007faa61d97adc OS|Linux|0.0.0 Linux 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV /SEGV_MAPERR|0x0|0 0|0|libxul.so|nsLineLayout::NotifyOptionalBreakPosition(nsIFrame*, int, bool, gfxBreakPriority)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1538|0x18 0|1|libxul.so|nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9609|0x17 0|2|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x9 0|3|libxul.so|nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFirstLetterFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|242|0x24 0|4|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|939|0x30 0|5|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4269|0x14 0|6|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4069|0x29 0|7|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3945|0x41 0|8|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2924|0x1a 0|9|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2458|0x20 0|10|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1292|0xf 0|11|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|309|0x10 0|12|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3573|0x1e 0|13|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2921|0x13 0|14|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2458|0x20 0|15|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1292|0xf 0|16|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|951|0x1a 0|17|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|804|0x4d 0|18|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|951|0x1a 0|19|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|608|0x5 0|20|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|731|0x14 0|21|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1120|0x5 0|22|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|995|0x19 0|23|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|339|0x2b 0|24|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9022|0x25 0|25|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9195|0xe 0|26|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4347|0x15 0|27|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1926|0x5 0|28|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|324|0x8 0|29|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|317|0xc 0|30|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|755|0xc 0|31|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|571|0xc 0|32|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|78|0x9 0|33|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc 0|34|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2239|0x6 0|35|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2166|0xb 0|36|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2012|0xb 0|37|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2045|0xc 0|38|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1167|0x15 0|39|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|519|0x11 0|40|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|97|0xa 0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17 0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8 0|43|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|158|0xd 0|44|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x11 0|45|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|269|0x5 0|46|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17 0|47|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8 0|48|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|770|0x8 0|49|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|50|0x14 0|50|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|287|0x11 0|51|libc-2.27.so||||0x21b97 0|52|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x5

This may or may not be a regression from my float / line layout changes. I'll 301 to Jonathan if it's not :)

Yeah, so this is a longstanding issue, I just upgraded it to a MOZ_ASSERT in bug 488725. Jonathan, looks like you're the one that introduced this assertion, and also the one that's more likely to know what's going on around. Is there any chance you could take a look? Otherwise I'm happy to downgrade the assertion again to NS_ASSERTION or something.

Yeah, so I don't totally understand what's getting confused here, but it seems to be related to bidi (note that there are some Arabic letters in the original testcase) together with the very large letter-spacing applied to the first-letter pseudo. Here's a slightly reduced testcase that hits the same assertion. In the original testcase, I think that in addition to hitting this assertion (and later the "WARNING: We shouldn't be backing up more than once! Someone must have set a break opportunity beyond the available width, even though there were better break opportunities before it" in nsBlockFrame::DoReflowInlineFrames), our rendering is probably incorrect: ISTM we should have taken a line-break somewhere in that random string of text (maybe adjacent to emoji?). So I suspect this assertion is pointing to a genuine bug that we should fix, but it doesn't look critical and I don't have cycles to analyse/debug further at the moment. If the stricter MOZ_ASSERT is causing problems, reverting it to NS_ASSERTION for now seems fine.

(In reply to Jonathan Kew (:jfkthame) from comment #3) > Created attachment 9004803 [details] > somewhat reduced testcase > > Yeah, so I don't totally understand what's getting confused here, but it > seems to be related to bidi (note that there are some Arabic letters in the > original testcase) together with the very large letter-spacing applied to > the first-letter pseudo. > > Here's a slightly reduced testcase that hits the same assertion. > > In the original testcase, I think that in addition to hitting this assertion > (and later the "WARNING: We shouldn't be backing up more than once! Someone > must have set a break opportunity beyond the available width, even though > there were better break opportunities before it" in > nsBlockFrame::DoReflowInlineFrames), our rendering is probably incorrect: > ISTM we should have taken a line-break somewhere in that random string of > text (maybe adjacent to emoji?). > > So I suspect this assertion is pointing to a genuine bug that we should fix, > but it doesn't look critical and I don't have cycles to analyse/debug > further at the moment. If the stricter MOZ_ASSERT is causing problems, > reverting it to NS_ASSERTION for now seems fine.

bughunter can reproduce on windows and linux at https://www.berliner-sparkasse.de/de/home/onlinebanking/finanzstatus.html?n=true and 14 other urls most from berliner-sparkasse.de. I don't see any opt crashes though.

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c87032ced936 Turn assertion back into a non-fatal assertion. r=jfkthame