Bug 1515124 - Crash in InvalidArrayIndex_CRASH | nsGridContainerFrame::ReflowInFragmentainer
Status: Closed (RESOLVED FIXED), target milestone mozilla68
Opened 5 years ago, closed 5 years ago
Categories: Core :: Layout: Block and Inline, defect
People: Reporter: tsmith, Assigned: MatsPalmgren_bugz
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 1 file (text/html testcase)
#0 0x55c368e8d4d8 in MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 0x55c368e8d3ed in MOZ_CrashPrintf src/mfbt/Assertions.cpp:55:3
#2 0x7f9a2ec905ca in InvalidArrayIndex_CRASH(unsigned long, unsigned long) src/xpcom/ds/nsTArray.cpp:24:3
#3 0x7f9a39913392 in nsGridContainerFrame::ReflowInFragmentainer(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer&, nsSize const&) src/obj-firefox/dist/include/nsTArray.h
#4 0x7f9a39919ede in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5449:13
#5 0x7f9a3991ee0e in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5806:11
#6 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#7 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#8 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#9 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#10 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#11 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#12 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#13 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#14 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#15 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#16 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#17 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#18 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#19 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#20 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#21 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#22 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#23 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#24 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#25 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#26 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#27 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#28 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#29 0x7f9a396fc0ee in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#30 0x7f9a396ee5ea in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#31 0x7f9a396eb6a5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#32 0x7f9a396dc9c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#33 0x7f9a396d080b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#34 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#35 0x7f9a397566db in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:752:7
#36 0x7f9a3975f23d in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:452:19
#37 0x7f9a3975f23d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1189
#38 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#39 0x7f9a3974cb5f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:731:5
#40 0x7f9a3974f3d0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#41 0x7f9a3988cc5d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:573:3
#42 0x7f9a3988e7ce in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:686:3
#43 0x7f9a39893fe4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1052:3
#44 0x7f9a396aa966 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:922:14
#45 0x7f9a396a9226 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:314:7
#46 0x7f9a393e15db in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8486:11
#47 0x7f9a3940000c in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8655:24
#48 0x7f9a393fd8be in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4081:11
#49 0x7f9a39369f32 in FlushPendingNotifications src/layout/base/nsIPresShell.h:575:5
#50 0x7f9a39369f32 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1783
#51 0x7f9a3937cbca in TickDriver src/layout/base/nsRefreshDriver.cpp:327:13
#52 0x7f9a3937cbca in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:304
#53 0x7f9a3937c36f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:321:5
#54 0x7f9a3937fd1e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:726:5
#55 0x7f9a3937fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:646
#56 0x7f9a3937f680 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:546:9
#57 0x7f9a39e74655 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#58 0x7f9a30b8146b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#59 0x7f9a30792d0a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
#60 0x7f9a300261a9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2159:21
#61 0x7f9a30021dc9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2086:9
#62 0x7f9a30023ea1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1935:3
#63 0x7f9a30024bf7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1966:13
#64 0x7f9a2edd627c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#65 0x7f9a2edde984 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#66 0x7f9a3002f22f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#67 0x7f9a2ff27fae in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#68 0x7f9a2ff27fae in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#69 0x7f9a2ff27fae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#70 0x7f9a38c84143 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#71 0x7f9a3d5a145e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#72 0x7f9a2ff27fae in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#73 0x7f9a2ff27fae in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#74 0x7f9a2ff27fae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#75 0x7f9a3d5a052e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#76 0x55c368e1a864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#77 0x55c368e1a864 in main src/browser/app/nsBrowserApp.cpp:265
#78 0x7f9a51b25b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#79 0x55c368d3feec in _start (firefox+0x2deec)

The same testcase also triggers:

Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at src/layout/generic/nsGridContainerFrame.cpp:1815

#0 nsGridContainerFrame::GridReflowInput::InitializeForContinuation(nsGridContainerFrame*, int) src/layout/generic/nsGridContainerFrame.cpp:1800:43
#1 nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:5774:21
#2 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
#3 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#4 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#5 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#6 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
...
Flags: in-testsuite?
Comment 1•5 years ago (Assignee)
The bug is actually not in the Grid layout code, but in RenumberList(). We call RenumberList() for every block fragment here:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/generic/nsBlockFrame.cpp#1164
but RenumberList() is actually just processing the FirstInFlow():
https://searchfox.org/mozilla-central/source/layout/generic/nsContainerFrame.cpp#1731,1734
so what happens here is that we called RenumberList() on a continuation that left some NS_FRAME_HAS_DIRTY_CHILDREN around in the FIF subtree. This means that we can get into a frame tree state like so:

<reflow-root frame that does not have NS_FRAME_HAS_DIRTY_CHILDREN>
  <non-reflow-root frame without NS_FRAME_HAS_DIRTY_CHILDREN>
    ...
      <A1: first-in-flow block with a counter scope, without NS_FRAME_HAS_DIRTY_CHILDREN>
        <B1: block with NS_FRAME_HAS_DIRTY_CHILDREN>
          ...
            <C1: first-in-flow grid container frame>
    ...
      <A2: next-in-flow of A1>
        <B2: next-in-flow of B1>
          ...
            <C2: next-in-flow of C1>

after reflowing A2 (the RenumberList() call added the bits on B1). Now, an unsuspecting nsGridContainerFrame (with pushed grid items) comes along and calls FrameNeedsReflow because a child was inserted in it:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/generic/nsGridContainerFrame.cpp#6520
The PresShell::FrameNeedsReflow call on C1 then bails out when it sees NS_FRAME_HAS_DIRTY_CHILDREN on B1:
https://searchfox.org/mozilla-central/rev/9528360768d81b1fc84258b5fb3601b5d4f40076/layout/base/PresShell.cpp#2707,2711,2716
so we never actually add C1's reflow root to mDirtyRoots. This eventually leads to a reflow of C2 without reflowing C1, which violates nsGridContainerFrame invariants.
Assignee: nobody → mats
Severity: normal → critical
Component: Layout: Grid → Layout: Block and Inline
OS: Unspecified → All
Hardware: Unspecified → All
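A toy model, added here and not Gecko's code, of the dirty-root bookkeeping Comment 1 describes: the reflow request walks up the ancestors and stops at the first one already marked, so a bit that RenumberList() left behind without enqueueing the reflow root makes the later request from C1 get lost. Frame, PresShellModel and the frame names are constructed for the example; FindStrandedDirtyFrame is the kind of debug check that would have flagged the stray bit.

```cpp
#include <set>
#include <string>
#include <vector>

// Toy frame carrying only what the dirty-root bookkeeping needs.
struct Frame {
    std::string name;
    Frame* parent = nullptr;
    bool reflowRoot = false;
    bool hasDirtyChildren = false;  // stands in for NS_FRAME_HAS_DIRTY_CHILDREN
};

// Stands in for the part of PresShell that owns mDirtyRoots.
struct PresShellModel {
    std::set<Frame*> dirtyRoots;
    // Simplified FrameNeedsReflow: walk up marking ancestors until a reflow
    // root is reached and enqueued. An ancestor already carrying the bit ends
    // the walk early; the invariant says its reflow root is already enqueued.
    void FrameNeedsReflow(Frame* child) {
        for (Frame* a = child->parent; a; a = a->parent) {
            if (a->hasDirtyChildren) return;  // early out
            a->hasDirtyChildren = true;
            if (a->reflowRoot) { dirtyRoots.insert(a); return; }
        }
    }

    // Debug check of the invariant the early-out relies on: every frame with
    // the bit set must have its nearest reflow-root ancestor in dirtyRoots.
    // Returns the name of the first frame violating it, or "" if none.
    std::string FindStrandedDirtyFrame(const std::vector<Frame*>& frames) const {
        for (Frame* f : frames) {
            if (!f->hasDirtyChildren) continue;
            Frame* root = f;
            while (root && !root->reflowRoot) root = root->parent;
            if (!root || !dirtyRoots.count(root)) return f->name;
        }
        return "";
    }
};

// Builds root > A1 > B1 > C1 > item (names constructed after Comment 1) and
// replays the scenario: with strayBitOnB1, B1 is marked dirty without its
// reflow root being enqueued (what RenumberList() did on the page), then a
// child inserted in C1 asks for a reflow. Returns true if the reflow root
// was actually enqueued; *stranded receives the invariant violator, if any.
bool ReflowRootEnqueued(bool strayBitOnB1, std::string* stranded = nullptr) {
    Frame root{"root", nullptr, true}, A1{"A1", &root}, B1{"B1", &A1},
          C1{"C1", &B1}, item{"item", &C1};
    PresShellModel shell;
    if (strayBitOnB1) B1.hasDirtyChildren = true;
    shell.FrameNeedsReflow(&item);  // marks C1, then stops at the dirty B1
    if (stranded) *stranded = shell.FindStrandedDirtyFrame({&root, &A1, &B1, &C1, &item});
    return shell.dirtyRoots.count(&root) > 0;
}
```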
Comment 2•5 years ago
Is this a regression from the dirty roots change?
Comment 3•5 years ago (Assignee)
What is "the dirty roots change"?
Comment 4•5 years ago
I meant bug 1159042 and co.
Comment 5•5 years ago (Assignee)
The crash also occurs in rev 0bb1f2417265 just before that bug landed. (also, the testcase contains no specified width/height)
Comment 6•5 years ago
Would you be able to set a priority for this to get it off the triage queue, Mats?
Flags: needinfo?(mats)
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/29d75123cf56 Add a crashtest. r=me
Comment 8•5 years ago (Assignee)
I removed RenumberList() and all related code in bug 288704,
so this should be fixed now. I pushed the crashtest.
Status: NEW → RESOLVED
Closed: 5 years ago
Depends on: 288704
Flags: needinfo?(mats)
Flags: in-testsuite?
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Updated•5 years ago
Keywords: regression
Comment 9•5 years ago (bugherder)
Comment 10•5 years ago
https://hg.mozilla.org/projects/ash/rev/29d75123cf561c928295b528fb6a3a6e12ee8485 Bug 1515124 - Add a crashtest. r=me