Closed Bug 1533885 Opened 6 years ago Closed 6 years ago

Assertion failure: !IsFramePartOfIBSplit(aParentFrame) (We should have wiped aParentFrame in WipeContainingBlock if it's part of IB split!), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10885

Categories

(Core :: Layout: Columns, defect, P3)

Product:
Core
Component:
Layout: Columns
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

Attachments

(2 files)

testcase.html
(deleted), text/html
Details
Bug 1533885 - Bail out from MaybeRecreateForColumnSpan if aFrameList is empty.
(deleted), text/x-phabricator-request
Details
Attached file testcase.html (deleted) —

Testcase found while fuzzing mozilla-central rev 54ed5eac2abc.

Assertion failure: !IsFramePartOfIBSplit(aParentFrame) (We should have wiped aParentFrame in WipeContainingBlock if it's part of IB split!), at /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10885

rax = 0x000056447d5d4e40 rdx = 0x0000000000000000
rcx = 0x00007f5449ab00c7 rbx = 0x00007f543e197428
rsi = 0x00007f54564ee8b0 rdi = 0x00007f54564ed680
rbp = 0x00007ffe65ebb740 rsp = 0x00007ffe65ebb6b0
r8 = 0x00007f54564ee8b0 r9 = 0x00007f5457670740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffe65ebb7d8 r13 = 0x00007f543e197288
r14 = 0x00007f543c97d200 r15 = 0x0000000000000000
rip = 0x00007f54463d19e7
OS|Linux|0.0.0 Linux 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64
CPU|amd64|family 6 model 60 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsCSSFrameConstructor::MaybeRecreateForColumnSpan(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|10883|0x0
0|1|libxul.so|nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|7333|0x24
0|2|libxul.so|nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:13db12a097dfdcf56704ddc1845403207891b013|8689|0x19
0|3|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:13db12a097dfdcf56704ddc1845403207891b013|1583|0x12
0|4|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:13db12a097dfdcf56704ddc1845403207891b013|3107|0xb
0|5|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:13db12a097dfdcf56704ddc1845403207891b013|4122|0x19
0|6|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|1888|0x5
0|7|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|342|0xb
0|8|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|336|0xf
0|9|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|777|0xf
0|10|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:13db12a097dfdcf56704ddc1845403207891b013|592|0x11
0|11|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:13db12a097dfdcf56704ddc1845403207891b013|65|0x8
0|12|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:77ce59d8b2c7052469c47c063657e9de1ccc8108986d35814c718a6919e13f00c69b96f485bc73c2590f51f3ea688a95fac179d8497a06fdf9265adfe5cefbb3/ipc/ipdl/PVsyncChild.cpp:|168|0xb
0|13|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|2151|0x6
0|14|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|2078|0xb
0|15|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|1937|0xb
0|16|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:13db12a097dfdcf56704ddc1845403207891b013|1968|0xc
0|17|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:13db12a097dfdcf56704ddc1845403207891b013|1179|0x15
0|18|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:13db12a097dfdcf56704ddc1845403207891b013|482|0x11
0|19|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:13db12a097dfdcf56704ddc1845403207891b013|88|0xa
0|20|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|315|0x17
0|21|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|308|0x8
0|22|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:13db12a097dfdcf56704ddc1845403207891b013|137|0xd
0|23|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:13db12a097dfdcf56704ddc1845403207891b013|911|0x11
0|24|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:13db12a097dfdcf56704ddc1845403207891b013|238|0x5
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|315|0x17
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:13db12a097dfdcf56704ddc1845403207891b013|308|0x8
0|27|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:13db12a097dfdcf56704ddc1845403207891b013|749|0xc
0|28|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:13db12a097dfdcf56704ddc1845403207891b013|49|0x14
0|29|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:13db12a097dfdcf56704ddc1845403207891b013|265|0x11
0|30|libc-2.27.so||||0x21b97
0|31|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:13db12a097dfdcf56704ddc1845403207891b013|184|0x5

Flags: in-testsuite?
Component: Layout → Layout: Columns
Priority: -- → P3

To reproduce the assertion, we need to enable layout.css.column-span.enabled.

Assignee: nobody → aethanyc
Blocks: fuzzing-column-span
Status: NEW → ASSIGNED

The test case triggers MOZ_ASSERT(!IsFramePartOfIBSplit(aParentFrame))
in MaybeRecreateForColumnSpan() because WipeContainingBlock() returns
early when the FrameConstructionItemList is empty. Thus, it doesn't wipe
the aParentFrame even if it's part of an IB split.

Similarly, MaybeRecreateForColumnSpan() doesn't need to do anything if
the frame list is empty because it's no way it can contain a
column-span. (Empty frame construction item list construct no frames.)

Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7b5a7b0be77d Bail out from MaybeRecreateForColumnSpan if aFrameList is empty. r=dbaron

https://hg.mozilla.org/mozilla-central/rev/7b5a7b0be77d

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Blocks: 1504053
status-firefox66: --- → unaffected
status-firefox67: --- → disabled
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: