Closed
Bug 1555757
Opened 5 years ago
Closed 5 years ago
Assertion failure: cbri (no containing block), at /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2251
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla69
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | fixed |
People
(Reporter: jkratzer, Assigned: dholbert)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 462fc9264901.
Assertion failure: cbri (no containing block), at /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2251
rax = 0x000055a1d8881e40 rdx = 0x0000000000000000
rcx = 0x00007f632138174f rbx = 0x00007ffe4eef7220
rsi = 0x00007f632c1ff8b0 rdi = 0x00007f632c1fe680
rbp = 0x00007ffe4eef6ce0 rsp = 0x00007ffe4eef6b80
r8 = 0x00007f632c1ff8b0 r9 = 0x00007f632d369740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffe4eef6c3c r13 = 0x0000000000000000
r14 = 0x0000000000000000 r15 = 0x00007ffe4eef6dd8
rip = 0x00007f631daa9e3a
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType)|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|2252|0x33
0|1|libxul.so|mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/ReflowInput.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|380|0x1a
0|2|libxul.so|nsTableWrapperFrame::InitChildReflowInput(nsPresContext&, mozilla::ReflowInput const&, mozilla::ReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/tables/nsTableWrapperFrame.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|257|0x18
0|3|libxul.so|nsTableWrapperFrame::OuterBeginReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::Maybe<mozilla::ReflowInput>&, int)|hg:hg.mozilla.org/mozilla-central:layout/tables/nsTableWrapperFrame.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|742|0x1e
0|4|libxul.so|nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/tables/nsTableWrapperFrame.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|877|0x56
0|5|libxul.so|nsMathMLmtableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/mathml/nsMathMLmtableFrame.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|782|0x1c
0|6|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|9292|0x21
0|7|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|9462|0x11
0|8|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|4231|0x15
0|9|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|4011|0x7
0|10|libxul.so|mozilla::PresShell::DidDoReflow(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|9104|0x5
0|11|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|9476|0xb
0|12|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|4231|0x15
0|13|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1979|0x13
0|14|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|326|0xb
0|15|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|343|0xf
0|16|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|709|0xf
0|17|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|604|0xf
0|18|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|65|0x8
0|19|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:2047bdaf2a694e3463df7896963e9b0d74983159d44b6e623cf60f1a09a88c1c366e8276ef8fbe21dbd2274df73c144ea8b86af789141e2b0ade921419f7bde0/ipc/ipdl/PVsyncChild.cpp:|187|0xb
0|20|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:276632bb583d23c5a3325bf600a0aa917cfb44253339a725992cd0aac949fa0e9951253f93b3309e476b44af0591f67d265a013d57732bb560089dc240fdd03b/ipc/ipdl/PBackgroundChild.cpp:|4717|0x19
0|21|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|2158|0x6
0|22|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|2082|0xb
0|23|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1939|0xb
0|24|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1970|0xc
0|25|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1176|0x15
0|26|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|486|0x11
0|27|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|88|0xa
0|28|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|315|0x17
0|29|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|290|0x8
0|30|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|137|0xd
0|31|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|911|0x11
0|32|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|238|0x5
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|315|0x17
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|290|0x8
0|35|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|749|0xc
0|36|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|56|0x14
0|37|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|263|0x11
0|38|libc-2.27.so||||0x21b97
0|39|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|184|0x5
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Looks contain-related, and crashes in opt builds.
Flags: needinfo?(dholbert)
|
Assignee | |
Comment 2•5 years ago
|
||
Thanks - I'll take a look.
Assignee: nobody → dholbert
Blocks: css-contain-1
Status: NEW → ASSIGNED
Flags: needinfo?(dholbert)
Keywords: crash
|
|
Assignee | |
Comment 3•5 years ago
|
||
So this is a case where we've made nsMathMLmtableWrapperFrame be a reflow root via bug 1497414, because it has contain:layout size (which is implied by strict). (Though this probably only started crashing once we made table wrappers inherit contain styling via bug 1553548)
The code in question (ReflowInput::InitConstraints) has:
- one codepath for reflow roots (conditioned on having a null parent ReflowInput-pointer)
- the "normal" codepath for non-reflow-roots (which assumes we have a non-null containing block ReflowInput-pointer).
When this testcase hits that code for its nsTableFrame, it's in a weird intermediate state where we have a non-null parent ReflowInput (which is our wrapper), but a null containing block reflow input. So we take the second "normal" codepath but then assert when we discover we've got a null CB ReflowInput-pointer.
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
|
Assignee | |
Comment 5•5 years ago
|
||
I'm kind of uneasy about letting table wrapper frames be reflow roots, due to their inner table frame wanting to have a CB ReflowInput pointer as described in comment 3.
I'm tempted to just fix this bug by exempting them from being promoted to reflow roots (via a tweak to the codepath added in bug 1497414).
|
|
Assignee | |
Comment 6•5 years ago
|
||
For reference, here's what the backtrace looks like when the assertion fails here (on the initial testcase), going up to the PresShell::DoReflow call for the incremental reflow (starting at the table-wrapper-promoted-to-a-reflow-root):
#0 0x00007feafbd12c3e in mozilla::ReflowInput::InitConstraints (this=0x7ffd79ba61e8, aPresContext=0x7feaecdde400, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0,
aFrameType=mozilla::LayoutFrameType::Table) at $SRC/layout/generic/ReflowInput.cpp:2251
#1 0x00007feafbd0fb4e in mozilla::ReflowInput::Init (this=0x7ffd79ba61e8, aPresContext=0x7feaecdde400, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0)
at $SRC/layout/generic/ReflowInput.cpp:380
#2 0x00007feafbf89414 in nsTableWrapperFrame::InitChildReflowInput (this=0x7feaea080f00, aPresContext=..., aOuterRI=..., aReflowInput=...)
at $SRC/layout/tables/nsTableWrapperFrame.cpp:257
#3 0x00007feafbf8c51f in nsTableWrapperFrame::OuterBeginReflowChild (this=0x7feaea080f00, aPresContext=0x7feaecdde400, aChildFrame=0x7feaea080ff8, aOuterRI=..., aChildRI=..., aAvailISize=18120)
at $SRC/layout/tables/nsTableWrapperFrame.cpp:742
#4 0x00007feafbf8cafe in nsTableWrapperFrame::Reflow (this=0x7feaea080f00, aPresContext=0x7feaecdde400, aDesiredSize=..., aOuterRI=..., aStatus=...)
at $SRC/layout/tables/nsTableWrapperFrame.cpp:831
#5 0x00007feafc0bed7b in nsMathMLmtableWrapperFrame::Reflow (this=0x7feaea080f00, aPresContext=0x7feaecdde400, aDesiredSize=..., aReflowInput=..., aStatus=...)
at $SRC/layout/mathml/nsMathMLmtableFrame.cpp:781
#6 0x00007feafbbe367a in mozilla::PresShell::DoReflow (this=0x7feaea082000, target=0x7feaea080f00, aInterruptible=true, aOverflowTracker=0x7ffd79ba6dd0)
at $SRC/layout/base/PresShell.cpp:9292
|
||
Comment 7•5 years ago
|
||
I can confirm this bug by removing contain: inherit; from *|*::-moz-table-wrapper{} in ua.css, the test no longer crashes. Set the regression fields accordingly.
Priority: -- → P3
Regressed by: 1553548
|
||
Updated•5 years ago
|
Keywords: regression
|
||
Comment 9•5 years ago
|
||
Hi dholbert, any updates on this one? (checking since we're getting close to 69 beta)
Flags: needinfo?(dholbert)
|
|
Assignee | |
Comment 10•5 years ago
|
||
Yes, this is on my radar to fix this week.
Flags: needinfo?(dholbert)
|
|
Assignee | |
Comment 11•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
Attachment #9074287 -
Attachment description: testcase 3 (no MathML, reduced from dupe bug) → testcase 3 (no MathML, reduced from dupe bug. crashes when loaded.)
|
|
Assignee | |
Comment 12•5 years ago
|
||
So I think bottom-line here is that table wrappers (at least in our implementation) do not make for a good reflow root candidate at the moment, and we should exempt them from the contain:layout size reflow-root promotion.
It might be possible to make them work later on, but it may require a bit more thought than I can dedicate to this bug at the moment.
The core issue is that:
(a) the table-wrapper-frame becomes a reflow root (for now)
(b) it reflows its child (the table frame) and sets up a ReflowInput for that child with
mParentReflowInput== the table-wrapper's reflow inputmCBReflowInput= the table-wrapper's reflow input's own mCBReflowInput, which is null since the table-wrapper is a reflow root
(c) So when we get to InitConstraints for the table frame, we find ourselves in the unexpected position of having a non-null mParentReflowInput but having a null mCBReflowInput, which triggers this assertion failure.
We probably could add some fallback code to handle this, but for now it's simplest to just exempt tables from being containment-promoted reflow roots.
|
|
Assignee | |
Comment 13•5 years ago
|
||
|
||
Comment 14•5 years ago
|
||
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/01c3e71304c6
Exempt table-wrapper frames from becoming css-containment-promoted reflow roots. r=TYLin
|
||
Comment 15•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
|
||
Updated•5 years ago
|
status-firefox67:
--- → unaffected
status-firefox68:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•