Closed Bug 1571849 Opened 5 years ago Closed 5 years ago

Assertion failure: aReflowInput.AvailableBSize() != nscoord((1 << 30) - 1) (Available block-size should be constrained because it's restricted by the computed block-size when our reflow input is created in nsBlockFrame::ReflowBlockFrame()!)

Categories

(Core :: Layout: Columns, defect, P3)


Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox68 --- disabled
firefox69 --- disabled
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Attached file testcase.html (deleted) —

First found by fuzzers with m-c: 20190802-5ced3811411e

This issue is hit frequently by the fuzzers and can limit their effectiveness.

Assertion failure: aReflowInput.AvailableBSize() != nscoord((1 << 30) - 1) (Available block-size should be constrained because it's restricted by the computed block-size when our reflow input is created in nsBlockFrame::ReflowBlockFrame()!), at src/layout/generic/nsColumnSetFrame.cpp:929

OS|Linux|0.0.0 Linux 4.19.34-coreos #1 SMP Mon Apr 22 20:32:34 -00 2019 x86_64
CPU|amd64|family 6 model 62 stepping 4|32
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|926|0x3c
0|1|libxul.so|nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|449|0x7
0|2|libxul.so|nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1263|0x29
0|3|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|297|0x10
0|4|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|3649|0x1e
0|5|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|3000|0x19
0|6|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|2543|0x20
0|7|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1283|0xf
0|8|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|895|0x1d
0|9|libxul.so|nsHTMLButtonControlFrame::ReflowButtonContents(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/forms/nsHTMLButtonControlFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|239|0x5
0|10|libxul.so|nsHTMLButtonControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/forms/nsHTMLButtonControlFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|184|0x18
0|11|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|878|0x21
0|12|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|4329|0x14
0|13|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|4131|0x2d
0|14|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|4018|0x41
0|15|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|3003|0x20
0|16|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|2543|0x20
0|17|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1283|0xf
0|18|libxul.so|nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockReflowContext.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|297|0x10
0|19|libxul.so|nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|3649|0x1e
0|20|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|3000|0x19
0|21|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|2543|0x20
0|22|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1283|0xf
0|23|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|895|0x1d
0|24|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|732|0x4d
0|25|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|895|0x1d
0|26|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|630|0x5
0|27|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|742|0xe
0|28|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1143|0x5
0|29|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|934|0x19
0|30|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|310|0x2b
0|31|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|9294|0x21
0|32|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|9464|0x11
0|33|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|4231|0x15
0|34|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|4009|0x7
0|35|libxul.so|mozilla::EventStateManager::FlushPendingEvents(nsPresContext*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|5606|0xb
0|36|libxul.so|mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|642|0xb
0|37|libxul.so|mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|7875|0x24
0|38|libxul.so|mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|7843|0x19
0|39|libxul.so|mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|6803|0x17
0|40|libxul.so|mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|6607|0x15
0|41|libxul.so|mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|6533|0x5
0|42|libxul.so|nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|751|0x19
0|43|libxul.so|nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsView.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1064|0x1a
0|44|libxul.so|mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&)|hg:hg.mozilla.org/mozilla-central:widget/PuppetWidget.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|389|0x20
0|45|libxul.so|mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&)|hg:hg.mozilla.org/mozilla-central:gfx/layers/apz/util/APZCCallbackHelper.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|544|0xd
0|46|libxul.so|mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1657|0x8
0|47|libxul.so|mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1630|0x8
0|48|libxul.so|mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1595|0x5
0|49|libxul.so|mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:13f303a3b9ecc64042a22004f82da9aec4ddb3dff9f0bdf1838c7561c56f64ac45a2533a9226e9acf6d2d6d74b63697ab31d8b00c77cb145ec3d4d967d0553c0/ipc/ipdl/PBrowserChild.cpp:|5001|0x1a
0|50|libxul.so|mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:12bd08af6fb015839a51a7a3119282f2a1b73f5d072ea3a332b788e34f656deba3ab1a1ce1c83023d9cde2fa70ecf29677ebf6c644bd10068575b5d48d80061e/ipc/ipdl/PContentChild.cpp:|7713|0x15
0|51|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|2184|0x6
0|52|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|2108|0xb
0|53|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1955|0xb
0|54|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1986|0xc
0|55|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|295|0x15
0|56|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|1224|0x15
0|57|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|486|0x11
0|58|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|88|0xa
0|59|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|315|0x17
0|60|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|290|0x8
0|61|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|137|0xd
0|62|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|919|0x11
0|63|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|238|0x5
0|64|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|315|0x17
0|65|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|290|0x8
0|66|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|754|0xc
0|67|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|56|0x14
0|68|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|267|0x12
0|69|libc-2.27.so||||0x21b97
0|70|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:8ac0a35be0d35f9f5aba38ed841cb3d03a2ae3c8|184|0x5
Flags: in-testsuite?

Looks like this assertion was added recently in bug 1548100. TYLin, mind taking a look? Note that this is a fuzzblocker (i.e. fuzzers are hitting this frequently and less able to explore the space of possibilities).

At a minimum, it seems this assertion should be changed to a non-fatal assertion, because NS_UNCONSTRAINEDSIZE is just a number and it's entirely possible for web content to come up with a length that precisely matches NS_UNCONSTRAINEDSIZE (and that might produce incorrect behavior due to matching the sentinel value, but it should not produce an abort/crash).

Interestingly, the fuzzer testcase in this bug doesn't seem to use a ridiculously large length -- it's simply this:

 <button style="columns: 49px; height: 1vh">

So it appears that it's possible to violate the assertion without even needing specially-crafted/large lengths.

Flags: needinfo?(aethanyc)
Priority: -- → P2
Regressed by: 1548100
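The sentinel-collision argument in the comment above, as an added example that is not Gecko's code: a standalone model of an in-band "unconstrained" sentinel and of the fatal versus non-fatal check. It assumes 60 app units per CSS pixel and that lengths are rounded and clamped to a coordinate maximum equal to the sentinel; those are modelling assumptions here, not facts the bug states.

```cpp
// Added example, not Gecko code. Assumptions (mine, not the bug's): 60 app
// units per CSS pixel; lengths are rounded and clamped to the coordinate
// maximum, which is the same number as the "unconstrained" sentinel.
#include <cmath>
#include <cstdint>
#include <cstdio>

using nscoord = int32_t;
constexpr nscoord nscoord_MAX = nscoord((1 << 30) - 1);
constexpr nscoord NS_UNCONSTRAINEDSIZE = nscoord_MAX;  // in-band sentinel
constexpr int kAppUnitsPerCSSPixel = 60;

// Convert an author-specified CSS length to app units: round to nearest,
// then clamp into the representable range.
nscoord CSSPixelsToAppUnits(double px) {
  double au = std::round(px * kAppUnitsPerCSSPixel);
  if (au > nscoord_MAX) return nscoord_MAX;
  if (au < -nscoord_MAX) return -nscoord_MAX;
  return static_cast<nscoord>(au);
}

// The invariant the bug's assertion encodes. Because the sentinel is an
// ordinary value, a real length can equal it and make this false for valid
// content.
bool AvailableBSizeIsConstrained(nscoord availableBSize) {
  return availableBSize != NS_UNCONSTRAINEDSIZE;
}

enum class CheckResult { Ok, AbortedFatalAssert, WarnedNonFatal };

// Fatal variant: on a collision the real code aborts the process. Modelled
// as a returned status so it can be exercised without crashing.
CheckResult CheckFatal(nscoord availableBSize) {
  return AvailableBSizeIsConstrained(availableBSize)
             ? CheckResult::Ok
             : CheckResult::AbortedFatalAssert;
}

// Non-fatal variant (the change comment 1 asks for): record the suspicious
// value and keep going; at worst layout is wrong, but nothing crashes.
CheckResult CheckNonFatal(nscoord availableBSize) {
  if (AvailableBSizeIsConstrained(availableBSize)) return CheckResult::Ok;
  std::fprintf(stderr, "warning: available block-size == sentinel (%d)\n",
               availableBSize);
  return CheckResult::WarnedNonFatal;
}

int main() {
  // A length a stylesheet could contain; it lands exactly on the sentinel.
  const double kCollidingPx = 17895697.05;
  nscoord bsize = CSSPixelsToAppUnits(kCollidingPx);
  std::printf("%.2fpx -> %d app units (sentinel %d)\n", kCollidingPx, bsize,
              NS_UNCONSTRAINEDSIZE);
  std::printf("fatal check: %s\n",
              CheckFatal(bsize) == CheckResult::Ok ? "ok" : "would abort");
  std::printf("non-fatal check: %s\n",
              CheckNonFatal(bsize) == CheckResult::Ok ? "ok" : "warned");
  // Every larger length clamps to the same number, so it collides as well.
  std::printf("1e9px -> %d\n", CSSPixelsToAppUnits(1e9));
  return 0;
}
```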

At a minimum, it seems this assertion should be changed to a non-fatal assertion, because NS_UNCONSTRAINEDSIZE is just a number and it's entirely possible for web content to come up with a length that precisely matches NS_UNCONSTRAINEDSIZE (and that might produce incorrect behavior due to matching the sentinel value, but it should not produce an abort/crash).

I agree. I've filed bug 1571930 to change this assertion to a non-fatal one to unblock fuzzers and I'll investigate this bug afterwards.

Flags: needinfo?(aethanyc)
Priority: P2 → P3
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED

In ColumnSetFrame's reflow methods, mCBReflowInput is equal to
mParentReflowInput in most cases.

However, a multicol <button> has the HTMLButtonControl as the outermost
frame, where ColumnSetWrapper is its -moz-button-content anonymous
child. In this case, mCBReflowInput is HTMLButtonControl's reflow input.

To get the correct computedBSize of ColumnSetWrapper, we need to use
mParentReflowInput.

Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/6760ce3f266d In ColumnSetFrame, use mParentReflowInput to get the ColumnSetWrapperFrame's reflow input. r=dbaron
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Has Regression Range: --- → yes