Open
Bug 1633479
Opened 4 years ago
Updated 1 year ago
Assertion failure: !aFrame->IsBlockFrameOrSubclass() || !aFrame->IsBlockOutside() (unexpected block frame), at /builds/worker/checkouts/gecko/layout/generic/TextOverflow.cpp:76
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox77 | --- | fix-optional |
| firefox78 | --- | fix-optional |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 17aa41e3cb7c (built with --enable-debug).
Assertion failure: !aFrame->IsBlockFrameOrSubclass() || !aFrame->IsBlockOutside() (unexpected block frame), at /builds/worker/checkouts/gecko/layout/generic/TextOverflow.cpp:76
rax = 0x00007fb99f2e73ed rdx = 0x0000000000000000
rcx = 0x000055eb8821aa48 rbx = 0x000055eb89d4f5d8
rsi = 0x00007fb9b01828b0 rdi = 0x00007fb9b0181680
rbp = 0x00007ffc43477290 rsp = 0x00007ffc43477270
r8 = 0x00007fb9b01828b0 r9 = 0x00007fb9b12e8780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffc434775c0 r13 = 0x0000000000000002
r14 = 0x0000000000000002 r15 = 0x000055eb89acb738
rip = 0x00007fb99a384ac9
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::css::IsAtomicElement(nsIFrame*, mozilla::LayoutFrameType)|hg:hg.mozilla.org/mozilla-central:layout/generic/TextOverflow.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|75|0x32
0|1|libxul.so|mozilla::css::TextOverflow::ExamineFrameSubtree(nsIFrame*, mozilla::LogicalRect const&, mozilla::LogicalRect const&, nsTHashtable<nsPtrHashKey<nsIFrame> >*, mozilla::css::TextOverflow::AlignmentEdges*, bool*, mozilla::css::TextOverflow::InnerClipEdges*)|hg:hg.mozilla.org/mozilla-central:layout/generic/TextOverflow.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|384|0x13
0|2|libxul.so|mozilla::css::TextOverflow::ExamineFrameSubtree(nsIFrame*, mozilla::LogicalRect const&, mozilla::LogicalRect const&, nsTHashtable<nsPtrHashKey<nsIFrame> >*, mozilla::css::TextOverflow::AlignmentEdges*, bool*, mozilla::css::TextOverflow::InnerClipEdges*)|hg:hg.mozilla.org/mozilla-central:layout/generic/TextOverflow.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|411|0x21
0|3|libxul.so|mozilla::css::TextOverflow::ExamineLineFrames(nsLineBox*, nsTHashtable<nsPtrHashKey<nsIFrame> >*, mozilla::css::TextOverflow::AlignmentEdges*)|hg:hg.mozilla.org/mozilla-central:layout/generic/TextOverflow.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|623|0x23
0|4|libxul.so|mozilla::css::TextOverflow::ProcessLine(nsDisplayListSet const&, nsLineBox*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/generic/TextOverflow.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|719|0xe
0|5|libxul.so|DisplayLine(nsDisplayListBuilder*, nsLineList_iterator&, bool, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|6868|0x1a
0|6|libxul.so|nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|7012|0x3c
0|7|libxul.so|nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|3563|0x1a
0|8|libxul.so|nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|4344|0xb
0|9|libxul.so|nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|615|0x14
0|10|libxul.so|nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|4383|0x16
0|11|libxul.so|mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|3672|0x8
0|12|libxul.so|nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|4383|0x16
0|13|libxul.so|mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|62|0x11
0|14|libxul.so|nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|3563|0x1a
0|15|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|4015|0x14
0|16|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|6159|0x1d
0|17|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|460|0x13
0|18|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|395|0x13
0|19|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1018|0x11
0|20|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2204|0xd
0|21|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|374|0xb
0|22|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|368|0x12
0|23|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|746|0x17
0|24|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|645|0xf
0|25|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|55|0x13
0|26|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:40b57a5f11db1f2975fc13c74f20fea3c72418dd5cc7be16b1724f135b6995163d22588c816f1fb7f6cdadad80e8ed2fcea1ccf234f0788643e6a5e4e1859c1e/ipc/ipdl/PVsyncChild.cpp:|187|0x8
0|27|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:1521fe5e4880bb37ab5dc5a7d9fd40ef3a119c31da52fb7b7c6fde229e424452545f0ee11c662cc0893995c6cf7b7b67f7e85bd7436ee2a85bbacc42d5a5a789/ipc/ipdl/PBackgroundChild.cpp:|5970|0x24
0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2186|0x1c
0|29|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2110|0x12
0|30|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1958|0xb
0|31|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1989|0x12
0|32|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1200|0x11
0|33|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|481|0xc
0|34|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|87|0x7
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
0|37|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|137|0xd
0|38|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|909|0xe
0|39|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|237|0x5
0|40|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
0|41|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
0|42|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|740|0x5
0|43|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|56|0x11
0|44|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|303|0x20
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
The bug appears to have been introduced in the following build range:
> Start: 7c3489dfee6082bec00f05d0f02f502ec4686743 (20191008041542)
> End: 035f52aed4427b22facfa883067e298f10ef9e97 (20191008093420)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7c3489dfee6082bec00f05d0f02f502ec4686743&tochange=035f52aed4427b22facfa883067e298f10ef9e97
|
||
Comment 2•4 years ago
|
||
A local mozregression session reduces the range further down to bug 1506939.
Boris, could you take a look?
Flags: needinfo?(boris.chiou)
Regressed by: 1506939
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 3•4 years ago
|
||
I can take a look later. This is a general transform issue. We can reproduce this crash by replacing scale: 60280 with transform: scale(60280).
|
||
Updated•4 years ago
|
Keywords: regression
|
|
||
Comment 4•4 years ago
|
||
It seems this only happens on MathML element with some conditions (e.g. overflow: scroll). I may need more time to check what happens because I'm not familiar with this part.
Flags: needinfo?(boris.chiou)
|
|
||
Comment 5•4 years ago
|
||
I tried to dump the frame tree when this assertion happened:
Inline(math)(1)@10e8d8538 parent=10e8d8428 (0,-180,60480,1650) vis-overflow=(-536870911,-5398890,1073741823,10800000) scr-overflow=(-536870911,-5398890,1073741823,10800000) [state=0200000000000000] [content=111609030] [cs=10a8ae798]<
Block(m)(1)@10e8d8630 parent=10e8d8538 (0,1020,60480,180) vis-overflow=(-536870911,-5399910,1073741823,10800000) scr-overflow=(-536870911,-5399910,1073741823,10800000) [state=0000062000d10200] transformed [content=1116090e0] [cs=111c127a8]<
>
>
This assertion happened when we are checking the Block frame(m)(@10e8d8630). Both aFrame->IsBlockFrameOrSubclass() and aFrame->IsBlockOutside() are true in this case. The overflow looks pretty large. Perhaps it's int overflow or something like that. I'm not sure. Perhaps TYLin can take a look later? Thanks.
|
||
Updated•4 years ago
|
|
||
Comment 6•4 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (non,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
Severity: normal → --
|
|
||
Comment 7•4 years ago
|
||
The priority flag is not set for this bug.
:dholbert, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dholbert)
|
||
Updated•4 years ago
|
Severity: -- → S3
Flags: needinfo?(dholbert)
| Comment hidden (obsolete) |
|
|
||
Updated•4 years ago
|
Flags: needinfo?(dholbert)
|
||
Comment 9•1 year ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Comment 10•1 year ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
|
|
||
Comment 11•1 year ago
|
||
Unable to reproduce bug 1633479 using build mozilla-central 20220723091444-f69015bf0e0a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•