Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:412
Categories: Core :: Layout: Grid, defect
People: Reporter: jkratzer, Assigned: MatsPalmgren_bugz
References: Blocks 1 open bug
Details: Keywords: assertion, crash, testcase; Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream]
Attachments (2 files):
- (deleted), text/html
- Bug 1638860 - Inhibit subgridding for abs.pos. subgrids that doesn't span a parent track. r=dholbert ((deleted), text/x-phabricator-request)
Testcase found while fuzzing mozilla-central rev 8acda9da4ae7 (built with --enable-debug).
Assertion failure: mEnd >= 1 && mEnd < uint32_t(kMaxLine) (invalid span), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:412
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsGridContainerFrame::LineRange::Extent() const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|412|0x34
0|1|libxul.so|nsGridContainerFrame::Grid::PlaceAutoAutoInRowOrder(unsigned int, unsigned int, nsGridContainerFrame::GridArea*, unsigned int, unsigned int) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4281|0x8
0|2|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4691|0x16
0|3|libxul.so|nsGridContainerFrame::Grid::SubgridPlaceGridItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::Grid*, nsGridContainerFrame::GridItemInfo const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4433|0xb
0|4|libxul.so|nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4800|0x12
0|5|libxul.so|nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGridContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|8477|0x5
0|6|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|7|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|750|0x2a
0|8|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|927|0x1a
0|9|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|661|0x3a
0|10|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|775|0x15
0|11|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1161|0x15
0|12|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|967|0x18
0|13|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|296|0x2b
0|14|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9332|0x1c
0|15|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|9505|0x12
0|16|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|4204|0x12
0|17|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1434|0xb
0|18|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|373|0xb
0|19|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|367|0x12
0|20|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|745|0x17
0|21|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|644|0xf
0|22|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|55|0x13
0|23|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:27495909b8eb16a2f6224f9af7a0c052f58ac4a1f37ddd12d240b8b6a62795d131a51db23214bbde8ed61a33c6a97d727ae972f588d3f35141a1a66f3aadceeb/ipc/ipdl/PVsyncChild.cpp:|187|0x8
0|24|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:75695bbbf1ec93aad4718f03c359901f1be9ae34cba79945a5c42f3e8a2da054cc4ed1a56d373be9953080b82b366a6cd792a7b5323cd7f0d62bfa3c3b040098/ipc/ipdl/PBackgroundChild.cpp:|6083|0x24
0|25|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|2186|0x1c
0|26|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|2110|0x18
0|27|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1958|0xb
0|28|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1989|0x12
0|29|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|1211|0x11
0|30|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|501|0xc
0|31|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|109|0x14
0|32|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|33|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|34|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|137|0xd
0|35|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|909|0xe
0|36|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|237|0x5
0|37|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|315|0x17
0|38|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|290|0x8
0|39|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|740|0x5
0|40|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|56|0x11
0|41|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|303|0x20
0|42|libc.so.6||||0x21b97
0|43|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:8acda9da4ae71f0b6561cb2021bcb370e18ce80c|253|0x1d
Comment 2•4 years ago (Assignee)
I'm fixing three bugs, in the order they appear in the patch:
- when inhibiting subgridding we remove the frame bit on the wrong frame when the item has an anonymous frame (e.g. a scroll frame) - we used mFrame instead of the correct SubgridFrame()
- an abs.pos. subgrid using 'auto' lines should span all parent tracks, not just explicit tracks (i.e. it should behave the same as the non-abs.pos. case)
- when spanning from the first/last line to the padding edge using 'auto' then the subgrid technically doesn't span any parent tracks, so we need to inhibit subgridding in this case. The subgrid itself will still span that area though so the layout inside will behave as if it were "subgridded" to a hypothetical track corresponding to that area. IOW, inhibiting subgridding in this case should do what the author expects anyway.
Comment 3•4 years ago
There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:mats, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 7•4 years ago (bugherder)
Comment 9•4 years ago
:mats, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 10•3 years ago (Reporter)
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20201204033450-ee7cd95a414c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•3 years ago
|
Comment 12•2 years ago
|
||
(Removing old ni?s from Mats' solved bugs, hopefully it's fine for you Mats)