Open
Bug 1708084
Opened 4 years ago
Updated 2 years ago
Assertion failure: i < aState.mAbsPosItems.Length(), at src/layout/generic/nsGridContainerFrame.cpp:8422
Categories
(Core :: Layout: Grid, defect, P2)
Core
Layout: Grid
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox90 | --- | affected |
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Found while fuzzing m-c 20210413-67318cc7d1cc (--enable-debug --enable-fuzzing)
Assertion failure: i < aState.mAbsPosItems.Length(), at src/layout/generic/nsGridContainerFrame.cpp:8422
#0 0x28c44b1faf81 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:8422:9
#1 0x28c44b1fc393 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:8617:11
#2 0x28c44b108828 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:812:14
#3 0x28c44b106975 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, mozilla::OverflowAreas*) src/layout/generic/nsAbsoluteContainingBlock.cpp:220:7
#4 0x28c44b218b84 in nsIFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) src/layout/generic/nsIFrame.cpp:6663:24
#5 0x28c44b184eff in nsIFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) src/layout/generic/nsIFrame.cpp:6630:3
#6 0x28c44b13a417 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:912:3
#7 0x28c44b162ae8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1041:14
#8 0x28c44b2e442f in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageContentFrame.cpp:69:5
#9 0x28c44b162ae8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1041:14
#10 0x28c44b2e593c in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) src/layout/generic/nsPageFrame.cpp:149:3
#11 0x28c44b2e5c6f in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageFrame.cpp:176:13
#12 0x28c44b1625be in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1001:14
#13 0x28c44b0d7380 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/PrintedSheetFrame.cpp:206:5
#14 0x28c44b162ae8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1041:14
#15 0x28c44b2eae19 in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsPageSequenceFrame.cpp:354:5
#16 0x28c44b1625be in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1001:14
#17 0x28c44b139a77 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:818:7
#18 0x28c44b162ae8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1041:14
#19 0x28c44b105d5e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:372:7
#20 0x28c44af827ad in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9597:11
#21 0x28c44af8ce20 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9768:24
#22 0x28c44af8c7c0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4245:11
#23 0x28c4466ad4a2 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/objdir-ff-debug/dist/include/mozilla/PresShell.h:1406:5
#24 0x28c44af8b89c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType) src/layout/base/PresShell.cpp:4038:3
#25 0x28c446a08f6d in mozilla::PresShell::FlushPendingNotifications(mozilla::FlushType) src/objdir-ff-debug/dist/include/mozilla/PresShell.h:1397:5
#26 0x28c44b6388d1 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) src/layout/printing/nsPrintJob.cpp:1867:14
#27 0x28c44b6378cf in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) src/layout/printing/nsPrintJob.cpp:1448:3
#28 0x28c44b6334c6 in nsPrintJob::InitPrintDocConstruction(bool) src/layout/printing/nsPrintJob.cpp:1488:5
#29 0x28c44b63b7d8 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) src/layout/printing/nsPrintJob.cpp:2688:17
#30 0x28c44dfbf7dd in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() src/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
#31 0x28c444c7846b in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-debug/ipc/ipdl/PPrintProgressDialogChild.cpp:234:28
#32 0x28c444753da1 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-debug/ipc/ipdl/PContentChild.cpp:8415:32
#33 0x28c44a1fc2cc in mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3542:25
#34 0x28c4443fe08c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2152:25
#35 0x28c4443fa67d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2076:9
#36 0x28c4443fb9a4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1924:3
#37 0x28c4443fca48 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1955:13
#38 0x28c443202bae in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:473:16
#39 0x28c4431d31f0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:757:26
#40 0x28c4431d1939 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#41 0x28c4431d1bc1 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:396:36
#42 0x28c4431f21ed in mozilla::TaskController::InitializeInternal()::$_1::operator()() const src/xpcom/threads/TaskController.cpp:138:37
#43 0x28c4431f215d in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() src/objdir-ff-debug/dist/include/nsThreadUtils.h:534:5
#44 0x28c4431e3d8c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#45 0x28c4431ea146 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#46 0x28c4467429c2 in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4>(nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4&&, nsIThread*) src/objdir-ff-debug/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#47 0x28c446740e85 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5414:5
#48 0x28c44673fd16 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5237:3
#49 0x28c4466ee46f in nsGlobalWindowInner::Print(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3753:3
#50 0x28c44b033a7f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1172:43
#51 0x28c44d5e6a98 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6540:20
#52 0x28c44d5e6520 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5909:7
#53 0x28c4455ffef1 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1348:3
#54 0x28c4455ff6e3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:954:14
#55 0x28c4455fd781 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:773:9
#56 0x28c4455fef1e in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:656:5
#57 0x28c44d60a862 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13692:23
#58 0x28c4434e8475 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:625:22
#59 0x28c4434e9b95 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:529:10
#60 0x28c4468865fa in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11313:18
#61 0x28c4468627be in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11243:9
#62 0x28c446873d8e in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7791:3
#63 0x28c4469461e3 in decltype(*(fp).*fp0()) mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()>(mozilla::dom::Document*, void (mozilla::dom::Document::*)(), mozilla::Tuple<>&, std::integer_sequence<unsigned long>) src/objdir-ff-debug/dist/include/nsThreadUtils.h:1148:12
#64 0x28c44694614c in _ZN7mozilla6detail23RunnableMethodArgumentsIJEE5applyINS_3dom8DocumentEMS5_FvvEEEDTcl9applyImplfp_fp0_dtdefpT10mArgumentstlSt16integer_sequenceImJEEEEEPT_T0_ src/objdir-ff-debug/dist/include/nsThreadUtils.h:1154:12
#65 0x28c446945fbf in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/objdir-ff-debug/dist/include/nsThreadUtils.h:1201:13
#66 0x28c4431b4cd7 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#67 0x28c443202bae in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:473:16
#68 0x28c4431d31f0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:757:26
#69 0x28c4431d1939 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#70 0x28c4431d1bc1 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:396:36
#71 0x28c4431f1d5a in mozilla::TaskController::InitializeInternal()::$_0::operator()() const src/xpcom/threads/TaskController.cpp:135:37
#72 0x28c4431f1ccd in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/objdir-ff-debug/dist/include/nsThreadUtils.h:534:5
#73 0x28c4431e3d8c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#74 0x28c4431ea146 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#75 0x28c444405bce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#76 0x28c4444075e0 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:268:30
#77 0x28c44428a936 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#78 0x28c44428a8b4 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:328:3
#79 0x28c44428a872 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#80 0x28c44aaf05a0 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#81 0x28c44e021756 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:906:20
#82 0x28c444407359 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#83 0x28c44428a936 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#84 0x28c44428a8b4 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:328:3
#85 0x28c44428a872 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#86 0x28c44e020dd7 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:738:34
#87 0x28c44e0315f6 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
#88 0x55a89360a567 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#89 0x55a89360a77e in main src/browser/app/nsBrowserApp.cpp:309:18
#90 0x7f252fa59bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#91 0x55a8935e8739 in _start (src/objdir-ff-debug/dist/bin/firefox+0xcd739)
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::Reflow]
|
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/inKN5_KnntSBUv0Kst0kqw/index.html
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210428033208-3c313de2c7d5.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 6bb8423186c1bb8c1229249454de46efb7d4d584 (20200429030514)
End: 67318cc7d1ccd4b06422dc07342ec07ee79b3b6c (20210413093459)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 3•3 years ago
|
||
Grid fragmentation, crashes in release. Mats, can you take a look?
Severity: -- → S2
Flags: needinfo?(mats)
Priority: -- → P2
|
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210413093459-67318cc7d1cc) but not with tip (mozilla-central 20211204095400-04183e5ab506.)
The bug appears to have been fixed in the following build range:
Start: f5cb6b2465f3042f3ec5bb096a75fbe24f71465e (20211116073345)
End: 5d32dbafda59a62fba936250375782a4cc9c6300 (20211116082732)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5cb6b2465f3042f3ec5bb096a75fbe24f71465e&tochange=5d32dbafda59a62fba936250375782a4cc9c6300
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 5•3 years ago
|
||
Not actually fixed, unfortunately; I think that fix-range is where bug 1741698 was introduced, and that's probably just preventing us from triggering the print codepath and hitting the assertion here.
|
||
Comment 6•2 years ago
|
||
Redirect a needinfo that is pending on an inactive user to the triage owner.
:dholbert, since the bug has high priority and high severity, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(MatsPalmgren_bugz) → needinfo?(dholbert)
|
|
||
Comment 7•2 years ago
|
||
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Severity: S2 → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•