Open
Bug 1805581
Opened 2 years ago
Updated 1 years ago
Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:2852
Categories
(Core :: Layout: Grid, defect)
Core
Layout: Grid
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox110 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Found while fuzzing m-c 20221213-300b0ac8eb7b (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mGridItems.Length() == len + 1 (can't find GridItemInfo), at /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:2852
#0 0x7f93fc762f13 in nsGridContainerFrame::GridReflowInput::InitializeForContinuation(nsGridContainerFrame*, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:2852:7
#1 0x7f93fc76215d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8680:21
#2 0x7f93fc6d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#3 0x7f93fc6b1672 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1296:7
#4 0x7f93fc75d13e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, nsSize const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8472:5
#5 0x7f93fc75e9f0 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8758:11
#6 0x7f93fc6d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#7 0x7f93fc6b1672 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1296:7
#8 0x7f93fc6aea69 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1437:5
#9 0x7f93fc6d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#10 0x7f93fc6d4771 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:664:7
#11 0x7f93fc6d68f1 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1202:37
#12 0x7f93fc6bf651 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#13 0x7f93fc6bb9c4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
#14 0x7f93fc6b9131 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
#15 0x7f93fc6b3564 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
#16 0x7f93fc6aecfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#17 0x7f93fc6d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#18 0x7f93fc6d1e19 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:754:7
#19 0x7f93fc6d28b9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
#20 0x7f93fc71af30 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:841:3
#21 0x7f93fc71bcbf in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:977:3
#22 0x7f93fc7207cd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1404:3
#23 0x7f93fc6a3626 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
#24 0x7f93fc6a2d74 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:384:7
#25 0x7f93fc59d90a in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9696:11
#26 0x7f93fc5c1bbf in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9868:24
#27 0x7f93fc5a7369 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9938:10
#28 0x7f93fc5a7369 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4440:11
#29 0x7f93f8c56212 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1462:5
#30 0x7f93f8c56212 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10737:16
#31 0x7f93f8101222 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#32 0x7f93f8102655 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#33 0x7f93fdc9052e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13864:23
#34 0x7f93f73f3e4f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#35 0x7f93f73f5373 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#36 0x7f93f7baa4ca in operator() /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannel.cpp:118:22
#37 0x7f93f7baa4ca in mozilla::detail::RunnableFunction<mozilla::net::DocumentChannel::ShutdownListeners(nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#38 0x7f93f71ec9a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#39 0x7f93f71e7f7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#40 0x7f93f71e6b4a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#41 0x7f93f71e6ea5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#42 0x7f93f71f02a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#43 0x7f93f71f02a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#44 0x7f93f7205c58 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#45 0x7f93f720c49d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#46 0x7f93f7dfdfa3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#47 0x7f93f7d22f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#48 0x7f93f7d22e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#49 0x7f93f7d22e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#50 0x7f93fc219348 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#51 0x7f93fe44709b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#52 0x7f93f7dfee69 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#53 0x7f93f7d22f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#54 0x7f93f7d22e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#55 0x7f93f7d22e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#56 0x7f93fe44662c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#57 0x558996f80ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#58 0x558996f80ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#59 0x7f940c6fcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#60 0x7f940c6fce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#61 0x558996f57308 in _start (/home/user/workspace/browsers/m-c-20221213165020-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 632b23276e3228be633d34f1ac3c66957e03ca4b)
Flags: in-testsuite?
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
The bug appears to have been introduced in the following build range:
Start: bdb42cfe62138374343d5be83ac208826812cd2d (20220810161147)
End: a5ef26cc165936d1c01c42c0e5d2c597ebcc5a8f (20220810181917)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bdb42cfe62138374343d5be83ac208826812cd2d&tochange=a5ef26cc165936d1c01c42c0e5d2c597ebcc5a8f
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•2 years ago
|
||
I get a crash with the attached testcase on latest Winx64 nightly: https://crash-stats.mozilla.org/report/index/e89819b6-09cd-4cf6-929c-9f6df0221214
Crash Signature: [@ mozilla::detail::InvalidArrayIndex_CRASH | ClampToCSSMaxBSize ]
|
||
Comment 3•2 years ago
|
||
The severity field is not set for this bug.
:dholbert, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dholbert)
|
||
Comment 4•2 years ago
|
||
Calling this S3, given that it's a safe crash (InvalidArrayIndex_CRASH per comment 2) with negligible crash volume.
(Still great to fix! Possibly a good one for someone to look at when spinning up on grid code. CC'ing some folks who are interested in grid bugs.)
Severity: -- → S3
Flags: needinfo?(dholbert)
|
||
Updated•2 years ago
|
|
|
||
Comment 5•1 years ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 6•1 years ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•