Assertion failure: point == p || (Style()->IsTextCombined() && std::abs(point.x - p.value.x) < AppUnitsPerCSSPixel() && point.y == p.value.y) (character position error!), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7485
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox115 | --- | unaffected |
| firefox116 | --- | unaffected |
| firefox117 | --- | verified |
People
(Reporter: tsmith, Assigned: jfkthame)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files)
Found while fuzzing m-c 20230718-35e42e5979da (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: point == p || (Style()->IsTextCombined() && std::abs(point.x - p.value.x) < AppUnitsPerCSSPixel() && point.y == p.value.y) (character position error!), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7485
#0 0x7fb1a8562dd6 in nsTextFrame::GetCharacterRectsInRange(int, int, nsTArray<nsRect>&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7481:5
#1 0x7fb1a9b79b69 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3528:28
#2 0x7fb1a9baa3c4 in mozilla::a11y::DocAccessibleChild::SerializeTree(nsTArray<mozilla::a11y::LocalAccessible*>&, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:69:16
#3 0x7fb1a9baa812 in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:93:3
#4 0x7fb1a9b7e9c8 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1632:17
#5 0x7fb1a9b34bcb in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:726:16
#6 0x7fb1a829ebf4 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2580:12
#7 0x7fb1a82a8501 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#8 0x7fb1a82a8501 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#9 0x7fb1a82a8400 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#10 0x7fb1a82a829d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#11 0x7fb1a82a7616 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#12 0x7fb1a82a6949 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#13 0x7fb1a75f023b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#14 0x7fb1a78e6f0d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#15 0x7fb1a77c9310 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8671:32
#16 0x7fb1a359d59f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#17 0x7fb1a359a2f2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#18 0x7fb1a359af72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#19 0x7fb1a359c0bf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#20 0x7fb1a28d9cd7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#21 0x7fb1a28d1863 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#22 0x7fb1a28d00b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#23 0x7fb1a28d0515 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#24 0x7fb1a28dd9f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#25 0x7fb1a28dd9f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#26 0x7fb1a28f420a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#27 0x7fb1a28fb06d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#28 0x7fb1a35a3505 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#29 0x7fb1a34be3d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#30 0x7fb1a34be3d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#31 0x7fb1a7ef5188 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#32 0x7fb1aa2259ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#33 0x7fb1a35a43e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#34 0x7fb1a34be3d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7fb1a34be3d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7fb1aa2251fc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#37 0x562d84c97566 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#38 0x562d84c97566 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#39 0x7fb1b7229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#40 0x7fb1b7229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#41 0x562d84c6e808 in _start (/home/user/workspace/browsers/m-c-20230724160807-fuzzing-debug/firefox-bin+0x58808) (BuildId: eb265df4a615b60c9ab0623b656a711ed09203ed)
|
||
Comment 1•1 year ago
|
||
Unable to reproduce bug 1845203 using build mozilla-central 20230718092538-35e42e5979da. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
Reporter | |
Comment 2•1 year ago
|
||
prefs.js for bugmon
|
Assignee | |
Comment 3•1 year ago
|
||
The testcase includes letter-spacing: 7e357vmax, which I think means layout calculations are going to vastly overflow -- even computations done in double-precision floating point will probably break, let alone those using integer appUnits. So I suppose it's unsurprising if the assertion here fires, as it's trying to check the position arrived at via two different calculation paths.
Probably we should just drop the assertion. It's not firing for "normal" content, and with out-of-range dimensions involved we can't expect sensible layout anyhow.
|
|
||
Comment 4•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230724215726-12931a93e28c.
The bug appears to have been introduced in the following build range:
Start: 3170f4f57d01091d2a74fe40ee6f4ab8efa7351a (20230713082037)
End: 1bfb25414a090700f286cd06319e91cb9ac6e336 (20230713114710)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3170f4f57d01091d2a74fe40ee6f4ab8efa7351a&tochange=1bfb25414a090700f286cd06319e91cb9ac6e336
|
|
Assignee | |
Comment 5•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Comment 7•1 year ago
|
||
Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:jfkthame, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
|
|
||
Comment 8•1 year ago
|
||
Set release status flags based on info from the regressing bug 1838250
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 10•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230725160236-45a52966f964.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•