Closed Bug 1675777 Opened 4 years ago Closed 4 years ago

Assertion failure: foundOwnPushedChild || !items.IsEmpty() || mDidPushItemsBitMayLie (The state bit stored in didPushItemsBit lied!)

Categories: Core :: Layout: Grid, defect

Tracking: RESOLVED DUPLICATE of bug 1566690

People: Reporter: hdir.yassine, Unassigned

References: Blocks 1 open bug

Attachments: 1 file

Attached file testcase.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Bug found when fuzzing DOM
build with --debug

[2020-11-06 15:28:09] Starting Grizzly Replay
[2020-11-06 15:28:09] Ignoring: log-limit, timeout
[2020-11-06 15:28:09] Repeat: 1, Minimum crashes: 1, Relaunch 1
[2020-11-06 15:28:09] Using prefs.js from testcase
[2020-11-06 15:28:13] Performing replay (1/1)...
[2020-11-06 15:28:13] Running test (1/1)...
[2020-11-06 15:28:17] Result: Assertion failure: foundOwnPushedChild || !items.IsEmpty() || mDidPushItemsBitMayLie (The state bit stored in didPushItemsBit lied!), at /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1969 (94586c7e:82e4b4e1)
[2020-11-06 15:28:17] Result successfully reproduced
[2020-11-06 15:28:17] Shutting down...
[2020-11-06 15:28:17] Done.

Actual results:

==9368==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe5e63d689f bp 0x7fffcb8d3f90 sp 0x7fffcb8d3ee0 T9368)
==9368==The signal is caused by a WRITE memory access.
==9368==Hint: address points to the zero page.
#0 0x7fe5e63d689f in nsContainerFrame::NormalizeChildLists() /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1967:5
#1 0x7fe5e63efad4 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4359:3
#2 0x7fe5e63ce5c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
#3 0x7fe5e63f3e99 in nsFlexContainerFrame::ReflowFlexItem(nsFlexContainerFrame::FlexboxAxisTracker const&, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexItem const&, mozilla::LogicalPoint&, mozilla::LogicalSize const&, nsSize const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5478:3
#4 0x7fe5e63f27e4 in nsFlexContainerFrame::ReflowChildren(mozilla::ReflowInput const&, int, int, mozilla::LogicalSize const&, mozilla::LogicalMargin const&, int, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:5152:13
#5 0x7fe5e63f044e in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:4497:7
#6 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#7 0x7fe5e63b20a9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3845:11
#8 0x7fe5e63afe06 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3181:5
#9 0x7fe5e63aac63 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2718:7
#10 0x7fe5e63a69c3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
#11 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#12 0x7fe5e63bf564 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6625:9
#13 0x7fe5e6377faa in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:812:13
#14 0x7fe5e63a97c3 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6745:12
#15 0x7fe5e63a6916 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1353:3
#16 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#17 0x7fe5e63bf564 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6625:9
#18 0x7fe5e6377faa in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:812:13
#19 0x7fe5e63a97c3 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6745:12
#20 0x7fe5e63a6916 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1353:3
#21 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#22 0x7fe5e63bf564 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6625:9
#23 0x7fe5e6377faa in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:812:13
#24 0x7fe5e63a97c3 in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6745:12
#25 0x7fe5e63a6916 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1353:3
#26 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#27 0x7fe5e63b20a9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3845:11
#28 0x7fe5e63afe06 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3181:5
#29 0x7fe5e63aac63 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2718:7
#30 0x7fe5e63a69c3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
#31 0x7fe5e63ce5c0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
#32 0x7fe5e63cfcd5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:692:7
#33 0x7fe5e63d1c5e in ReflowColumns /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:403:37
#34 0x7fe5e63d1c5e in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1186:5
#35 0x7fe5e63d214a in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1241:5
#36 0x7fe5e63b6070 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#37 0x7fe5e63b20a9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3845:11
#38 0x7fe5e63afe06 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3181:5
#39 0x7fe5e63aac63 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2718:7
#40 0x7fe5e63a69c3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1373:3
#41 0x7fe5e62a6fec in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9640:11
#42 0x7fe5e62b07ee in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9813:24
#43 0x7fe5e62afeed in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4224:11
#44 0x7fe5e6278f31 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1409:5
#45 0x7fe5e6278f31 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2243:20
#46 0x7fe5e6280d11 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#47 0x7fe5e6280d11 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#48 0x7fe5e6280bfc in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#49 0x7fe5e62801a8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
#50 0x7fe5e62801a8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
#51 0x7fe5e627fab0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
#52 0x7fe5e627f529 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
#53 0x7fe5e6644537 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#54 0x7fe5e28f1095 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#55 0x7fe5e26a352d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
#56 0x7fe5e23614ae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
#57 0x7fe5e235dc6f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
#58 0x7fe5e235f076 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
#59 0x7fe5e235fc9b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
#60 0x7fe5e1a607af in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
#61 0x7fe5e1a5ee1a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
#62 0x7fe5e1a5dec4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
#63 0x7fe5e1a5e077 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
#64 0x7fe5e1a64006 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
#65 0x7fe5e1a64006 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#66 0x7fe5e1a75587 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#67 0x7fe5e1a7b2ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#68 0x7fe5e2366d96 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#69 0x7fe5e22d8c83 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#70 0x7fe5e22d8b9d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#71 0x7fe5e22d8b9d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#72 0x7fe5e5fd0038 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#73 0x7fe5e77da583 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#74 0x7fe5e2367b59 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#75 0x7fe5e22d8c83 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#76 0x7fe5e22d8b9d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#77 0x7fe5e22d8b9d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#78 0x7fe5e77da168 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#79 0x55dff08db997 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#80 0x55dff08db997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#81 0x7fe5f63c60b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#82 0x55dff08b9749 in _start (/home/valentino/code/browsers/firefox/firefox-bin+0x14749)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1967:5 in nsContainerFrame::NormalizeChildLists()
==9368==ABORTING

Blocks: grizzly
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Component: Untriaged → Layout: Grid
Product: Firefox → Core
Resolution: --- → DUPLICATE
Version: other → unspecified