Closed Bug 1648577 Opened 5 years ago Closed 5 years ago

crash in [@ InvalidArrayIndex_CRASH | @ nsFlexContainerFrame::GenerateFlexLines]

Categories

(Core :: Layout: Flexbox, defect, P1)

defect

Tracking

()

VERIFIED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox77 --- unaffected
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- verified

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found with m-c 20200608-63dc5e9b1b02

#0 0x7f7632e6868f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:332:3
#1 0x7f7632e6868f in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /gecko/xpcom/ds/nsTArray.cpp:27:3
#2 0x7f763bd1f87c in nsTArray_Impl<nsFlexContainerFrame::FlexItem, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1152:7
#3 0x7f763bd0b73e in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/ArrayIterator.h:104:45
#4 0x7f763bd0b73e in operator-> /gecko/layout/generic/nsFlexContainerFrame.cpp:1138:22
#5 0x7f763bd0b73e in nsFlexContainerFrame::GenerateFlexLines(nsFlexContainerFrame::SharedFlexData const&, nsTArray<nsFlexContainerFrame::FlexLine>&) /gecko/layout/generic/nsFlexContainerFrame.cpp:3974:11
#6 0x7f763bd0e903 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsFlexContainerFrame.cpp:4381:5
#7 0x7f763bcaf7c5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#8 0x7f763bcbf76e in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:6573:9
#9 0x7f763bc39b37 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /gecko/layout/generic/BlockReflowInput.cpp:881:13
#10 0x7f763bc9810d in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:6693:12
#11 0x7f763bc92638 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1355:3
#12 0x7f763bcdcf24 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
#13 0x7f763bce12e8 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:704:7
#14 0x7f763bce00f2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:414:37
#15 0x7f763bce5062 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1097:9
#16 0x7f763bce6007 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1222:5
#17 0x7f763bcaf7c5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#18 0x7f763bca67aa in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3771:11
#19 0x7f763bca2f8b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3120:5
#20 0x7f763bc99d26 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2658:7
#21 0x7f763bc927ad in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
#22 0x7f763bcaf7c5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#23 0x7f763bca67aa in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3771:11
#24 0x7f763bca2f8b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3120:5
#25 0x7f763bc99d26 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2658:7
#26 0x7f763bc927ad in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
#27 0x7f763bcdcf24 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
#28 0x7f763bcdbd0d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:750:5
#29 0x7f763bcdcf24 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
#30 0x7f763bdc35d1 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:666:3
#31 0x7f763bdc4e05 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:780:3
#32 0x7f763bdc8fea in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1166:3
#33 0x7f763bc824a1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1114:14
#34 0x7f763bc81b0b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:297:7
#35 0x7f763ba9e3fe in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9612:11
#36 0x7f763bab0cb7 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9785:24
#37 0x7f763baaf72d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4250:11
#38 0x7f763ba3c997 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2064:20
#39 0x7f763ba49e06 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:373:13
#40 0x7f763ba49e06 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:350:7
#41 0x7f763ba49a05 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:367:5
#42 0x7f763ba58e82 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:819:5
#43 0x7f763ba58e82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:737:16
#44 0x7f763ba5845f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:639:7
#45 0x7f763ba46df2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /gecko/layout/base/nsRefreshDriver.cpp:538:20
#46 0x7f7632f96a1e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
#47 0x7f7632fa1a0c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:501:10
#48 0x7f763432820f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#49 0x7f76342045a7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:315:10
#50 0x7f76342045a7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:308:3
#51 0x7f76342045a7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:290:3
#52 0x7f763b596d28 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#53 0x7f763f154356 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#54 0x7f76342045a7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:315:10
#55 0x7f76342045a7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:308:3
#56 0x7f76342045a7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:290:3
#57 0x7f763f15393f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#58 0x559d6eb46b43 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#59 0x559d6eb46b43 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/XrNecyf_INsndREzsS1eww/index.html

Whiteboard: [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7. The bug appears to have been introduced in the following build range:
> Start: bd3a170fc984a92ff6478480b16e3d8ce9cb2f68 (20200520021814)
> End: 2924b52f3b3f620863d49f521b4a17d5b49be56b (20200520021928)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd3a170fc984a92ff6478480b16e3d8ce9cb2f68&tochange=2924b52f3b3f620863d49f521b4a17d5b49be56b
Keywords: regression
Regressed by: 1637145
Has Regression Range: --- → yes

I'll take a look.

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1

We cannot use childFrame's sibling to determine whether we have more
children because we iterate children in CSS 'order'-aware order, not
the order in principal child list. Instead, we should check whether the
iterator is at end.
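The mismatch the commit message describes, modelled as an added example (illustrative code written for this page, not Gecko's nsFlexContainerFrame or its order-aware iterator; the Frame, MakeChildren and OrderAwareIterator names are assumptions): when CSS 'order' values reorder the visit sequence relative to the principal child list, the sibling-pointer check can claim a next item exists while the iterator is already on its last element, and a loop that trusts it indexes one past the end of the item array.

```cpp
// Added example (not Gecko code): a simplified model of why "are there more
// flex items?" must be asked of the CSS 'order'-aware iterator, not read off
// the principal child list's sibling pointer. Frame, MakeChildren and
// OrderAwareIterator are assumed names for this illustration.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

struct Frame {
  int order = 0;                 // CSS 'order' property value
  Frame* nextSibling = nullptr;  // next frame in the principal child list
};

// Builds a principal child list whose frames carry the given 'order' values
// (constructed input). The vector owns the frames; returning it moves the
// same heap buffer, so the sibling pointers stay valid for the caller.
static std::vector<Frame> MakeChildren(const std::vector<int>& orders) {
  std::vector<Frame> frames(orders.size());
  for (size_t i = 0; i < orders.size(); ++i) {
    frames[i].order = orders[i];
    frames[i].nextSibling = (i + 1 < orders.size()) ? &frames[i + 1] : nullptr;
  }
  return frames;
}

// Visits children sorted by 'order' (stable sort, so equal values keep their
// principal-list position), the way a CSS-order-aware iterator does.
class OrderAwareIterator {
 public:
  explicit OrderAwareIterator(Frame* first) {
    for (Frame* f = first; f; f = f->nextSibling) mSorted.push_back(f);
    std::stable_sort(mSorted.begin(), mSorted.end(),
                     [](const Frame* a, const Frame* b) { return a->order < b->order; });
  }
  bool AtEnd() const { return mIndex >= mSorted.size(); }
  bool HasNext() const { return mIndex + 1 < mSorted.size(); }
  Frame* Get() const { return mSorted[mIndex]; }
  void Next() { ++mIndex; }

 private:
  std::vector<Frame*> mSorted;
  size_t mIndex = 0;
};

// Buggy shape of the check: one "more items follow" decision per visited
// child, taken from the sibling pointer (the principal list's idea of "next").
std::vector<bool> SiblingBasedHasMore(const std::vector<int>& orders) {
  std::vector<Frame> frames = MakeChildren(orders);
  std::vector<bool> decisions;
  for (OrderAwareIterator it(frames.empty() ? nullptr : &frames[0]); !it.AtEnd(); it.Next()) {
    decisions.push_back(it.Get()->nextSibling != nullptr);
  }
  return decisions;
}

// Fixed shape of the check: the same decision, but asked of the iterator.
std::vector<bool> IteratorBasedHasMore(const std::vector<int>& orders) {
  std::vector<Frame> frames = MakeChildren(orders);
  std::vector<bool> decisions;
  for (OrderAwareIterator it(frames.empty() ? nullptr : &frames[0]); !it.AtEnd(); it.Next()) {
    decisions.push_back(it.HasNext());
  }
  return decisions;
}

// True when the sibling-based check still claims a next item while the
// iterator is on its last element: a loop trusting that answer would index
// one past the end of the item array, which nsTArray's bounds-checked
// ElementAt turns into InvalidArrayIndex_CRASH instead of an out-of-bounds read.
bool SiblingCheckOverruns(const std::vector<int>& orders) {
  std::vector<bool> d = SiblingBasedHasMore(orders);
  return !d.empty() && d.back();
}

int main() {
  // 'order: 1' on the first child and 'order: 0' on the second reverses the
  // visit order relative to the principal list; equal orders do not.
  std::printf("overrun with orders {1, 0}: %s\n", SiblingCheckOverruns({1, 0}) ? "yes" : "no");
  std::printf("overrun with orders {0, 0, 0}: %s\n", SiblingCheckOverruns({0, 0, 0}) ? "yes" : "no");
  return 0;
}
```

With children in principal order A (order 1), B (order 0), the iterator visits B then A: B has no sibling, so the buggy check says "no more" one item too early, and A still has a sibling, so it says "more" when nothing follows. The iterator-based check gives the right answer in both positions, which is the shape of the fix that landed.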

Set release status flags based on info from the regressing bug 1637145

Attachment #9159599 - Attachment description: Bug 1648577 - Fix the condition checking whether there's more FlexItems to be generated. → Bug 1648577 - Fix a condition that checks whether to create a new FlexLine with break-after.
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/067f4c0eb51b Fix a condition that checks whether to create a new FlexLine with break-after. r=dholbert
Backout by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/42cc535d354d Backed out changeset 067f4c0eb51b for crashtest failures at nsFlexContainerFrame.cpp. CLOSED TREE

I developed this patch on top of bug 1645549, but decided to land it independently without realizing that the crashtest in this bug can also trigger the assertion that bug 1645549 is trying to fix.

Depends on: 1645549
Flags: needinfo?(aethanyc)
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/49b012117823 Fix a condition that checks whether to create a new FlexLine with break-after. r=dholbert
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200702094606-6e29c02e7e5f. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Is there a user impact which justifies Beta and ESR78 backport consideration here?

Flags: needinfo?(aethanyc)

Thanks for the ping! Yes, the testcase can crash on release builds. However, to fix this on ESR78, backporting this patch might not be sufficient. It may require at least several other bugs related to frame fragmentation, such as bug 1645549, bug 1640051, and bug 1405813.

Luckily, real webpages shouldn't go to the extreme code path like the testcase does. Let's just let the patch ride the train.
