Closed Bug 1929457 Opened 7 months ago Closed 6 months ago

const _Tp &std::clamp(const _Tp &, const _Tp &, const _Tp &) [_Tp = int]: Assertion '!(__hi < __lo)' failed. [@ nsTextControlFrame::GetNaturalBaselineBOffset]

Categories: Core :: Layout: Form Controls, defect
Tracking: RESOLVED DUPLICATE of bug 1931933
Tracking Status: firefox134 --- fix-optional
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.html

Found while fuzzing m-c 20241031-5c7de47bcacb (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

const _Tp &std::clamp(const _Tp &, const _Tp &, const _Tp &) [_Tp = int]: Assertion '!(__hi < __lo)' failed.

#0 0x7fe7324969fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
#1 0x7fe7324969fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
#2 0x7fe7324969fc in pthread_kill nptl/pthread_kill.c:89:10
#3 0x7fe732442475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#4 0x7fe7324287f2 in abort stdlib/abort.c:79:7
#5 0x7fe7287c8615 in __replacement_assert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/x86_64-linux-gnu/c++/8/bits/c++config.h:447:5
#6 0x7fe7287c8615 in clamp<int> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:3721:7
#7 0x7fe7287c8615 in nsTextControlFrame::GetNaturalBaselineBOffset(mozilla::WritingMode, mozilla::BaselineSharingGroup, mozilla::BaselineExportContext) const /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:1242:19
#8 0x7fe7286e983c in nsGridContainerFrame::SynthesizeBaseline(nsGridContainerFrame::FindItemInGridOrderResult const&, mozilla::LogicalAxis, mozilla::BaselineSharingGroup, nsSize const&, int, mozilla::WritingMode) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9834:24
#9 0x7fe7286e635c in nsGridContainerFrame::CalculateBaselines(nsGridContainerFrame::BaselineSet, mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator<nsFrameList::ForwardFrameTraversal>>*, nsTArray<nsGridContainerFrame::GridItemInfo> const*, nsGridContainerFrame::Tracks const&, unsigned int, unsigned int, mozilla::WritingMode, nsSize const&, int, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9886:52
#10 0x7fe7286e2ec7 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9146:5
#11 0x7fe72867dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#12 0x7fe7286d4398 in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5520:11
#13 0x7fe7286d8634 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::IntrinsicISizeType, int, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5756:12
#14 0x7fe7286d2fcf in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5806:15
#15 0x7fe7286d2971 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeForNonSpanningItems(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5992:13
#16 0x7fe7286d07d8 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6727:11
#17 0x7fe7286c510c in CalculateSizes /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5926:3
#18 0x7fe7286c510c in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, nsGridContainerFrame::SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4065:12
#19 0x7fe7286e1405 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:8946:21
#20 0x7fe72867dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#21 0x7fe728670e8f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:710:7
#22 0x7fe72867dd14 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:892:14
#23 0x7fe728616217 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:914:3
#24 0x7fe728616cc0 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1049:3
#25 0x7fe72861919d in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1509:3
#26 0x7fe728687b41 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:933:14
#27 0x7fe728642960 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:358:7
#28 0x7fe728514424 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9986:11
#29 0x7fe72853d3bf in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10156:22
#30 0x7fe72851e0af in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10203:10
#31 0x7fe72851e0af in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4426:9
#32 0x7fe7247b36db in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1456:5
#33 0x7fe7247b36db in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11293:16
#34 0x7fe72377f0ad in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:728:14
#35 0x7fe7237804f4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#36 0x7fe728a338bf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13747:23
#37 0x7fe722b1f72f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:642:22
#38 0x7fe722b20a4e in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#39 0x7fe7247b896c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12083:18
#40 0x7fe72479e7f9 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8445:3
#41 0x7fe724855749 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#42 0x7fe724855749 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#43 0x7fe724855749 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#44 0x7fe724855749 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#45 0x7fe724855749 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#46 0x7fe724855749 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#47 0x7fe724855749 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#48 0x7fe7228eff67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#49 0x7fe7228e57c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#50 0x7fe7228e4207 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#51 0x7fe7228e4685 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#52 0x7fe7228f3946 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#53 0x7fe7228f3946 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#54 0x7fe7229071fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#55 0x7fe72290dedf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#56 0x7fe7234948c5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#57 0x7fe7233e6cc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#58 0x7fe7233e6cc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#59 0x7fe728153378 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#60 0x7fe728205378 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#61 0x7fe7290e29bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:651:20
#62 0x7fe723495716 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#63 0x7fe7233e6cc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#64 0x7fe7233e6cc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#65 0x7fe7290e1dda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:586:34
#66 0x59d7f130ce9e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20241112214908-aef84d293121.
The bug appears to have been introduced in the following build range:

Start: 3b8b535b9bb0d8ab8cd08d970bc69f7cfe0f70b0 (20241031014759)
End: 2cc133b3c09973080c249c53419139bb94f2c3ae (20241031065618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3b8b535b9bb0d8ab8cd08d970bc69f7cfe0f70b0&tochange=2cc133b3c09973080c249c53419139bb94f2c3ae

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Whiteboard: [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

:tsmith, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.

Flags: needinfo?(twsmith)

Found thanks to enabling debug mode for libstdc++ headers (bug 1270832).

Flags: needinfo?(twsmith)
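
The precondition behind the `!(__hi < __lo)` assertion in this report, shown as an added example that is not code from the bug, its testcase or Gecko. The function names, the "lower bound wins" policy and the sample values are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdio>
#include <optional>

// std::clamp(v, lo, hi) requires !(hi < lo). Breaking that precondition is
// undefined behaviour; libstdc++ aborts on it only when its assertions are
// compiled in (e.g. -D_GLIBCXX_ASSERTIONS). The abort in the trace above is
// that check firing.

// Model of the usual unchecked comparison order, written out by hand so the
// example never calls std::clamp with inverted bounds.
int unchecked_clamp_model(int v, int lo, int hi) {
  return (v < lo) ? lo : (hi < v) ? hi : v;
}

// Option 1: refuse inverted bounds and make the caller handle the case.
std::optional<int> checked_clamp(int v, int lo, int hi) {
  if (hi < lo) return std::nullopt;
  return std::clamp(v, lo, hi);
}

// Option 2: a total function where the lower bound wins (assumed policy;
// pick whichever bound is authoritative for the caller).
int clamp_lo_wins(int v, int lo, int hi) {
  return std::max(lo, std::min(v, hi));
}

int main() {
  // Constructed values: lo = 10, hi = 0 is an inverted range.
  // Without the assertion the result silently flips between the two bounds:
  // a larger input (20) yields a smaller output (0) than a smaller input (5).
  std::printf("model(5)=%d model(20)=%d\n",
              unchecked_clamp_model(5, 10, 0),
              unchecked_clamp_model(20, 10, 0));
  std::printf("checked_clamp has value: %d\n",
              checked_clamp(5, 10, 0).has_value());
  std::printf("clamp_lo_wins(20)=%d\n", clamp_lo_wins(20, 10, 0));
  return 0;
}
```

In a build without the library assertions the inverted range goes unnoticed, which is why the fuzzing build with checked headers is the one that surfaced it.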

Testcase crashes using the initial build (mozilla-central 20241031161750-5c7de47bcacb) but not with tip (mozilla-central 20241123090138-64d44f7a4817).

The bug appears to have been fixed in the following build range:

Start: 3987a040f91e5a038f609c231546993ce292f51f (20241120204616)
End: 1692552157679723a748cd97b9e67aa5d4b613bf (20241120220300)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3987a040f91e5a038f609c231546993ce292f51f&tochange=1692552157679723a748cd97b9e67aa5d4b613bf

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

Probably fixed by bug 1931933.

Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1931933
Resolution: --- → DUPLICATE
Flags: needinfo?(twsmith)