1464095 - Crash in MergeState::AddNewNode

Reporter

Description

•

6 years ago

This bug was filed from the Socorro interface and is report bp-c1d8d141-8f53-4d3a-af3f-af9100180524. ============================================================= Top 10 frames of crashing thread: 0 xul.dll MergeState::AddNewNode layout/painting/RetainedDisplayListBuilder.cpp:371 1 xul.dll MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:404 2 xul.dll MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:318 3 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:509 4 xul.dll MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:393 5 xul.dll MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:318 6 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:509 7 xul.dll MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:393 8 xul.dll MergeState::ProcessPredecessorsOfOldNode layout/painting/RetainedDisplayListBuilder.cpp:441 9 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:300 ============================================================= this is a new crash signature in 61/62 showing up with MOZ_RELEASE_ASSERT(!i->mMergedItem) that was added for diagnostics in bug 1459997.

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

Blocks: RDLbugs

tracking-firefox61: --- → +

tracking-firefox62: --- → +

Jet Villegas (inactive)

Updated

•

6 years ago

Assignee: nobody → matt.woodrow

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

Flags: needinfo?(matt.woodrow)

Matt Woodrow (:mattwoodrow)

Assignee

Comment 1

•

6 years ago

This errors suggests that the ordering of display items changed without an invalidation, and we ended up with a cycle in our DAG. Only a few URLs on the crash reports, and I haven't managed to reproduce this crash using any of them yet.

Matt Woodrow (:mattwoodrow)

Assignee

Comment 2

•

6 years ago

Low frequency, and no crashes in 61.0b9 as of yet.

Flags: needinfo?(matt.woodrow)

Jason Kratzer [:jkratzer]

Comment 3

•

6 years ago

Attached file trigger.html — Details

Testcase found while fuzzing mozilla-central rev e83a0d04ce6a. Testcase may take a while to trigger. ==23309==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5f34777839 bp 0x7ffd594d5c30 sp 0x7ffd594d5bb0 T0) ==23309==The signal is caused by a WRITE memory access. ==23309==Hint: address points to the zero page. #0 0x7f5f34777838 in MergeState::AddNewNode(nsDisplayItem*, mozilla::Maybe<Index<OldListUnits> > const&, mozilla::Span<Index<MergedListUnits> const, 18446744073709551615ul>, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:377:9 #1 0x7f5f34778b81 in MergeState::ProcessOldNode(Index<OldListUnits>, nsTArray<Index<MergedListUnits> >&&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:411:9 #2 0x7f5f34669728 in MergeState::Finalize() /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:323:7 #3 0x7f5f34667a16 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, unsigned int) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:517:21 #4 0x7f5f34670a21 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1206:7 #5 0x7f5f33e1a28b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3695:40 #6 0x7f5f33d0db87 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6314:5 #7 0x7f5f336a060a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19 #8 0x7f5f3369f40c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33 #9 0x7f5f336a4a66 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5 #10 0x7f5f33c874b5 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2039:11 #11 0x7f5f33c9428b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13 #12 0x7f5f33c9428b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301 #13 0x7f5f33c93e69 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5 #14 0x7f5f33c969ae in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5 #15 0x7f5f33c969ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673 #16 0x7f5f33c965ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:574:9 #17 0x7f5f34549f3f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16 #18 0x7f5f2d1a70cd in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20 #19 0x7f5f2d06b0cd in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28 #20 0x7f5f2cb8137e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2134:25 #21 0x7f5f2cb7e2c2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2064:17 #22 0x7f5f2cb7fafc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1910:5 #23 0x7f5f2cb80158 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1943:15 #24 0x7f5f2bc86c26 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1088:14 #25 0x7f5f2bca2e40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10 #26 0x7f5f2cb89006 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5 #27 0x7f5f2cadd159 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #28 0x7f5f2cadd159 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #29 0x7f5f2cadd159 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #30 0x7f5f3372e25a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #31 0x7f5f379ace9b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #32 0x7f5f2cadd159 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #33 0x7f5f2cadd159 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #34 0x7f5f2cadd159 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #35 0x7f5f379ac860 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #36 0x4f4efc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #37 0x4f4efc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282 #38 0x7f5f4bc3082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Flags: needinfo?(matt.woodrow)

Jason Kratzer [:jkratzer]

Updated

•

6 years ago

Flags: in-testsuite?

Jason Kratzer [:jkratzer]

Comment 4

•

6 years ago

While reducing the attached testcase, I also came across the following stack. If you feel this is a separate issue let me know and I'll open a new bug for it. ==23278==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055fcf8 bp 0x7ffc66b23390 sp 0x7ffc66b23220 T0) ==23278==The signal is caused by a WRITE memory access. ==23278==Hint: address points to the zero page. #0 0x55fcf7 in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp:63:3 #1 0x7f9f622c724d in GetOldListIndex /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2844:7 #2 0x7f9f622c724d in MergeState::HasMatchingItemInOldList(nsDisplayItem*, Index<OldListUnits>*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:339 #3 0x7f9f621b92fe in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:285:9 #4 0x7f9f621b87f8 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, unsigned int) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:514:36 #5 0x7f9f621b974a in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:293:25 #6 0x7f9f621b87f8 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, unsigned int) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:514:36 #7 0x7f9f621c1a21 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1206:7 #8 0x7f9f6196b28b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3695:40 #9 0x7f9f6185eb87 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6314:5 #10 0x7f9f611f160a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19 #11 0x7f9f611f040c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33 #12 0x7f9f611f5a66 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5 #13 0x7f9f617d84b5 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2039:11 #14 0x7f9f617e528b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13 #15 0x7f9f617e528b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301 #16 0x7f9f617e4e69 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5 #17 0x7f9f617e79ae in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5 #18 0x7f9f617e79ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673 #19 0x7f9f617e75ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:574:9 #20 0x7f9f6209af3f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16 #21 0x7f9f5acf80cd in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20 #22 0x7f9f5abbc0cd in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28 #23 0x7f9f5a6d237e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2134:25 #24 0x7f9f5a6cf2c2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2064:17 #25 0x7f9f5a6d0afc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1910:5 #26 0x7f9f5a6d1158 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1943:15 #27 0x7f9f597d7c26 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1088:14 #28 0x7f9f597f3e40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10 #29 0x7f9f5a6da006 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5 #30 0x7f9f5a62e159 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #31 0x7f9f5a62e159 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #32 0x7f9f5a62e159 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #33 0x7f9f6127f25a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #34 0x7f9f654fde9b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #35 0x7f9f5a62e159 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #36 0x7f9f5a62e159 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #37 0x7f9f5a62e159 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #38 0x7f9f654fd860 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #39 0x4f4efc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #40 0x4f4efc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282 #41 0x7f9f7933d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Tyson Smith [:tsmith]

Comment 5

•

6 years ago

Matt, RE: our chat on IRC. I can repro this crash consistently on Linux when the test is served via http:// Reproduced on m-c: BuildID=20180607130025 SourceStamp=199a085199815cc99daa658956a7c9436e1d436b

Tyson Smith [:tsmith]

Comment 6

•

6 years ago

Attached file release_assertion.txt — Details

I've also seen this assertion while running this testcase. Assertion failure: !i->mMergedItem, at src/layout/painting/RetainedDisplayListBuilder.cpp:377

Ryan VanderMeulen [:RyanVM]

Comment 7

•

6 years ago

I don't think this bug needs to track 61 at this point since it's just the diagnostic asserts being hit (which won't affect release users). That said, I'd still accept a low-risk patch to help stabilize RDL.

status-firefox61: affected → fix-optional

tracking-firefox61: + → -

Matt Woodrow (:mattwoodrow)

Assignee

Comment 8

•

6 years ago

The testcase here is adding perspective to the document element, so I think that's bug 1467688. Will keep this open though, since it's tracking an assertion for this class of bugs.

Flags: needinfo?(matt.woodrow)

Liz Henry (:lizzard) (relman/hg->git project)

Comment 9

•

6 years ago

Happy to take a patch in 62 but this is low volume enough on 62 beta that I don't think we need to track it.

status-firefox63: --- → affected

tracking-firefox62: + → -

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

status-firefox61: fix-optional → disabled

Darkspirit

Updated

•

6 years ago

Crash Signature: [@ MergeState::AddNewNode] → [@ MergeState::AddNewNode] [@ struct Index<T> MergeState::AddNewNode ]

Liz Henry (:lizzard) (relman/hg->git project)

Updated

•

6 years ago

status-firefox62: affected → wontfix

status-firefox63: affected → fix-optional

status-firefox64: --- → affected

Pascal Chevrel:pascalc

Updated

•

6 years ago

status-firefox63: fix-optional → wontfix

status-firefox64: affected → fix-optional

status-firefox65: --- → affected

Liz Henry (:lizzard) (relman/hg->git project)

Comment 10

•

6 years ago

Marking this fix-optional yet again so that it won't keep showing up in regression triage.

status-firefox64: fix-optional → wontfix

status-firefox65: affected → wontfix

status-firefox66: --- → fix-optional

Priority: -- → P5

Andrei Purice

Comment 11

•

3 years ago

Marking this as Resolved > Worksforme since no other crashes with this signature have been reported in the last 6 months.

Status: NEW → RESOLVED

Closed: 3 years ago

Resolution: --- → WORKSFORME

trigger.html 6 years ago Jason Kratzer [:jkratzer] 4.02 KB, text/html		Details
release_assertion.txt 6 years ago Tyson Smith [:tsmith] 4.17 KB, text/plain		Details