Closed Bug 1535945 Opened 5 years ago Closed 5 years ago

crash at null in [@ MergeState::ProcessItemFromNewList]

Categories

(Core :: Web Painting, defect, P1)

defect

Tracking

VERIFIED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- wontfix
firefox68 --- verified

People

(Reporter: tsmith, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
==22371==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5e092df18b bp 0x7ffe23ebb5f0 sp 0x7ffe23ebb400 T0)
==22371==The signal is caused by a READ memory access.
==22371==Hint: address points to the zero page.
    #0 0x7f5e092df18a in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:345:7
    #1 0x7f5e092ddb25 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) src/layout/painting/RetainedDisplayListBuilder.cpp:675:31
    #2 0x7f5e092e9dbb in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1348:7
    #3 0x7f5e088a901f in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3707:40
    #4 0x7f5e08741cf2 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6057:5
    #5 0x7f5e07ebe30f in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:461:19
    #6 0x7f5e07ebd10c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:396:33
    #7 0x7f5e07ec2ba6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1022:5
    #8 0x7f5e0868959b in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2031:11
    #9 0x7f5e0869bb29 in TickDriver src/layout/base/nsRefreshDriver.cpp:342:13
    #10 0x7f5e0869bb29 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:319
    #11 0x7f5e0869b418 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:336:5
    #12 0x7f5e0869f65f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:777:5
    #13 0x7f5e0869f65f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:697
    #14 0x7f5e0869efc7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NormalPriorityNotify() src/layout/base/nsRefreshDriver.cpp:614:9
    #15 0x7f5e0869f9db in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #16 0x7f5e0869f9db in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #17 0x7f5e0869f9db in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #18 0x7f5dfd9e4092 in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:327:22
    #19 0x7f5dfd9c0591 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1179:14
    #20 0x7f5dfd9c899d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #21 0x7f5dfec7820f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #22 0x7f5dfeb4e55e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #23 0x7f5dfeb4e55e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #24 0x7f5dfeb4e55e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #25 0x7f5e07fb4493 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #26 0x7f5e0c5792ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:933:20
    #27 0x7f5dfeb4e55e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #28 0x7f5dfeb4e55e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #29 0x7f5dfeb4e55e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #30 0x7f5e0c57845c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:771:34
    #31 0x55586b269834 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #32 0x55586b269834 in main src/browser/app/nsBrowserApp.cpp:265
Flags: in-testsuite?
Assignee: nobody → matt.woodrow
Priority: -- → P1

This is caused by the scroll-behavior: smooth causing us to hit this code: https://searchfox.org/mozilla-central/rev/4763b8d576ce52625d245d1ab6d9404ea025b026/layout/generic/nsGfxScrollFrame.cpp#2327

That creates new displayports on ancestors, but doesn't mark the frame modified.

When we do a partial DL build with RDL, some of the contents of the ancestors have changed (the crashing item is the nsDisplayCompositorHitTestInfo, which isn't given an override z-index when a displayport is present), without an invalidation.

Merging detects that the item has changed location (due to different z-index), doesn't know which one to use, and crashes.
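The failure mode described in the comment above, as an added simplified model that is not Gecko's code: a hit-test item whose z-index depends on whether its frame has a displayport, a displayport creation that may or may not mark the frame modified, and a merge that has no consistent answer when an unmodified frame's item reappears at a different z-index. The override z-index value, the frame/item structs and the function names are assumptions for illustration; the real merge dereferences a null item at that point, while this model returns nullopt so the condition can be checked.

```cpp
// Simplified model of the invalidation invariant behind this bug. This is
// illustrative code, not Gecko's RetainedDisplayListBuilder.
#include <optional>
#include <string>
#include <vector>
constexpr int kOverrideZ = 1000;  // assumed override z-index for hit-test info
struct Frame {
  std::string name;
  bool hasDisplayPort = false;
  bool modified = false;  // the "frame modified" flag a partial build honours
};

struct Item {
  std::string key;  // owning frame's name, used as the merge key in this model
  int zIndex;
  bool frameModified;
};
// Hit-test info gets the override z-index only without a displayport, so
// creating a displayport changes where the item sorts within the list.
Item BuildHitTestInfo(const Frame& f) {
  return {f.name, f.hasDisplayPort ? 0 : kOverrideZ, f.modified};
}
// Model of the defect: creating a displayport may skip marking the frame.
void CreateDisplayPort(Frame& f, bool invalidate) {
  f.hasDisplayPort = true;
  if (invalidate) f.modified = true;  // the fix makes this unconditional
}
// Merge an old retained list with a freshly built partial list. Returns nullopt
// where the real merge has no consistent answer (the crash case).
std::optional<std::vector<Item>> MergeLists(const std::vector<Item>& oldList,
                                            const std::vector<Item>& newList) {
  std::vector<Item> merged;
  for (const Item& n : newList) {
    for (const Item& o : oldList) {
      if (o.key == n.key && !n.frameModified && o.zIndex != n.zIndex) return std::nullopt;
    }
    merged.push_back(n);  // a modified frame's new item simply replaces the old
  }
  return merged;
}

// The scenario from the bug: an ancestor gains a displayport during a smooth
// scroll, then a partial display list build re-emits its hit-test item.
std::optional<std::vector<Item>> Scenario(bool invalidateOnDisplayPort) {
  Frame ancestor{"ancestor"};
  std::vector<Item> oldList{BuildHitTestInfo(ancestor)};  // z = kOverrideZ
  CreateDisplayPort(ancestor, invalidateOnDisplayPort);
  std::vector<Item> newList{BuildHitTestInfo(ancestor)};  // z = 0
  return MergeLists(oldList, newList);
}
```

Scenario(false) reproduces the pre-fix state (merge has no answer); Scenario(true) reproduces the fix, where the rebuilt item replaces the stale one.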

Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e259884f052
Don't skip invalidating frames when creating displayports for async scrollable ancestors. r=tnikkel
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Regressions: 1548483

Reproduced: Fx 67.0a1 (2019-03-18) - Windows 10 x64
Verified fixed: Fx 69.0a1 (2019-06-05) and Fx 68.0b7 - Windows 10 x64, Ubuntu 18.04 x64, macOS 10.13

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: in-testsuite? → in-testsuite+