Closed Bug 1547250 Opened 1 year ago Closed 1 year ago

Assertion failure: aDebugFromA11y || (list && !list->IsDirty()), at /builds/worker/workspace/build/src/layout/generic/nsBulletFrame.cpp:831

Categories

(Core :: Layout: Block and Inline, defect)

RESOLVED DUPLICATE of bug 1543551
Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 0ec836eceb96. Testcase requires a build with --enable-fuzzing and may take a few seconds to trigger. On Linux, the env variable GNOME_ACCESSIBILITY=1 must be set.

Assertion failure: aDebugFromA11y || (list && !list->IsDirty()), at /builds/worker/workspace/build/src/layout/generic/nsBulletFrame.cpp:831

rax = 0x00005653a765ce40 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007f82b984ce80
rsi = 0x00007f82c8bbb2db rdi = 0x00007f82d3a89680
rbp = 0x00007fff99bfa260 rsp = 0x00007fff99bfa240
r8 = 0x00007f82d3a8a8b0 r9 = 0x00007f82d4bf4740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007f82b94dbec8 r13 = 0x0000000000000000
r14 = 0x00007fff99bfa3a0 r15 = 0x00007fff99bfa2d8
rip = 0x00007f82c53db514
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsBulletFrame::Ordinal(bool) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBulletFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|831|0x36
0|1|libxul.so|nsDisplayBullet::AllocateGeometry(nsDisplayListBuilder*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBulletFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|584|0x76
0|2|libxul.so|mozilla::FrameLayerBuilder::ComputeGeometryChangeForItem(mozilla::DisplayItemData*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|5157|0x6
0|3|libxul.so|mozilla::FrameLayerBuilder::WillEndTransaction()|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2285|0x5
0|4|libxul.so|nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2673|0xc
0|5|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2840|0x27
0|6|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3988|0x5
0|7|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|6086|0x1b
0|8|libxul.so|mozilla::dom::BrowserChild::RecvRenderLayers(bool const&, bool const&, mozilla::layers::LayersObserverEpoch const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2499|0x18
0|9|libxul.so|mozilla::dom::BrowserChild::PaintWhileInterruptingJS(mozilla::layers::LayersObserverEpoch const&, bool)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3303|0x16
0|10|libxul.so|InterruptCallback|hg:hg.mozilla.org/mozilla-central:dom/ipc/ProcessHangMonitor.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1051|0xd1
0|11|libxul.so|HandleInterrupt|hg:hg.mozilla.org/mozilla-central:js/src/vm/Runtime.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|427|0x6
0|12|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2076|0xe
0|13|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|423|0xb
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|563|0xf
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|16|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|606|0x5
0|17|libxul.so|js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|730|0x5
0|18|libxul.so|GetExistingProperty<(js::AllowGC)1u>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2271|0x50
0|19|libxul.so|NativeGetPropertyInline<(js::AllowGC)1u>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2517|0xf
0|20|libxul.so|js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/ObjectOperations-inl.h:0ec836eceb969c548067cee6de2ea213513a43d5|117|0x2c
0|21|libxul.so|js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4487|0x52
0|22|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2767|0xe7
0|23|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|423|0xb
0|24|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|563|0xf
0|25|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|26|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|606|0x5
0|27|libxul.so|JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2573|0x1d
0|28|libxul.so|nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCWrappedJSClass.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|965|0x13
0|29|libxul.so|PrepareAndDispatch|hg:hg.mozilla.org/mozilla-central:xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|128|0xf
0|30|libxul.so|SharedStub|||0x5b
0|31|libxul.so|nsSHistory::NotifyOnHistoryReload(bool*)|hg:hg.mozilla.org/mozilla-central:docshell/shistory/nsSHistory.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|783|0x2f
0|32|libxul.so|nsDocShell::Reload(unsigned int)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4584|0x23
0|33|libxul.so|mozilla::dom::Location::Reload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Location.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|793|0x6
0|34|libxul.so|mozilla::dom::Location_Binding::reload|s3:gecko-generated-sources:88d2a71b9a7ed822cdf8e91bdc0848777388ead935c35293ef1d004fd70e359202a1dc7c37f7b3192fa4094a7be19186178ceacc3b4d31b7f5be95d8f4b30c5e/dom/bindings/LocationBinding.cpp:|1136|0x45
0|35|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3153|0x24
0|36|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|443|0x13
0|37|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|535|0x12
0|38|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|39|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|594|0xf
0|40|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|423|0xb
0|41|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|563|0xf
0|42|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|43|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|606|0x5
0|44|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2636|0x1c
0|45|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|46|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|47|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1040|0x1e
0|48|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1240|0x19
0|49|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|351|0x6
0|50|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|551|0x12
0|51|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1047|0x1a
0|52|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1147|0x19
0|53|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1028|0x5
0|54|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4062|0x30
0|55|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4033|0x19
0|56|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4981|0x40
0|57|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:0ec836eceb969c548067cee6de2ea213513a43d5|1174|0x13
0|58|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|295|0x15
0|59|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1180|0x15
0|60|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|486|0x11
0|61|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|88|0xa
0|62|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|315|0x17
0|63|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|290|0x8
0|64|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|137|0xd
0|65|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|919|0x11
0|66|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|238|0x5
0|67|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|315|0x17
0|68|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|290|0x8
0|69|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|757|0xc
0|70|libxul.so|_fini|||0xd56992
0|71|libxul.so|_fini|||0x26b2814
0|72|firefox-bin|RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::Insert(RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::TreeNode)|hg:hg.mozilla.org/mozilla-central:memory/build/rb.h:0ec836eceb969c548067cee6de2ea213513a43d5|377|0x5

Flags: in-testsuite?

Same root cause as bug 1543551. Probably we should just downgrade that assertion when called from painting as well since painting can happen off a JS interrupt.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1543551
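
A triage helper for traces like the one in this report, as an added example that is not part of the original bug or of Mozilla's tooling: it parses the pipe-delimited stack records and labels a crash when the paint was entered from a JS interrupt, the condition the closing comment describes. The names `parse_frames` and `paint_under_js_interrupt` and the bucket label format are assumptions made for this example.

```python
from typing import NamedTuple, Optional

# Constructed sample: the Crash record and five frames copied from the trace above.
SAMPLE = """\
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsBulletFrame::Ordinal(bool) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBulletFrame.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|831|0x36
0|9|libxul.so|mozilla::dom::BrowserChild::PaintWhileInterruptingJS(mozilla::layers::LayersObserverEpoch const&, bool)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3303|0x16
0|10|libxul.so|InterruptCallback|hg:hg.mozilla.org/mozilla-central:dom/ipc/ProcessHangMonitor.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1051|0xd1
0|11|libxul.so|HandleInterrupt|hg:hg.mozilla.org/mozilla-central:js/src/vm/Runtime.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|427|0x6
0|30|libxul.so|SharedStub|||0x5b
"""

class Frame(NamedTuple):
    thread: int
    index: int
    function: str
    path: str            # repository-relative path, "" when the frame has no source
    line: Optional[int]

def parse_frames(text: str) -> list:
    """Parse 'thread|frame|module|function|source|line|offset' records."""
    frames = []
    for raw in text.splitlines():
        parts = raw.split("|")
        if len(parts) != 7 or not parts[0].isdigit():
            continue  # OS|, CPU|, GPU| and Crash| header records
        src = parts[4].split(":")  # 'hg:<repo>:<path>:<revision>'
        path = src[2] if len(src) >= 3 else ""
        frames.append(Frame(int(parts[0]), int(parts[1]), parts[3], path,
                            int(parts[5]) if parts[5].isdigit() else None))
    return frames

def paint_under_js_interrupt(frames: list) -> Optional[str]:
    """Return a bucket label when the first thread painted from a JS interrupt.

    Frame 0 is innermost, so the interrupt handler must have a higher index
    than the paint entry point for the paint to be nested inside it.
    Assumption: the first thread listed is the crashing one.
    """
    stack = [f for f in frames if f.thread == frames[0].thread] if frames else []
    paint = next((f for f in stack if "PaintWhileInterruptingJS" in f.function), None)
    if paint is None:
        return None
    if not any(f.function == "HandleInterrupt" and f.index > paint.index for f in stack):
        return None
    return f"{stack[0].path}:{stack[0].line} via paint-under-js-interrupt"
```
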