Closed Bug 1652897 Opened 4 years ago Closed 4 years ago

Assertion failure: aPos && !HasAnyStateBits(NS_FRAME_IS_DIRTY), at src/layout/generic/nsIFrame.cpp:8635

Categories

(Core :: Layout, defect)

Tracking

VERIFIED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- verified

People

(Reporter: tsmith, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Assertion failure: aPos && !HasAnyStateBits(NS_FRAME_IS_DIRTY), at src/layout/generic/nsIFrame.cpp:8635

#0 0x7fb5dd2a0583 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7fb5dd2a0583 in nsIFrame::PeekOffset(nsPeekOffsetStruct*) src/layout/generic/nsIFrame.cpp:8635:3
#2 0x7fb5dd22abbb in nsFrameSelection::PeekOffsetForCaretMove(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle, nsPoint const&) const src/layout/generic/nsFrameSelection.cpp:929:24
#3 0x7fb5dd22a08f in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:806:49
#4 0x7fb5da587323 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3300:24
#5 0x7fb5daf4d3ca in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SelectionBinding.cpp:1109:24
#6 0x7fb5db93b631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3219:13
#7 0x7fb5de775af1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:484:13
#8 0x7fb5de775369 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:576:12
#9 0x7fb5de776e2f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:639:10
#10 0x7fb5de76a38b in CallFromStack src/js/src/vm/Interpreter.cpp:643:10
#11 0x7fb5de76a38b in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3332:16
#12 0x7fb5de760a16 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:456:10
#13 0x7fb5de7752c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:611:13
#14 0x7fb5de776e2f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:639:10
#15 0x7fb5de77700f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:656:8
#16 0x7fb5de88ab67 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2846:10
#17 0x7fb5db1d410e in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:861:8
#18 0x7fb5da42b96a in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:784:12
#19 0x7fb5da516839 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:797:12
#20 0x7fb5da516839 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:62:13
#21 0x7fb5da39ce20 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:662:12
#22 0x7fb5da39c295 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:690:3
#23 0x7fb5da39c0c4 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:531:13
#24 0x7fb5d84c61d4 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:242:16
#25 0x7fb5d84c4048 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:495:24
#26 0x7fb5d84c2f0d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:394:15
#27 0x7fb5d84c3036 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:162:36
#28 0x7fb5d84cab96 in operator() src/xpcom/threads/TaskController.cpp:83:37
#29 0x7fb5d84cab96 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#30 0x7fb5d84de939 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#31 0x7fb5d84e431a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#32 0x7fb5d8de759f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#33 0x7fb5d8d56553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#34 0x7fb5d8d5646d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#35 0x7fb5d8d5646d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#36 0x7fb5dce34678 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#37 0x7fb5de632b83 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#38 0x7fb5d8de8367 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#39 0x7fb5d8d56553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#40 0x7fb5d8d5646d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#41 0x7fb5d8d5646d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#42 0x7fb5de632677 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#43 0x55c69aafafb8 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#44 0x55c69aafafb8 in main src/browser/app/nsBrowserApp.cpp:303:18
#45 0x7fb5f3afdb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#46 0x55c69aad8fa9 in _start (/home/worker/builds/m-c-20200713155948-fuzzing-debug/firefox-bin+0x16fa9)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/9MmPu2_yDGg6qwDz7lxlpw/index.html

Whiteboard: [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200714214702-d080e46635d3.
The bug appears to have been introduced in the following build range:
> Start: 7a138231bcdf9f223d26f40da5f29b53d9deffbc (20200710230542)
> End: af91f317d081edb4bd9059e4334ae0ddcfe79bb2 (20200710230726)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a138231bcdf9f223d26f40da5f29b53d9deffbc&tochange=af91f317d081edb4bd9059e4334ae0ddcfe79bb2
Flags: needinfo?(krosylight)
Regressed by: 1637624
Has Regression Range: --- → yes

It's https://phabricator.services.mozilla.com/D83092. Probably just uncovered by that assertion rather than a regression?

Flags: needinfo?(krosylight)

Well, sure, but if it can happen then we shouldn't assert it.

Set release status flags based on info from the regressing bug 1637624

Severity: -- → S3

I guess this really is a bug in <caption> processing, as the caption frame has NS_FRAME_FIRST_REFLOW | NS_FRAME_IS_DIRTY and they disappear when retrying with the second <caption> removed or a closing tag </table> added. (Edit: Ah no, the closing tag only changes the target frame but the dirtiness tag remains in the second caption.)

Not an expert here, do you have an idea why the frame remains dirty here?

Flags: needinfo?(emilio)

Not really, it seems there's a table layout bug when multiple captions are involved.

We should probably at least file it referencing this test-case, and paper over the bug for now as it was papered over before (unless you want to dig and fix it of course, that's also fine).

Flags: needinfo?(emilio)

Okay, I'll file one and revert the assertion to return NS_ERROR_UNEXPECTED as it did before.

See Also: → 1654362
Assignee: nobody → krosylight
Status: NEW → ASSIGNED
Attachment #9165443 - Attachment description: Bug 1652897 - Remove IS_DIRTY assertion as it can currently happen r=emilio → Bug 1652897 - Remove IS_DIRTY assertion as it currently happens r=emilio
Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/064d1e5fe3eb
Remove IS_DIRTY assertion as it currently happens r=emilio
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200723032025-de6e53cc7889.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.