Open Bug 1653009 Opened 4 years ago Updated 2 years ago

Assertion failure: aFrame->HasImageRequest() (why call me?), at /builds/worker/checkouts/gecko/layout/style/ImageLoader.cpp:306

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

Tracking Status
firefox80 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 2aa3b889d603 (built with --enable-debug --enable-fuzzing).

Assertion failure: aFrame->HasImageRequest() (why call me?), at /builds/worker/checkouts/gecko/layout/style/ImageLoader.cpp:306

OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::css::ImageLoader::DisassociateRequestFromFrame(imgIRequest*, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/style/ImageLoader.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|306|0x29
0|1|libxul.so|CompareLayers(nsStyleImageLayers const*, nsStyleImageLayers const*, std::function<void (imgRequestProxy*)> const&)|/builds/worker/fetches/clang/include/c++/7.4.0/bits/std_function.h|706|0x7
0|2|libxul.so|AddAndRemoveImageAssociations(mozilla::css::ImageLoader&, nsIFrame*, nsStyleImageLayers const*, nsStyleImageLayers const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|952|0x33
0|3|libxul.so|nsIFrame::DidSetComputedStyle(mozilla::ComputedStyle*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1193|0xe
0|4|libxul.so|nsIFrame::SetComputedStyle(mozilla::ComputedStyle*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|902|0xc
0|5|libxul.so|mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2755|0xb
0|6|libxul.so|mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|2801|0x15
0|7|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|3007|0x17
0|8|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|4197|0x1c
0|9|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1443|0xd
0|10|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|373|0xb
0|11|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|367|0x12
0|12|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|737|0x17
0|13|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|639|0x10
0|14|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|538|0x14
0|15|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|209|0x11
0|16|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|459|0xa
0|17|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|337|0x5
0|18|libxul.so|mozilla::TaskController::ProcessPendingMTTask()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|152|0x8
0|19|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|577|0xd
0|20|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|1234|0xe
0|21|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|513|0xc
0|22|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|87|0x7
0|23|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|334|0x17
0|24|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|309|0x8
0|25|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|137|0xd
0|26|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|913|0xe
0|27|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|237|0x5
0|28|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|334|0x17
0|29|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|309|0x8
0|30|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|744|0x5
0|31|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|56|0x11
0|32|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|303|0x20
0|33|libc.so.6||||0x21b97
0|34|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:2aa3b889d60386ac20e2a7ab7f315a742a2eea87|253|0x17
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200715215205-c4186bb32c30.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: d4c6cd2e13bb057eb4d5f8c579f440936bf17241 (20200715093718)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201219093321-fbdb6c91bd62) but not with tip (mozilla-central 20211217212339-2c242fa34cb6).
Failed to bisect testcase (End build crashes!):

Start: fbdb6c91bd6256415a54c5198fb1e3bff8dd7c64 (20201219093321)
End: 2c242fa34cb67de2705237bbf48254c5781b5c9d (20211217212339)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

It looks like bugmon may be having a difficult time reproducing this issue consistently.

Severity: normal → S3