Closed
Bug 1663740
Opened 4 years ago
Closed 3 years ago
Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3964
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
91 Branch
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker], [wptsync upstream])
Attachments
(2 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev fb9c01b719fa (built with --enable-debug).
Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3964
#0 0x7f9586781fd5 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f9586781fd5 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3961:9
#2 0x7f9586781173 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4203:7
#3 0x7f9586788256 in ConstructScrollableBlockWithConstructor /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4558:48
#4 0x7f9586788256 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4545:10
#5 0x7f9586785b7d in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
#6 0x7f958678abcc in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#7 0x7f958677c3d5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#8 0x7f958677d08a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
#9 0x7f95867861e1 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3762:9
#10 0x7f958678abcc in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#11 0x7f958677c3d5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#12 0x7f958677d08a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
#13 0x7f9586780926 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10483:3
#14 0x7f95867882ea in ConstructScrollableBlockWithConstructor /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4572:3
#15 0x7f95867882ea in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4545:10
#16 0x7f9586785b7d in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
#17 0x7f958678abcc in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#18 0x7f958677c3d5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#19 0x7f958678ee62 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7193:3
#20 0x7f9586758ae4 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1484:25
#21 0x7f958675f63a in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3037:9
#22 0x7f9586739ce8 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3116:3
#23 0x7f9586739ce8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4196:39
#24 0x7f9583be056b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1412:5
#25 0x7f9583be056b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10092:16
#26 0x7f95832165fd in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:702:14
#27 0x7f9583217838 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#28 0x7f958321808c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#29 0x7f9581f45f16 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
#30 0x7f9581f47413 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
#31 0x7f9583be34af in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10825:18
#32 0x7f9583bc23f0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10755:9
#33 0x7f958669e8c6 in UnblockOnload /builds/worker/checkouts/gecko/layout/style/Loader.cpp:2251:16
#34 0x7f958669e8c6 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:450:12
#35 0x7f958669ea9c in AfterProcessNextEvent /builds/worker/checkouts/gecko/layout/style/Loader.cpp:423:3
#36 0x7f958669ea9c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/layout/style/Loader.cpp
#37 0x7f9581dcfa68 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1266:3
#38 0x7f9581dd517a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#39 0x7f95826fe96f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#40 0x7f958266f8e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#41 0x7f958266f7fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#42 0x7f958266f7fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#43 0x7f9586475548 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#44 0x7f9587c9fac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#45 0x7f95826ff737 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#46 0x7f958266f8e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#47 0x7f958266f7fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#48 0x7f958266f7fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#49 0x7f9587c9f69c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#50 0x55589a98309f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#51 0x55589a98309f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#52 0x7f95964390b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#53 0x55589a9610a9 in _start (/home/worker/builds/m-c-20200823093112-fuzzing-debug/firefox-bin+0x170a9)
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200908215255-dc90a7a18c07.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 80ac8d8c74d53bba7cac84f38951e6e9c5efc5e5 (20200908030802)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
||
Comment 2•4 years ago
|
||
Attachment #9174458 -
Attachment is obsolete: true
|
|
||
Comment 3•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/e6LUXXia8WGn1KLNMjQoWw/index.html
|
|
||
Comment 4•4 years ago
|
||
sean, this issue is frequently hit by the fuzzers. Is there someone available to have a look?
Flags: needinfo?(svoisen)
|
||
Comment 6•3 years ago
•
|
||
The assertion that's failing here is https://searchfox.org/mozilla-central/rev/c03e8de87cdb0ce0378c0886d3c0ce8bbf9dc44e/layout/base/nsCSSFrameConstructor.cpp#3957-3962
which was added in bug 1554571.
emilio, looks like you reviewed that change, so you might be in a good position to reason about this. Perhaps you could take a look at some point?
Depends on: 1554571
Flags: needinfo?(dholbert) → needinfo?(emilio)
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 7•3 years ago
|
||
Marking as fuzzblocker. Please prioritize accordingly.
status-firefox91:
--- → affected
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
|
Assignee | |
Comment 8•3 years ago
|
||
Moving to the top of the queue per comment 7.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 9•3 years ago
|
||
Otherwise we assert due to the styles being different from the cached
ones, but it doesn't matter as these don't influence Gecko scrollbars.
|
||
Updated•3 years ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
||
Comment 10•3 years ago
|
||
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/05b3135ed0f5 Specify has_no_effect_on_gecko_scrollbars on inherited internal properties. r=boris
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/29328 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker], [wptsync upstream]
|
||
Comment 12•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
|
||
Comment 13•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210610215038-8508c35e4979.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
|
||
Comment 15•3 years ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
||
Updated•3 years ago
|
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 17•2 years ago
|
||
:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•2 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•