Open
Bug 1673639
Opened 3 years ago
Updated 1 year ago
Assertion failure: clipFrame == aFrame->PresShell()->GetRootScrollFrame(), at /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:750
Categories
(Core :: Graphics: Layers, defect, P3)
Core
Graphics: Layers
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox84 | --- | disabled |
| firefox85 | --- | disabled |
| firefox86 | --- | disabled |
| firefox87 | --- | fix-optional |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
552 bytes,
text/html
|
Details |
Testcase found while fuzzing mozzila-central rev e88890094825 (built with --enable-debug).
Assertion failure: clipFrame == aFrame->PresShell()->GetRootScrollFrame(), at /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:750
==3834185==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f59b1fc3d4c bp 0x7ffe9bb6bf70 sp 0x7ffe9bb6bb70 T3834185)
==3834185==The signal is caused by a WRITE memory access.
==3834185==Hint: address points to the zero page.
#0 0x7f59b1fc3d4c in GetPartialPrerenderData /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:750:7
#1 0x7f59b1fc3d4c in CreateAnimationData /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:829:33
#2 0x7f59b1fc3d4c in mozilla::layers::AnimationInfo::AddAnimationsForDisplayItem(nsIFrame*, nsDisplayListBuilder*, nsDisplayItem*, DisplayItemType, mozilla::layers::LayerManager*, mozilla::Maybe<mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> > const&) /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:965:7
#3 0x7f59b5752578 in nsDisplayListBuilder::AddAnimationsAndTransitionsToLayer(mozilla::layers::Layer*, nsDisplayListBuilder*, nsDisplayItem*, nsIFrame*, DisplayItemType) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:369:17
#4 0x7f59b5779bf4 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8126:5
#5 0x7f59b571c28f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4890:41
#6 0x7f59b5724909 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6309:9
#7 0x7f59b577cb91 in nsDisplayPerspective::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8669:36
#8 0x7f59b571c28f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4890:41
#9 0x7f59b5724909 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6309:9
#10 0x7f59b5770329 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6320:36
#11 0x7f59b571c28f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4890:41
#12 0x7f59b5724909 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6309:9
#13 0x7f59b5770329 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6320:36
#14 0x7f59b577261f in nsDisplayFixedPosition::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6621:26
#15 0x7f59b571c28f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4890:41
#16 0x7f59b5724909 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6309:9
#17 0x7f59b5770329 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6320:36
#18 0x7f59b5774efa in nsDisplayAsyncZoom::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7297:26
#19 0x7f59b571c28f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4890:41
#20 0x7f59b5724909 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6309:9
#21 0x7f59b575a987 in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2321:28
#22 0x7f59b575ba86 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2536:9
#23 0x7f59b53c7d75 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3464:13
#24 0x7f59b534569c in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6348:5
#25 0x7f59b501a12f in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
#26 0x7f59b5019c23 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
#27 0x7f59b501b58f in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
#28 0x7f59b5305581 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2369:11
#29 0x7f59b530c931 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#30 0x7f59b530c931 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#31 0x7f59b530c81c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#32 0x7f59b530bdc8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
#33 0x7f59b530bdc8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
#34 0x7f59b530b6d0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
#35 0x7f59b530b149 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
#36 0x7f59b56c88b7 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#37 0x7f59b19acd65 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#38 0x7f59b17633ed in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6080:32
#39 0x7f59b142b93e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
#40 0x7f59b14280ff in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
#41 0x7f59b1429506 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
#42 0x7f59b142a12b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
#43 0x7f59b0b2775f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:245:16
#44 0x7f59b0b24bba in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:515:26
#45 0x7f59b0b23a94 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:15
#46 0x7f59b0b23c47 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:171:36
#47 0x7f59b0b2aea9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:88:37
#48 0x7f59b0b2aea9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#49 0x7f59b0b3ce9f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#50 0x7f59b0b4295a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#51 0x7f59b1431144 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#52 0x7f59b13a3913 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#53 0x7f59b13a382d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#54 0x7f59b13a382d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#55 0x7f59b505fde8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#56 0x7f59b68521e3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#57 0x7f59b1431f59 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#58 0x7f59b13a3913 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#59 0x7f59b13a382d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#60 0x7f59b13a382d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#61 0x7f59b6851dc8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#62 0x5570e167a917 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#63 0x5570e167a917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#64 0x7f59c53e80b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#65 0x5570e16586c9 in _start (/home/worker/builds/m-c-20201008094950-fuzzing-debug/firefox-bin+0x176c9)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/checkouts/gecko/gfx/layers/AnimationInfo.cpp:750:7 in GetPartialPrerenderData
==3834185==ABORTING
Flags: in-testsuite?
|
Reporter | |
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201027095021-3d6ed9f4cf34.
The bug appears to have been introduced in the following build range:
Start: c36cad76a78d33eb219513bf2117c1d72c6e1d65 (20200923060823)
End: 0a92348ed33532d65fffbfd9a8028220c2e5fc06 (20200923064020)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c36cad76a78d33eb219513bf2117c1d72c6e1d65&tochange=0a92348ed33532d65fffbfd9a8028220c2e5fc06
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•2 years ago
|
Severity: normal → S3
status-firefox85:
--- → wontfix
status-firefox86:
--- → affected
Priority: -- → P3
Regressed by: 1659227
|
||
Updated•2 years ago
|
Has Regression Range: --- → yes
|
||
Updated•2 years ago
|
Keywords: regression
|
||
Comment 4•2 years ago
|
||
Yep, but the feature, partial pre-render, causing this assertion hasn't been enabled on beta/release channels yet.
status-firefox87:
--- → fix-optional
Flags: needinfo?(hikezoe.birchill)
|
||
Comment 5•1 year ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210327094311-2c4ad7073241) but not with tip (mozilla-central 20220325214737-2b624fdb002e.)
The bug appears to have been fixed in the following build range:
Start: 5e326057f05d47527e65905389618288ed2a0f51 (20220323032613)
End: 0ab8d1869fbfc43f80fe8c5f4d00fed88845d2e6 (20220323034111)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5e326057f05d47527e65905389618288ed2a0f51&tochange=0ab8d1869fbfc43f80fe8c5f4d00fed88845d2e6
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•