Closed Bug 1695957 Opened 4 years ago Closed 3 years ago

crash near null in [@ mozilla::layers::ClipManager::PopOverrideForASR]

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- fixed
firefox86 --- unaffected
firefox87 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- fixed

People

(Reporter: tsmith, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete) —

First seen fuzzing m-c 20210301-40bd5bbe396c. Requires fission.

==21994==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f9311461d9f bp 0x7ffdeb90d670 sp 0x7ffdeb90d650 T0)
==21994==The signal is caused by a READ memory access.
==21994==Hint: address points to the zero page.
    #0 0x7f9311461d9f in std::deque<mozilla::wr::WrSpatialId, std::allocator<mozilla::wr::WrSpatialId> >::pop_back() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_deque.h
    #1 0x7f931143d7ae in pop /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_stack.h:261:4
    #2 0x7f931143d7ae in mozilla::layers::ClipManager::PopOverrideForASR(mozilla::ActiveScrolledRoot const*) /gecko/gfx/layers/wr/ClipManager.cpp:117:14
    #3 0x7f931143d5a8 in mozilla::layers::ClipManager::EndList(mozilla::layers::StackingContextHelper const&) /gecko/gfx/layers/wr/ClipManager.cpp:81:7
    #4 0x7f93114ade19 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1874:16
    #5 0x7f931730b26f in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:8021:30
    #6 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #7 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #8 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #9 0x7f93173181b5 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9547:25
    #10 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #11 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #12 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #13 0x7f93173181b5 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9547:25
    #14 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #15 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #16 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #17 0x7f93173181b5 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9547:25
    #18 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #19 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #20 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #21 0x7f93173181b5 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9547:25
    #22 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #23 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #24 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #25 0x7f93173181b5 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9547:25
    #26 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #27 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #28 0x7f93172f5de3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5587:30
    #29 0x7f93172fc308 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:6336:22
    #30 0x7f93114aef5b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1677:41
    #31 0x7f93114ad281 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1800:7
    #32 0x7f93114aba3f in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1597:5
    #33 0x7f93114c6289 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*) /gecko/gfx/layers/wr/WebRenderLayerManager.cpp:372:30
    #34 0x7f93172d47a9 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /gecko/layout/painting/nsDisplayList.cpp:2457:18
    #35 0x7f9316bf3e5e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:3463:13
    #36 0x7f9316b0a221 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /gecko/layout/base/PresShell.cpp:6400:5
    #37 0x7f931650bef5 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /gecko/view/nsViewManager.cpp:459:18
    #38 0x7f931650b60f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /gecko/view/nsViewManager.cpp:394:22
    #39 0x7f931650d50c in nsViewManager::ProcessPendingUpdates() /gecko/view/nsViewManager.cpp:972:5
    #40 0x7f9316a897e3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2375:11
    #41 0x7f9316a947d5 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:357:13
    #42 0x7f9316a947d5 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:336:7
    #43 0x7f9316a94541 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:351:5
    #44 0x7f9316a93991 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:799:5
    #45 0x7f9316a93991 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:722:16
    #46 0x7f9316a92f4f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:624:7
    #47 0x7f9316a926d1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:545:9
    #48 0x7f9315ca06c7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
    #49 0x7f93107ae3cc in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #50 0x7f93103a5482 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6243:32
    #51 0x7f930fe39bea in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
    #52 0x7f930fe3624e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
    #53 0x7f930fe37c08 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
    #54 0x7f930fe3876b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
    #55 0x7f930ec01036 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
    #56 0x7f930ebfdbf3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
    #57 0x7f930ebfbac7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
    #58 0x7f930ebfbf1d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
    #59 0x7f930ec08671 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
    #60 0x7f930ec08671 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #61 0x7f930ec239c4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1158:16
    #62 0x7f930ec2d91c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #63 0x7f930fe413ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #64 0x7f930fd4b841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #65 0x7f930fd4b841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #66 0x7f930fd4b841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #67 0x7f93165c8c37 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #68 0x7f931a089b1f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #69 0x7f930fd4b841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #70 0x7f930fd4b841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #71 0x7f930fd4b841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #72 0x7f931a0892af in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #73 0x55b15c4fb9fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #74 0x55b15c4fbe21 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #75 0x7f932eb120b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #76 0x55b15c44f399 in _start (/home/worker/builds/m-c-20210302034602-fuzzing-asan-opt/firefox+0x5a399)
Flags: in-testsuite?
Attached file prefs.js —
Attached file testcase.html —
Attachment #9206394 - Attachment is obsolete: true
Keywords: bugmon

A Pernosco session is available here: https://pernos.co/debug/oYbD8bB0Qsvhtd0WF3mYTA/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210303041649-c45b1e6bcd01.
The bug appears to have been introduced in the following build range:

Start: aafff593562887152fdabcd62ff55dd23630bf4e (20210207100438)
End: 64ddd35a8fc03a079aa5ae81617a33b720399276 (20210207100838)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aafff593562887152fdabcd62ff55dd23630bf4e&tochange=64ddd35a8fc03a079aa5ae81617a33b720399276

Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(tnikkel)
Regressed by: 1675547
Has Regression Range: --- → yes

Interesting. Thanks for the bisect and needinfo.

Set release status flags based on info from the regressing bug 1675547

Are the stack and Pernosco session from an opt build? Because I get a fatal assert before the stack here when running on Windows (but not mac or linux) that would explain how we end up there.

Flags: needinfo?(twsmith)

I used a -O0 ASan build for the Pernosco session. It was reported by the fuzzers also running non-debug builds. In both cases running on Linux.

Flags: needinfo?(twsmith)

I guess the thing I'm interested in is if --enable-debug was enabled for the stack in comment 0 and the pernosco session as that is what determines if assertions are enabled.

In both cases, no, --enable-debug was not used.

Okay thanks, that explains what I'm seeing then.

We're hitting this assert

https://searchfox.org/mozilla-central/rev/237a7450b7a34a2c76b4aee0a859f222f0fb998e/layout/painting/nsDisplayList.h#282

which has an open fuzz bug filed for it, so I'm guessing we ignore that assert when we fuzz debug builds. So the clips are not in an expected configuration and then later the webrender clip manager gets confused as a result.

I bet it's not too hard to hit that assert when fuzzing debug builds, and I'm guessing it would be even easier if you used the prefs apz.wr.activate_all_scroll_frames and apz.nonwr.activate_all_scroll_frames when fuzzing.

(In reply to Timothy Nikkel (:tnikkel) from comment #12)
> I bet it's not too hard to hit that assert when fuzzing debug builds, and I'm guessing it would be even easier if you used the prefs apz.wr.activate_all_scroll_frames and apz.nonwr.activate_all_scroll_frames when fuzzing.

Should these prefs be added to prefpicker? This is what we use to generate prefs.js files when fuzzing.

Flags: needinfo?(tnikkel)

Oops sorry, didn't mean to remove your ni?.

Flags: needinfo?(tnikkel)

(In reply to Tyson Smith [:tsmith] from comment #13)
> (In reply to Timothy Nikkel (:tnikkel) from comment #12)
> > I bet it's not too hard to hit that assert when fuzzing debug builds, and I'm guessing it would be even easier if you used the prefs apz.wr.activate_all_scroll_frames and apz.nonwr.activate_all_scroll_frames when fuzzing.
>
> Should these prefs be added to prefpicker? This is what we use to generate prefs.js files when fuzzing.

prefpicker is the fuzzer's list of prefs that it toggles on/off and tests in both the on/off state some of the time? Then yes.

We hit this assert

https://searchfox.org/mozilla-central/rev/237a7450b7a34a2c76b4aee0a859f222f0fb998e/layout/painting/nsDisplayList.h#282

with a stack
#01: nsDisplayListBuilder::CreateClipChainIntersection
#02: nsDisplayItem::nsDisplayItem
#03: nsDisplayCompositorHitTestInfo* MakeDisplayItemWithIndex<nsDisplayCompositorHitTestInfo, nsIFrame>
#04: nsDisplayListBuilder::BuildCompositorHitTestInfoIfNeeded
#05: nsIFrame::DisplayBackgroundUnconditional
#06: nsIFrame::DisplayBorderBackgroundOutline
#07: nsBlockFrame::BuildDisplayList

The frame tree is approximately like this:
htmlscroll(html)
canvas(html)
block(html)
htmlscroll(body)
...
htmlscroll(marque)
...
placeholder(dialog)
absolutelist for block(html)
htmlscroll(dialog)
...

And everything has a css mask so we hit this code

https://searchfox.org/mozilla-central/rev/ddd065ed26206d7ded61a4e5a35abb0cd6dbd9bc/layout/generic/nsIFrame.cpp#3388

and the clip chain has a content clip for most of these elements. So that when we are creating a nsDisplayCompositorHitTestInfo inside htmlscroll(dialog) (the stack above) the content clip chain has ASRs: htmlscroll(marque), htmlscroll(body), htmlscroll(html). The containing block clip chain has ASRs: htmlscroll(dialog), htmlscroll(html). We try to combine these clips into the combined clip chain in CreateClipChainIntersection but we can't because they do not have an ancestor-descendant relation in either direction.

Is there anything we can do differently with these mask induced content clips that cause us a lot of problems? Or some other solution?

We activate all scroll frames that want it with fission these days, so this type of problem might become more common.

Flags: needinfo?(mstange.moz)
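An added illustrative model, not Gecko's code, of the clip-chain intersection the comment above describes: the ASR names follow the frame tree from the comment, and the types and functions (Asr, ClipChain, IntersectClipChains) are hypothetical stand-ins for the check in CreateClipChainIntersection that the two chains' ASRs stand in an ancestor-descendant relation.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// An ActiveScrolledRoot (ASR) stands for one scroll frame; parent pointers
// form the tree and the root, htmlscroll(html), has none.
struct Asr { std::string name; const Asr* parent; };
// One clip scoped to an ASR. A clip chain lists clips from the innermost ASR
// outward, so each entry's ASR is an ancestor of (or equal to) the previous.
struct ClipEntry { std::string clip; const Asr* asr; };
using ClipChain = std::vector<ClipEntry>;
// True if `a` is `b` itself or an ancestor of `b`.
bool IsAncestorOrSame(const Asr* a, const Asr* b) {
  for (const Asr* cur = b; cur != nullptr; cur = cur->parent) {
    if (cur == a) return true;
  }
  return false;
}

// Merge two clip chains innermost-first into `out`. Returns false when the
// heads of the chains sit on different branches of the ASR tree: no single
// chain can order both, the situation the comment describes for
// CreateClipChainIntersection (hypothetical model, not Gecko's logic).
bool IntersectClipChains(const ClipChain& a, const ClipChain& b,
                         ClipChain& out) {
  out.clear();
  std::size_t i = 0, j = 0;
  while (i < a.size() && j < b.size()) {
    const Asr* x = a[i].asr;
    const Asr* y = b[j].asr;
    const bool xInner = IsAncestorOrSame(y, x);  // y is x or above x
    const bool yInner = IsAncestorOrSame(x, y);  // x is y or above y
    if (!xInner && !yInner) {
      return false;  // unrelated ASRs: the chains cannot be intersected
    }
    // Emit the inner entry; equal ASRs take a's clip now and b's next round.
    if (xInner) {
      out.push_back(a[i++]);
    } else {
      out.push_back(b[j++]);
    }
  }
  while (i < a.size()) out.push_back(a[i++]);
  while (j < b.size()) out.push_back(b[j++]);
  return true;
}
// Frame tree from the comment: html > body > marque, while dialog is placed
// out of flow under html's absolute list, so htmlscroll(dialog) is a sibling
// branch of body rather than a descendant of marque.
const Asr kHtml{"htmlscroll(html)", nullptr};
const Asr kBody{"htmlscroll(body)", &kHtml};
const Asr kMarque{"htmlscroll(marque)", &kBody};
const Asr kDialog{"htmlscroll(dialog)", &kHtml};

// The bug's configuration for an item inside htmlscroll(dialog): the
// mask-induced content clip chain has ASRs marque, body, html; the
// containing-block clip chain has dialog, html. Returns false because
// marque and dialog are unrelated.
bool PageCaseIntersects() {
  ClipChain content{{"mask-clip", &kMarque}, {"mask-clip", &kBody},
                    {"mask-clip", &kHtml}};
  ClipChain containingBlock{{"cb-clip", &kDialog}, {"cb-clip", &kHtml}};
  ClipChain merged;
  return IntersectClipChains(content, containingBlock, merged);
}

// A well-formed configuration for contrast: an item inside body with chains
// [body, html] and [html] merges into a 3-entry chain.
std::size_t WellFormedCaseLength() {
  ClipChain a{{"mask-clip", &kBody}, {"mask-clip", &kHtml}};
  ClipChain b{{"cb-clip", &kHtml}};
  ClipChain merged;
  return IntersectClipChains(a, b, merged) ? merged.size() : 0;
}
```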

Maybe we could mark these mask content clips and then clear them when we go through a placeholder? Does that even make sense or does it break the purpose of them?

Crash Signature: [@ core::option::expect_failed | webrender::spatial_tree::SpatialTree::get_relative_transform] [@ core::option::expect_failed | webrender::spatial_tree::SpatialTree::get_relative_transform_with_face]

There are many more crashes in nightly than beta with these signatures, I guess this work is behind a pref?


Fission makes us activate all scroll frames which makes this much more likely to happen.

Would be nice to get a fix for this that we can uplift to 88 still since we're running Fission experiments there this cycle and I expect we'll see the volume go up.

I don't think there is any fix for this bug imminent, never mind an upliftable one.

See Also: → 1700812

I came here from https://crash-stats.mozilla.org/report/index/e7a48882-51e2-4d44-bdfb-11c0e0210326#tab-bugzilla. My steps to reproduce on latest Nightly macOS are a bit weird, but maybe they help:

  1. Visit https://arstechnica.com/gadgets/2009/09/retrospect-and-prospect-ten-years-of-risc-vs-cisc/ on Firefox on your iPhone.
  2. Use Handoff on macOS to open the link in Nightly.
  3. Click the "Show purposes" button on the cookie banner.

Reproduces reliably. If I do not use Handoff I cannot reproduce.

Because it's on arstechnica I would guess it is more likely bug 1701361.

Flags: needinfo?(tnikkel)

[Tracking Requested - why for this release]:

I don't think the testcase in this bug even triggers a get_relative_transform crash (I just checked with any asserts that might happen before that point disabled, it does not). This bug got tagged with those crashes because bug 1649668 was marked as a duplicate of this bug, however that action has since been undone.

I suggest tracking bug 1649668 and/or bug 1701361 if you are interested in tracking the get_relative_transform crashes. I'm resetting the tracking on this bug to ? so you can clear it if you agree, and I'm setting tracking on those bugs so you can decide there.

And I'm removing that crash signature from this bug.

Crash Signature: [@ core::option::expect_failed | webrender::spatial_tree::SpatialTree::get_relative_transform] [@ core::option::expect_failed | webrender::spatial_tree::SpatialTree::get_relative_transform_with_face]
Severity: -- → S4
Priority: -- → P3

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 57328f12e67aafad12fd1f062fddf48b41120a4f (20210614004220)
End: 47b4452c0a6025476db68b16a2448b5752ce7562 (20210614012620)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=57328f12e67aafad12fd1f062fddf48b41120a4f&tochange=47b4452c0a6025476db68b16a2448b5752ce7562
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Assignee: nobody → mats
Status: NEW → RESOLVED
Closed: 3 years ago
Depends on: 1542807
Flags: needinfo?(mstange.moz)
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

I wouldn't trust those bisection ranges from the fuzzer, I've seen many of them in recent days that make no sense.
