Closed Bug 1712228 Opened 3 years ago Closed 11 months ago

Hit MOZ_CRASH(Item found was in the wrong list! type 282 (outer type was 263 at depth 1, now is 0)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2380

Categories

(Core :: Web Painting, defect)

RESOLVED WORKSFORME
Tracking Status
firefox90 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210507-950445712e58 (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(Item found was in the wrong list! type 282 (outer type was 263 at depth 1, now is 0)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2380

#0 0x7f106a7e362d in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f106a7e362d in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2377:7
#2 0x7f106a7e362d in MergeState::HasMatchingItemInOldList(nsDisplayItem*, Index<OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:604:16
#3 0x7f106a780e79 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:427:9
#4 0x7f106a780a12 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:812:31
#5 0x7f106a783782 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1473:7
#6 0x7f106a40f712 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3380:40
#7 0x7f106a389297 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6402:5
#8 0x7f106a039551 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:459:18
#9 0x7f106a03906b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:394:22
#10 0x7f106a03a5df in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:972:5
#11 0x7f106a348075 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2431:11
#12 0x7f106a355d1d in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1521:25
#13 0x7f106a355d1d in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#14 0x7f1065a351ee in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
#15 0x7f1065a12e29 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
#16 0x7f1065a11d84 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
#17 0x7f1065a11f13 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
#18 0x7f1065a389e6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
#19 0x7f1065a389e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#20 0x7f1065a2496f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#21 0x7f1065a2b59a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#22 0x7f106630d5c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#23 0x7f1066275c37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#24 0x7f1066275b52 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#25 0x7f1066275b52 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#26 0x7f106a082a08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#27 0x7f106ba27b53 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
#28 0x7f106630e4ba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#29 0x7f1066275c37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#30 0x7f1066275b52 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#31 0x7f1066275b52 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#32 0x7f106ba2776e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#33 0x559bd6bc0b26 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#34 0x559bd6bc0b26 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
#35 0x7f107ae990b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#36 0x559bd6b9d92c in _start (/home/user/workspace/browsers/m-c-20210520095745-fuzzing-debug/firefox-bin+0x1592c)
Severity: -- → S2
Flags: in-testsuite?

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210520095745-45c659bd4922
mozilla-central 20210507214625-950445712e58
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirmed]

Doesn't seem to reproduce locally for me, perhaps I need a prefs.js file with a change to some fullscreen pref I can't find? The full screen request is auto-denied despite enabling the fullscreen pref I can find in about:config.

Attached file prefs.js

I am able to reproduce the issue on some but not all of my setups. Unfortunately I can't get it to reproduce under rr to get a Pernosco session. I'll keep trying.

I reproduced after a few tries with those prefs, thanks.

Severity: S2 → S3

Are you able to reproduce this anymore?

I just tried and failed.

Flags: needinfo?(twsmith)

I am unable to reproduce the issue with the attached test case and the fuzzers are no longer reporting the issue.

Status: NEW → RESOLVED
Closed: 11 months ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME