1713880 - Assertion failure: aBuilder->IsForEventDelivery(), at src/layout/painting/nsDisplayList.h:4849

Status: VERIFIED FIXED

(Core :: Web Painting, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210525-8f1b67bbc5af (--enable-debug --enable-fuzzing)

Assertion failure: aBuilder->IsForEventDelivery(), at src/layout/painting/nsDisplayList.h:4849

#0 0x7fbe9e7c8728 in nsDisplayBackgroundColor::nsDisplayBackgroundColor(nsDisplayListBuilder*, nsIFrame*, nsRect const&, mozilla::ComputedStyle const*, unsigned int const&) src/layout/painting/nsDisplayList.h:4849:7
#1 0x7fbe9e7c83f2 in nsDisplayBackgroundColor* MakeDisplayItemWithIndex<nsDisplayBackgroundColor, nsIFrame, nsRect&, mozilla::ComputedStyle*&, unsigned int&>(nsDisplayListBuilder*, nsIFrame*, unsigned short, nsRect&, mozilla::ComputedStyle*&, unsigned int&) src/layout/painting/nsDisplayList.h:2143:28
#2 0x7fbe9e795ad0 in MakeDisplayItem<nsDisplayBackgroundColor, nsIFrame, nsRect &, mozilla::ComputedStyle *&, unsigned int &> src/layout/painting/nsDisplayList.h:2186:10
#3 0x7fbe9e795ad0 in CreateBackgroundColor src/layout/painting/nsDisplayList.cpp:3616:10
#4 0x7fbe9e795ad0 in nsDisplayBackgroundImage::AppendBackgroundItemsToTop(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayList*, bool, mozilla::ComputedStyle*, nsRect const&, nsIFrame*, mozilla::Maybe<nsDisplayListBuilder::AutoBuildingDisplayList>*) src/layout/painting/nsDisplayList.cpp:3723:40
#5 0x7fbe9e515fb4 in nsIFrame::DisplayBackgroundUnconditional(nsDisplayListBuilder*, nsDisplayListSet const&, bool) src/layout/generic/nsIFrame.cpp:2568:14
#6 0x7fbe9e4850ef in nsIFrame::DisplayBorderBackgroundOutline(nsDisplayListBuilder*, nsDisplayListSet const&, bool) src/layout/generic/nsIFrame.cpp:2595:7
#7 0x7fbe9e46bfb3 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:6952:3
#8 0x7fbe9e518443 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3420:5
#9 0x7fbe9e4868ef in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4231:12
#10 0x7fbe9e4777a8 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:641:5
#11 0x7fbe9e486bb7 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4264:14
#12 0x7fbe9e4d82c2 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3951:15
#13 0x7fbe9e486bb7 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4264:14
#14 0x7fbe9e4472ac in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:3
#15 0x7fbe9e518443 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3420:5
#16 0x7fbe9e3f00ad in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3407:17
#17 0x7fbe9e369ba7 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6402:5
#18 0x7fbe9e019921 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:459:18
#19 0x7fbe9e01943b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:394:22
#20 0x7fbe9e01a9af in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:972:5
#21 0x7fbe9e328985 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2431:11
#22 0x7fbe9e32fc7a in TickDriver src/layout/base/nsRefreshDriver.cpp:346:13
#23 0x7fbe9e32fc7a in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:324:7
#24 0x7fbe9e32fb93 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:340:5
#25 0x7fbe9e32fa60 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:773:5
#26 0x7fbe9e32f0c8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:702:16
#27 0x7fbe9e32e9ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:615:7
#28 0x7fbe9e32e429 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:536:9
#29 0x7fbe9db46a66 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#30 0x7fbe9a88a490 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#31 0x7fbe9a65a39c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#32 0x7fbe9a2dfe11 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2155:25
#33 0x7fbe9a2dc1c1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2079:9
#34 0x7fbe9a2dd6fd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1924:3
#35 0x7fbe9a2de47b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1955:13
#36 0x7fbe99a0bdae in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#37 0x7fbe999e99d9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:766:26
#38 0x7fbe999e8934 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:621:15
#39 0x7fbe999e8ac3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#40 0x7fbe99a0f5a6 in operator() src/xpcom/threads/TaskController.cpp:138:37
#41 0x7fbe99a0f5a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#42 0x7fbe999fb52f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#43 0x7fbe99a0215a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#44 0x7fbe9a2e5726 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#45 0x7fbe9a24db67 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#46 0x7fbe9a24da82 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#47 0x7fbe9a24da82 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#48 0x7fbe9e062e58 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#49 0x7fbe9fa0b193 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#50 0x7fbe9a2e661a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#51 0x7fbe9a24db67 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#52 0x7fbe9a24da82 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#53 0x7fbe9a24da82 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#54 0x7fbe9fa0adae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:34
#55 0x55e70a772c56 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x55e70a772c56 in main src/browser/app/nsBrowserApp.cpp:313:18
#57 0x7fbeafbfe0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#58 0x55e70a74fa5c in _start (/home/worker/builds/m-c-20210525093431-fuzzing-debug/firefox-bin+0x15a5c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/SLgZLSEMAegDPAsNCL2LHw/index.html

Comment 2

[Hiroyuki Ikezoe (:hiro)]

I am pretty sure this was regressed by bug 1699890.

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210601213358-83f4bfe5ea71.
The bug appears to have been introduced in the following build range:

Start: 8bee937821e3725b922352a0493f53b5e431c3d0 (20210524213758)
End: 38bfba07a1aca3de3dbf3183e16a9dca26c65c54 (20210525020049)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8bee937821e3725b922352a0493f53b5e431c3d0&tochange=38bfba07a1aca3de3dbf3183e16a9dca26c65c54

Comment 4

[Julien Cristau [:jcristau]]

Is there a user impact here besides the assertion in debug builds?

Comment 6

[Christian Holler (:decoder)]

:tnikkel since you set severity/priority, can you answer the question in comment 4? It would be good to have the question of impact/effect of assertions documented in the bug. Thanks!

Comment 7

[Timothy Nikkel (:tnikkel)]

After a quick look it seems the impact to users would be minor or none.

Comment 8

[Tyson Smith [:tsmith]]

This issue is currently the second most reported issue by the browser fuzzers. It has been reported over 16,000 times.

How much effort would be required to fix this issue?
Is this assertion adding value? Can it be removed or lowered to a non-fatal assertion?

Comment 9

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1713880. Don't create a background color item if the frame is themed because we will never draw it even if there is a compositor animation of bg color. r?hiro

Comment 10

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2f89d9558ce9
Don't create a background color item if the frame is themed because we will never draw it even if there is a compositor animation of bg color. r=hiro

Comment 11

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/2f89d9558ce9

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230117161302-455aa95a34de.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.