Open Bug 1714701 Opened 3 years ago Updated 2 years ago

Assertion failure: !aPrevFrame || ... (aPrevFrame must be the last continuation in its chain!), at src/layout/base/nsFrameManager.cpp:82

Categories

(Core :: Layout, defect)


Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- affected
firefox90 --- wontfix
firefox91 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- affected
firefox106 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20210602-2d291a99004d (--enable-debug --enable-fuzzing)

Assertion failure: !aPrevFrame || (!aPrevFrame->GetNextContinuation() || (aPrevFrame->GetNextContinuation()->HasAnyStateBits( NS_FRAME_IS_OVERFLOW_CONTAINER) && !aPrevFrame->HasAnyStateBits(NS_FRAME_IS_OVERFLOW_CONTAINER))) (aPrevFrame must be the last continuation in its chain!), at src/layout/base/nsFrameManager.cpp:82

#0 0x7f4e5a3417cf in nsFrameManager::InsertFrames(nsContainerFrame*, mozilla::layout::FrameChildListID, nsIFrame*, nsFrameList&) src/layout/base/nsFrameManager.cpp:76:3
#1 0x7f4e5a340448 in nsFrameConstructorState::ProcessFrameInsertions(mozilla::AbsoluteFrameList&, mozilla::layout::FrameChildListID) src/layout/base/nsCSSFrameConstructor.cpp:1291:22
#2 0x7f4e5a33fcc6 in ProcessFrameInsertionsForAllLists src/layout/base/nsCSSFrameConstructor.cpp:887:3
#3 0x7f4e5a33fcc6 in nsFrameConstructorState::~nsFrameConstructorState() src/layout/base/nsCSSFrameConstructor.cpp:878:3
#4 0x7f4e5a358643 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7242:1
#5 0x7f4e5a31c044 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1503:25
#6 0x7f4e5a322b9a in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3048:9
#7 0x7f4e5a2fcaa5 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3127:3
#8 0x7f4e5a2fcaa5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4191:39
#9 0x7f4e5a2c5399 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2295:22
#10 0x7f4e5a2cd5ea in TickDriver src/layout/base/nsRefreshDriver.cpp:348:13
#11 0x7f4e5a2cd5ea in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:326:7
#12 0x7f4e5a2cd503 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:342:5
#13 0x7f4e5a2cd3d0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:775:5
#14 0x7f4e5a2cca38 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:704:16
#15 0x7f4e5a2cc320 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:617:7
#16 0x7f4e5a2cbd99 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:538:9
#17 0x7f4e59ae1406 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#18 0x7f4e5680a710 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#19 0x7f4e565d626c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6061:32
#20 0x7f4e5625ada1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2155:25
#21 0x7f4e56257151 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2079:9
#22 0x7f4e5625868d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1924:3
#23 0x7f4e5625940b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1955:13
#24 0x7f4e55983d4e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#25 0x7f4e55961859 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:785:26
#26 0x7f4e559606c8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:621:15
#27 0x7f4e55960943 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#28 0x7f4e55987546 in operator() src/xpcom/threads/TaskController.cpp:138:37
#29 0x7f4e55987546 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#30 0x7f4e5597346f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#31 0x7f4e5597a0fa in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#32 0x7f4e562606b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#33 0x7f4e561c89d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#34 0x7f4e561c88f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#35 0x7f4e561c88f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#36 0x7f4e59ffdac8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#37 0x7f4e5b9cb943 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#38 0x7f4e562615aa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#39 0x7f4e561c89d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#40 0x7f4e561c88f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#41 0x7f4e561c88f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#42 0x7f4e5b9cb55e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:34
#43 0x55cf5c792c56 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#44 0x55cf5c792c56 in main src/browser/app/nsBrowserApp.cpp:313:18
#45 0x7f4e6ab760b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#46 0x55cf5c76fa5c in _start (/home/worker/builds/m-c-20210602214447-fuzzing-debug/firefox-bin+0x15a5c)
Flags: in-testsuite?
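The assertion expression quoted above is dense, so the following stand-alone model spells out exactly which aPrevFrame values it accepts and which it rejects. This is an added example and not code from the bug, the test case, or Gecko: the Frame struct, the state-bit value, and the helper names (LinkChain, CheckChain, FindValidPrevFrame, ValidPrevIndex) are assumptions made for illustration; only the predicate in PrevFrameIsLastInChain mirrors the quoted assertion term for term.

```cpp
// Added example: a minimal model of the invariant asserted in
// nsFrameManager::InsertFrames (quoted in the bug). NOT Gecko code; the Frame
// struct, bit value and helpers below are assumptions for illustration only.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed value: only the presence of the bit matters for the predicate.
constexpr uint32_t NS_FRAME_IS_OVERFLOW_CONTAINER = 1u << 0;

struct Frame {
    uint32_t stateBits = 0;
    Frame* nextContinuation = nullptr;

    Frame* GetNextContinuation() const { return nextContinuation; }
    bool HasAnyStateBits(uint32_t bits) const { return (stateBits & bits) != 0; }
};

// Mirrors the assertion: aPrevFrame may be null; otherwise it must either have
// no next continuation, or its next continuation must be an overflow container
// while aPrevFrame itself is not one. Anything else is "not the last
// continuation in its chain" and trips the assertion in a debug build.
bool PrevFrameIsLastInChain(const Frame* aPrevFrame) {
    return !aPrevFrame ||
           (!aPrevFrame->GetNextContinuation() ||
            (aPrevFrame->GetNextContinuation()->HasAnyStateBits(NS_FRAME_IS_OVERFLOW_CONTAINER) &&
             !aPrevFrame->HasAnyStateBits(NS_FRAME_IS_OVERFLOW_CONTAINER)));
}

// Walk a continuation chain and return the first frame that satisfies the
// predicate, i.e. the frame a caller could legitimately pass as aPrevFrame.
// The tail frame always qualifies (its next continuation is null), so the
// walk terminates for any non-empty chain.
Frame* FindValidPrevFrame(Frame* first) {
    for (Frame* f = first; f; f = f->GetNextContinuation()) {
        if (PrevFrameIsLastInChain(f)) return f;
    }
    return nullptr;
}

// Helper: link frames[i] -> frames[i+1] and apply the given state bits.
static void LinkChain(std::vector<Frame>& frames, const std::vector<uint32_t>& bits) {
    frames.assign(bits.size(), Frame{});
    for (size_t i = 0; i < frames.size(); ++i) {
        frames[i].stateBits = bits[i];
        frames[i].nextContinuation = (i + 1 < frames.size()) ? &frames[i + 1] : nullptr;
    }
}

// Build a chain from state bits and report whether frames[prevIndex] would
// pass the assertion as aPrevFrame.
bool CheckChain(const std::vector<uint32_t>& bits, size_t prevIndex) {
    std::vector<Frame> frames;
    LinkChain(frames, bits);
    return PrevFrameIsLastInChain(&frames[prevIndex]);
}

// Build a chain from state bits and return the index of the first frame that
// is a valid aPrevFrame for it.
size_t ValidPrevIndex(const std::vector<uint32_t>& bits) {
    std::vector<Frame> frames;
    LinkChain(frames, bits);
    Frame* valid = FindValidPrevFrame(frames.data());
    return static_cast<size_t>(valid - frames.data());
}

int main() {
    const uint32_t OC = NS_FRAME_IS_OVERFLOW_CONTAINER;
    // Constructed sample chains (N = normal frame, OC = overflow container).
    std::printf("[N,N]   prev=0 -> %s\n", CheckChain({0, 0}, 0) ? "ok" : "ASSERT");
    std::printf("[N,N]   prev=1 -> %s\n", CheckChain({0, 0}, 1) ? "ok" : "ASSERT");
    std::printf("[N,OC]  prev=0 -> %s\n", CheckChain({0, OC}, 0) ? "ok" : "ASSERT");
    std::printf("[OC,OC] prev=0 -> %s\n", CheckChain({OC, OC}, 0) ? "ok" : "ASSERT");
    std::printf("[N,OC,OC] first valid prev index = %zu\n", ValidPrevIndex({0, OC, OC}));
    return 0;
}
```

The two interesting rows are [N,OC] with prev=0, which the assertion accepts even though a continuation follows, and [OC,OC] with prev=0, which it rejects because the exception only applies when the previous frame is itself not an overflow container.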

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210604213013-61484a56d30a.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6237102f005d965efebc464ce3f93dec32b10268 (20200606094603)
End: 2d291a99004dd0aea5304bb8cae306a47083ff94 (20210602214447)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:bisected,confirmed]

A Pernosco session is available here: https://pernos.co/debug/1CvX-iDKTkVsBGGQyemEmQ/index.html

Still reproduces in current mozilla-central, FWIW.

Severity: -- → S3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210814094200-e67bca14d669) but not with tip (mozilla-central 20220812214215-fbae7216fa06).

The bug appears to have been fixed in the following build range:

Start: bdb42cfe62138374343d5be83ac208826812cd2d (20220810161147)
End: a5ef26cc165936d1c01c42c0e5d2c597ebcc5a8f (20220810181917)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bdb42cfe62138374343d5be83ac208826812cd2d&tochange=a5ef26cc165936d1c01c42c0e5d2c597ebcc5a8f

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon
Attached file testcase.html

Updated test case.

Attachment #9225335 - Attachment is obsolete: true
Flags: needinfo?(twsmith)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220816160129-90f3275f3489.
Unable to bisect testcase (failed to find build near 2d291a99004d)

Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210911095121-9cbf4fe3f852) but not with tip (mozilla-central 20220910094302-9acb1117b572).

The bug appears to have been fixed in the following build range:

Start: af1fc1e6eb24573a5ebad1754b9d4917e934a5f9 (20220831215447)
End: 76c1fb5130dcd9f4562826d42194ebf74ca268c8 (20220831180944)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=af1fc1e6eb24573a5ebad1754b9d4917e934a5f9&tochange=76c1fb5130dcd9f4562826d42194ebf74ca268c8

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

This is still reproducible with the attached test case. Tested with m-c 20220913-93a9b1ba6411.

Flags: needinfo?(twsmith)
