Closed Bug 1745860 Opened 10 months ago Closed 8 months ago

Assertion failure: !child->GetPrimaryFrame(), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6451

Categories

(Core :: Layout, defect)

Tracking

VERIFIED FIXED
98 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox97 --- wontfix
firefox98 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20211212-1a4d98507807 (--enable-debug --enable-fuzzing)

Assertion failure: !child->GetPrimaryFrame(), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6451

#0 0x7f990acf5bb6 in IssueSingleInsertNofications src/layout/base/nsCSSFrameConstructor.cpp:6451:5
#1 0x7f990acf5bb6 in nsCSSFrameConstructor::GetRangeInsertionPoint(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp
#2 0x7f990acf63d5 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6631:7
#3 0x7f990ac98cea in mozilla::PresShell::ContentAppended(nsIContent*) src/layout/base/PresShell.cpp:4459:22
#4 0x7f9907c2a49b in operator() src/dom/base/MutationObservers.cpp:162:3
#5 0x7f9907c2a49b in Notify<IsRemoval::No, ShouldAssert::Yes, (lambda at src/dom/base/MutationObservers.cpp:162:3), (lambda at src/dom/base/MutationObservers.cpp:162:3)> src/dom/base/MutationObservers.cpp:97:5
#6 0x7f9907c2a49b in mozilla::dom::MutationObservers::NotifyContentAppended(nsIContent*, nsIContent*) src/dom/base/MutationObservers.cpp:163:3
#7 0x7f9907daf657 in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1589:7
#8 0x7f9907db70eb in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2776:5
#9 0x7f99082a6ec9 in InsertBefore src/dom/base/nsINode.h:2030:12
#10 0x7f99082a6ec9 in AppendChild src/dom/base/nsINode.h:2037:12
#11 0x7f99082a6ec9 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:996:60
#12 0x7f99090a1148 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
#13 0x7f990cad58bf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
#14 0x7f990cad4fbd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
#15 0x7f990cad6a9e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#16 0x7f990cacc2c6 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
#17 0x7f990cacc2c6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
#18 0x7f990cac31c3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
#19 0x7f990cad4eb8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
#20 0x7f990cad6a9e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#21 0x7f990cad6ca1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
#22 0x7f990cc92eb1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#23 0x7f9908db26ec in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#24 0x7f9909588199 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#25 0x7f9909587410 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#26 0x7f990956843b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#27 0x7f99095690f9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#28 0x7f990955e1d4 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#29 0x7f990955e1d4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#30 0x7f990955d6f7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#31 0x7f990955ff58 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#32 0x7f9909562726 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#33 0x7f9907dadd6d in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1354:17
#34 0x7f990790108a in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:4307:28
#35 0x7f9907900e87 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:4277:10
#36 0x7f990970ae44 in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) src/dom/html/HTMLMediaElement.cpp:6240:10
#37 0x7f9905d09952 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:144:20
#38 0x7f9905d3949e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
#39 0x7f9905d12ff6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
#40 0x7f9905d11cb8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
#41 0x7f9905d11f33 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
#42 0x7f9905d3ca96 in operator() src/xpcom/threads/TaskController.cpp:124:37
#43 0x7f9905d3ca96 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#44 0x7f9905d27993 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
#45 0x7f9905d2ec5a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#46 0x7f99067cecd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#47 0x7f99066ee7a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#48 0x7f99066ee6b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#49 0x7f99066ee6b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#50 0x7f990a95a608 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#51 0x7f990c959133 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
#52 0x7f99067cfbca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#53 0x7f99066ee7a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#54 0x7f99066ee6b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#55 0x7f99066ee6b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#56 0x7f990c95876b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#57 0x55b50f433ec9 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#58 0x55b50f433ec9 in main src/browser/app/nsBrowserApp.cpp:327:18
#59 0x7f991b7000b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#60 0x55b50f40f65c in _start (/home/worker/builds/m-c-20211212214735-fuzzing-debug/firefox-bin+0x1565c)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/-aXDTASRgUdy5R8Ee5lm7g/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211214042524-51773d1ab7b5.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: f805f27183c35c40305a5deb0396182133195829 (20201215092954)
End: 1a4d9850780709a65b7a090bfbd8eb48f209b3a7 (20211212214735)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jwatt, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jwatt)

emilio, maybe you could take a look here, to assess severity & potentially fix if it's straightforward? Looks like the failing assertion is one that you added in bug 1427908:
https://hg.mozilla.org/mozilla-central/rev/97d9e1823553#l1.34

(At that point it was a multipart assertion, but the other parts have been removed over the years.)

Flags: needinfo?(jwatt) → needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Blocks: 135040
No longer blocks: 135040
Regressed by: 1427908
See Also: → 135040

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220205091402-e240dde296a8.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon