1748335 - Assertion failure: !HasAnyStateBits(NS_FRAME_IS_DIRTY) (Must only be called on reflowed lines), at /layout/generic/nsIFrame.cpp:8082

Status: RESOLVED DUPLICATE of bug 876085

(Core :: Layout: Block and Inline, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 1cb2015e6fbc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1cb2015e6fbc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !HasAnyStateBits(NS_FRAME_IS_DIRTY) (Must only be called on reflowed lines), at /layout/generic/nsIFrame.cpp:8082

    ==1183254==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7cced8cbdd bp 0x7ffc92cd0c80 sp 0x7ffc92cd0c80 T1183254)
    ==1183254==The signal is caused by a WRITE memory access.
    ==1183254==Hint: address points to the zero page.
        #0 0x7f7cced8cbdd in nsIFrame::CachedIsEmpty() /layout/generic/nsIFrame.cpp:8081:3
        #1 0x7f7ccedd9b8e in nsLineBox::CachedIsEmpty() /layout/generic/nsLineBox.cpp:346:27
        #2 0x7f7ccecc5df7 in nsBlockFrame::CachedIsEmpty() /layout/generic/nsBlockFrame.cpp:3479:15
        #3 0x7f7ccedd9b8e in nsLineBox::CachedIsEmpty() /layout/generic/nsLineBox.cpp:346:27
        #4 0x7f7ccecbb5c3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2814:30
        #5 0x7f7ccecb6cfb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1394:3
        #6 0x7f7ccecdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #7 0x7f7ccecdab2b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:787:7
        #8 0x7f7ccecdb8ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1000:14
        #9 0x7f7cced293a6 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:839:3
        #10 0x7f7cced29d6f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:974:3
        #11 0x7f7cced2dd91 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1369:3
        #12 0x7f7ccecab586 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1040:14
        #13 0x7f7ccecaad4d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:374:7
        #14 0x7f7ccebabb4f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9637:11
        #15 0x7f7ccebb5c2e in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9808:24
        #16 0x7f7ccebb50d3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4300:11
        #17 0x7f7cceb7b7c5 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1452:5
        #18 0x7f7cceb7b7c5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2425:20
        #19 0x7f7cceb83d50 in TickDriver /layout/base/nsRefreshDriver.cpp:348:13
        #20 0x7f7cceb83d50 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:326:7
        #21 0x7f7cceb83c53 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:342:5
        #22 0x7f7cceb83b20 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:780:5
        #23 0x7f7cceb8334a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:703:16
        #24 0x7f7cceb82ba3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /layout/base/nsRefreshDriver.cpp:620:7
        #25 0x7f7cceb82779 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:541:9
        #26 0x7f7cce3235ca in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
        #27 0x7f7ccaca81a2 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:208:54
        #28 0x7f7ccaa4f5fc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6187:32
        #29 0x7f7cca6d4dbf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2043:25
        #30 0x7f7cca6d16f1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1968:9
        #31 0x7f7cca6d2b75 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1827:3
        #32 0x7f7cca6d37ad in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1855:14
        #33 0x7f7cc9c42a7e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #34 0x7f7cc9c1c716 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #35 0x7f7cc9c1b3d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #36 0x7f7cc9c1b653 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #37 0x7f7cc9c460e6 in operator() /xpcom/threads/TaskController.cpp:124:37
        #38 0x7f7cc9c460e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #39 0x7f7cc9c31053 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1183:16
        #40 0x7f7cc9c382ba in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #41 0x7f7cca6dabd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #42 0x7f7cca5fa0b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #43 0x7f7cca5f9fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #44 0x7f7cca5f9fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #45 0x7f7cce8775a8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #46 0x7f7cd089a333 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:864:20
        #47 0x7f7cca6dbaca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #48 0x7f7cca5fa0b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #49 0x7f7cca5f9fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #50 0x7f7cca5f9fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #51 0x7f7cd089996b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:701:34
        #52 0x55c627a14029 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #53 0x55c627a14029 in main /browser/app/nsBrowserApp.cpp:327:18
        #54 0x7f7ce03670b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #55 0x55c6279ef7bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x157bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsIFrame.cpp:8081:3 in nsIFrame::CachedIsEmpty()
    ==1183254==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220103215519-a6af5cff5adf.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 1cb2015e6fbc11f3a03137692fe60b111b94693a (20220103092929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 4

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

The assertion tests the integrity of the frame's dirty bit. The testcase can reproduce the assertion on an ordinary debug build, and it doesn't crash release build.

Comment 5

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20220212094743-8436748a9b6d) but not with tip (mozilla-central 20230210211019-54d29db98836.)

The bug appears to have been fixed in the following build range:

Start: c6795729948b164cb9f45cde194fc1c02c3d0a73 (20230207235741)
End: 16950be9e3a0cf082ad3c3cb60b40bb28d6755cc (20230208000734)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c6795729948b164cb9f45cde194fc1c02c3d0a73&tochange=16950be9e3a0cf082ad3c3cb60b40bb28d6755cc

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[Jason Kratzer [:jkratzer]]

:emilio, can you confirm that this was fixed via bug 876085?

Comment 7

[Emilio Cobos Álvarez (:emilio)]

This particular instance sure, that'd make lots of sense. Though I suspect there are other ways to trigger the original issue. Should we close as dupe for now until we have another test-case?

Comment 8

[Jason Kratzer [:jkratzer]]

Emilio, my apologies but I should have checked the fuzz results before I added the NI. We do in fact have newer testcases that trigger this same issue. I need a bit to minimize the testcase but I'll go ahead and replace the original testcase with the newer one.

Comment 9

[Jason Kratzer [:jkratzer]]

Actually, the new testcase has a similar stack and assertion but does involve SVG elements. I'll close and dupe this issue and open a new one for the new testcase.