1764942 - Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1344

Status: RESOLVED FIXED

(Core :: Panning and Zooming, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 7f6fc25d231f (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7f6fc25d231f --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1344

    ==2388109==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f62016e2f0e bp 0x7f611c5d0a10 sp 0x7f611c5d08d0 T2388427)
    ==2388109==The signal is caused by a WRITE memory access.
    ==2388109==Hint: address points to the zero page.
        #0 0x7f62016e2f0e in mozilla::layers::APZCTreeManager::PrepareNodeForLayer(mozilla::RecursiveMutexAutoLock const&, mozilla::layers::WebRenderScrollDataWrapper const&, mozilla::layers::FrameMetrics const&, mozilla::layers::LayersId, mozilla::Maybe<mozilla::layers::ZoomConstraints> const&, mozilla::layers::AncestorTransform const&, mozilla::layers::HitTestingTreeNode*, mozilla::layers::HitTestingTreeNode*, mozilla::layers::APZCTreeManager::TreeBuildingState&) /gfx/layers/apz/src/APZCTreeManager.cpp:1342:9
        #1 0x7f62016d4d5c in operator() /gfx/layers/apz/src/APZCTreeManager.cpp:490:38
        #2 0x7f62016d4d5c in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:139:3
        #3 0x7f62016d5c61 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #4 0x7f62016d5c61 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #5 0x7f62016d5c61 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #6 0x7f62016d5c61 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #7 0x7f62016d5c61 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #8 0x7f62016d2dbf in mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int) /gfx/layers/apz/src/APZCTreeManager.cpp:449:5
        #9 0x7f6201747a42 in operator() /gfx/layers/apz/src/APZUpdater.cpp:199:25
        #10 0x7f6201747a42 in mozilla::detail::RunnableFunction<mozilla::layers::APZUpdater::UpdateScrollDataAndTreeState(mozilla::layers::LayersId, mozilla::layers::LayersId, mozilla::wr::Epoch const&, mozilla::layers::WebRenderScrollData&&)::$_28>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #11 0x7f6201705ddf in mozilla::layers::APZUpdater::ProcessQueue() /gfx/layers/apz/src/APZUpdater.cpp:462:23
        #12 0x7f620170563a in mozilla::layers::APZUpdater::CompleteSceneSwap(mozilla::wr::WrWindowId const&, mozilla::wr::WrPipelineInfo const&) /gfx/layers/apz/src/APZUpdater.cpp:124:12
        #13 0x7f6201708969 in apz_post_scene_swap /gfx/layers/apz/src/APZUpdater.cpp:530:3
        #14 0x7f620914967d in _$LT$webrender_bindings..bindings..APZCallbacks$u20$as$u20$webrender..renderer..SceneBuilderHooks$GT$::post_scene_swap::h34f7db911ac8b37f /gfx/webrender_bindings/src/bindings.rs:1002:13
        #15 0x7f620949ac57 in webrender::scene_builder_thread::SceneBuilderThread::forward_built_transactions::h4215143abc0d9510 /gfx/wr/webrender/src/scene_builder_thread.rs:719:13
        #16 0x7f620949ac57 in webrender::scene_builder_thread::SceneBuilderThread::run::h21ec878b91d835b0 /gfx/wr/webrender/src/scene_builder_thread.rs:319:21
        #17 0x7f6209406b88 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h9ee9ade940d678e9 /gfx/wr/webrender/src/renderer/mod.rs:1249:13
        #18 0x7f6209406b88 in std::sys_common::backtrace::__rust_begin_short_backtrace::h31e5fb8cdd6356f6 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:123:18
        #19 0x7f620919baee in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::he0483e4ff0a235a8 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:477:17
        #20 0x7f620919baee in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h7790b7c700350af2 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panic/unwind_safe.rs:271:9
        #21 0x7f620919baee in std::panicking::try::do_call::h9ae0fa8f8320601d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:406:40
        #22 0x7f620919baee in std::panicking::try::h86f95f67a88546b7 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:370:19
        #23 0x7f620919baee in std::panic::catch_unwind::h7a8b6c1a584c9af5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panic.rs:133:14
        #24 0x7f620919baee in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h86114f9cd6a3523e /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:476:30
        #25 0x7f620919baee in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h6384a4085cc4ad7e /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:227:5
        #26 0x7f620a81b062 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h49b6c7c5155a2296 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
        #27 0x7f620a81b062 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha8b5234bfeb15105 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
        #28 0x7f620a81b062 in std::sys::unix::thread::Thread::new::thread_start::h6f207dd842d64859 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys/unix/thread.rs:108:17
        #29 0x7f6218111608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
        #30 0x7f6217cd8162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/layers/apz/src/APZCTreeManager.cpp:1342:9 in mozilla::layers::APZCTreeManager::PrepareNodeForLayer(mozilla::RecursiveMutexAutoLock const&, mozilla::layers::WebRenderScrollDataWrapper const&, mozilla::layers::FrameMetrics const&, mozilla::layers::LayersId, mozilla::Maybe<mozilla::layers::ZoomConstraints> const&, mozilla::layers::AncestorTransform const&, mozilla::layers::HitTestingTreeNode*, mozilla::layers::HitTestingTreeNode*, mozilla::layers::APZCTreeManager::TreeBuildingState&)
    ==2388109==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220415092909-7f6fc25d231f.
The bug appears to have been introduced in the following build range:

Start: 3a83a5c25a2ed0b73f616f9def2f1e738a90ce90 (20210819033348)
End: 33fca42928519b723ac6efd93c4ffb69f569e23f (20210819044300)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a83a5c25a2ed0b73f616f9def2f1e738a90ce90&tochange=33fca42928519b723ac6efd93c4ffb69f569e23f

Comment 3

[Timothy Nikkel (:tnikkel)]

scaleZ(4294967296%) in the testcase, so we hit the limits of float or double precision and a combined transform somewhere calculated two different ways doesn't match?

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220415092909-7f6fc25d231f) but not with tip (mozilla-central 20220416094814-1d47c0b691ea.)
The bug appears to have been fixed in the following build range:

Start: 8f289b005c6c06492fb2f7da1c2941220d497d5b (20220416003359)
End: 94cd0cb132f2eb2c644ae83314c60c50f03f300b (20220416035249)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8f289b005c6c06492fb2f7da1c2941220d497d5b&tochange=94cd0cb132f2eb2c644ae83314c60c50f03f300b
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 5

[Timothy Nikkel (:tnikkel)]

Fixed by bug 1745834 then.

Comment 6

[Release mgmt bot [:suhaib / :marco/ :calixte]]

:botond, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.