Closed Bug 1771503 Opened 2 years ago Closed 2 years ago

[fission] Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1340

Categories

(Core :: Panning and Zooming, defect, P3)

x86_64
Linux
defect

VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- verified

People

(Reporter: jkratzer, Assigned: botond)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 914ead848de4 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 914ead848de4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1340

    ==3000486==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f479d5aeabb bp 0x7f46f77fad90 sp 0x7f46f77fac50 T3000609)
    ==3000486==The signal is caused by a WRITE memory access.
    ==3000486==Hint: address points to the zero page.
        #0 0x7f479d5aeabb in mozilla::layers::APZCTreeManager::PrepareNodeForLayer(mozilla::RecursiveMutexAutoLock const&, mozilla::layers::WebRenderScrollDataWrapper const&, mozilla::layers::FrameMetrics const&, mozilla::layers::LayersId, mozilla::Maybe<mozilla::layers::ZoomConstraints> const&, mozilla::layers::AncestorTransform const&, mozilla::layers::HitTestingTreeNode*, mozilla::layers::HitTestingTreeNode*, mozilla::layers::APZCTreeManager::TreeBuildingState&) /gfx/layers/apz/src/APZCTreeManager.cpp:1338:11
        #1 0x7f479d5a1ccd in operator() /gfx/layers/apz/src/APZCTreeManager.cpp:488:38
        #2 0x7f479d5a1ccd in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:139:3
        #3 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #4 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #5 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #6 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #7 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #8 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #9 0x7f479d5a28e1 in std::enable_if<(std::is_same_v<decltype(fp0(fp)), void>) && (std::is_same_v<decltype(fp1(fp)), void>), void>::type mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4>(mozilla::layers::WebRenderScrollDataWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_3 const&, mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int)::$_4 const&) /gfx/layers/TreeTraversal.h:143:5
        #10 0x7f479d59fd50 in mozilla::layers::APZCTreeManager::UpdateHitTestingTree(mozilla::layers::WebRenderScrollDataWrapper const&, bool, mozilla::layers::LayersId, unsigned int) /gfx/layers/apz/src/APZCTreeManager.cpp:449:5
        #11 0x7f479d6165ff in operator() /gfx/layers/apz/src/APZUpdater.cpp:199:25
        #12 0x7f479d6165ff in mozilla::detail::RunnableFunction<mozilla::layers::APZUpdater::UpdateScrollDataAndTreeState(mozilla::layers::LayersId, mozilla::layers::LayersId, mozilla::wr::Epoch const&, mozilla::layers::WebRenderScrollData&&)::$_28>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #13 0x7f479d5d1b16 in mozilla::layers::APZUpdater::ProcessQueue() /gfx/layers/apz/src/APZUpdater.cpp:462:23
        #14 0x7f479d5d151a in mozilla::layers::APZUpdater::CompleteSceneSwap(mozilla::wr::WrWindowId const&, mozilla::wr::WrPipelineInfo const&) /gfx/layers/apz/src/APZUpdater.cpp:124:12
        #15 0x7f479d5d4579 in apz_post_scene_swap /gfx/layers/apz/src/APZUpdater.cpp:530:3
        #16 0x7f47a5072a2c in _$LT$webrender_bindings..bindings..APZCallbacks$u20$as$u20$webrender..renderer..SceneBuilderHooks$GT$::post_scene_swap::h9f28a42068c49ada /gfx/webrender_bindings/src/bindings.rs:996:13
        #17 0x7f47a53c15fe in webrender::scene_builder_thread::SceneBuilderThread::forward_built_transactions::h4c367c10fac85db5 /gfx/wr/webrender/src/scene_builder_thread.rs:721:13
        #18 0x7f47a53c15fe in webrender::scene_builder_thread::SceneBuilderThread::run::h7b33773767b6f5a4 /gfx/wr/webrender/src/scene_builder_thread.rs:320:21
        #19 0x7f47a53471c4 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h410e63645fd665a5 /gfx/wr/webrender/src/renderer/mod.rs:1249:13
        #20 0x7f47a53471c4 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc75c7eec3187a581 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/sys_common/backtrace.rs:122:18
        #21 0x7f47a50c54ee in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hc55fe053c52da9cd /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/thread/mod.rs:498:17
        #22 0x7f47a50c54ee in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hdd5eb58ef5d6fa58 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panic/unwind_safe.rs:271:9
        #23 0x7f47a50c54ee in std::panicking::try::do_call::h8762809a1d91b99e /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:492:40
        #24 0x7f47a50c54ee in std::panicking::try::hff50ac2417fbb750 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:456:19
        #25 0x7f47a50c54ee in std::panic::catch_unwind::h0b9b0af923062ee2 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panic.rs:137:14
        #26 0x7f47a50c54ee in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2827219375680331 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/thread/mod.rs:497:30
        #27 0x7f47a50c54ee in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h2dea675d68f52078 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/ops/function.rs:227:5
        #28 0x7f47a6710512 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf70ac038171e3e1a /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/alloc/src/boxed.rs:1853:9
        #29 0x7f47a6710512 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::he6690128792365ad /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/alloc/src/boxed.rs:1853:9
        #30 0x7f47a6710512 in std::sys::unix::thread::Thread::new::thread_start::ha07928d93d5a5ec9 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/sys/unix/thread.rs:108:17
        #31 0x7f47b2f48608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #32 0x7f47b2b0f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/layers/apz/src/APZCTreeManager.cpp:1338:11 in mozilla::layers::APZCTreeManager::PrepareNodeForLayer(mozilla::RecursiveMutexAutoLock const&, mozilla::layers::WebRenderScrollDataWrapper const&, mozilla::layers::FrameMetrics const&, mozilla::layers::LayersId, mozilla::Maybe<mozilla::layers::ZoomConstraints> const&, mozilla::layers::AncestorTransform const&, mozilla::layers::HitTestingTreeNode*, mozilla::layers::HitTestingTreeNode*, mozilla::layers::APZCTreeManager::TreeBuildingState&)
    ==3000486==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220527092603-914ead848de4.
The bug appears to have been introduced in the following build range:

Start: 33fca42928519b723ac6efd93c4ffb69f569e23f (20210819044300)
End: 7a2320e8b395cfd610e8619e6461ed310b3377e7 (20210819095342)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33fca42928519b723ac6efd93c4ffb69f569e23f&tochange=7a2320e8b395cfd610e8619e6461ed310b3377e7

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The regression range pushlog link in comment 2 is empty.

If I switch it to autoland instead of mozilla-central, I get this link:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=33fca42928519b723ac6efd93c4ffb69f569e23f&tochange=7a2320e8b395cfd610e8619e6461ed310b3377e7

...which is just a backout:
Brindusan Cristian — Backed out 28 changesets (bug 1722261) for causing linux asan failures.

So that's still a bit mysterious.

...and that "guilty" backout, bug 1722261, was a gecko-profiler bug, so it's unlikely to be related to this fuzzer bug.

FWIW I tried the testcase (a locally-saved copy) in a mozregression-launched asan-debug build from 2021-08-21, after the purported regression range, and it loaded just fine; though I was able to trigger the fatal assertion in a much-more-recent build (2022-06-01).

So I suspect the regression range in comment 2 is just bogus and was from bugmon inadvertently narrowing in on unrelated ASAN badness (the "linux asan failures" mentioned in the backout commit message).

I got this regression range using mozregression and linux asan-debug builds:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c9d499871dc8c87d1f138d1a954b675df5030a43&tochange=51773d1ab7b50883b4c8ca2322bd646f122ece3e

That includes this commit which enabled fission by default:
https://hg.mozilla.org/mozilla-central/rev/bcf5711345c03edcffc33d7e70e6f59a6c46bfc4

So this issue was probably uncovered when we turned on fission, but really it was introduced earlier and just happened to not be reproducible in the default configuration.

See Also: → 1743731

bug 1726450 was the next-most-proximal thing (beyond enabling fission) to make this start aborting. Before that bug's patch, this testcase makes us spam this assertion non-fatally. After that bug's patch, this testcase makes us trip this assertion as a fatal assertion.

(Also: Some of the time, in "good" builds where the "Two layers" assertion is non-fatal, we hit another fatal assertion failure which makes us abort before we've even spammed the non-fatal "Two layers" assertion-failure. Specifically, we hit:

Assertion failure: !aParent || result->mParentAGR == aParent, at layout/painting/nsDisplayList.cpp:892

But that one's not entirely reliable; e.g. if I get a tab-crash from it and then I shift+reload, I typically get a working-just-fine tab afterwards, which spams the "Two layers" assertion [which again is non-fatal for the builds I'm discussing in this parenthetical].)

Anyway -- given bug 1726450 comment 3, it sounds like Botond would be very interested to know about the fact that we can still make this assertion fail.

Blocks: 1726450
Flags: needinfo?(botond)
Summary: Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1340 → [fission] Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /gfx/layers/apz/src/APZCTreeManager.cpp:1340
No longer blocks: 1726450
Regressed by: 1726450

Set release status flags based on info from the regressing bug 1726450

Yeah, after landing bug 1726450 (to upgrade this assertion to MOZ_ASSERT), we quickly discovered through reports from the fuzzing team that it's still triggered in a variety of scenarios (some other instances, all discovered through fuzzing, were: bug 1729581, bug 1734510, bug 1753779, bug 1764942).

This one's on my list to investigate.

Flags: needinfo?(botond)
Has Regression Range: --- → yes

The severity field is not set for this bug.
:botond, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(botond)
Attachment #9278473 - Attachment mime type: text/plain → text/html

The testcase sets a large transform on every element. These transforms get multiplied together up to the nesting depth of elements, their components reach very large values (e.g. 5.37643645e+31), eventually becoming +/- inf (as we run out of bits in the exponent of float), and then NaN (since inf + -inf gives you NaN). NaNs do not compare equal to each other, so their presence will make this assertion fail.

Flags: needinfo?(botond)
Severity: -- → S3
Priority: -- → P3
Assignee: nobody → botond
Status: NEW → ASSIGNED
Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a26122221a5f
Disable the 'two layers that scroll together' assertion for matrices with Inf or NaN elements. r=tnikkel
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
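
Added example (not code from this bug or from Gecko): a C++ sketch of the failure described above, where nested large transforms overflow float to Inf and then NaN so that an element-wise equality check fails even for identical matrices, next to a guard of the kind the fix's commit message describes. The `Mat4` type, the 1e10 scale factor and all function names are assumptions made for illustration.

```cpp
#include <array>
#include <cmath>
#include <cstdio>

// Hypothetical stand-in for a 4x4 float transform (row-major); not Gecko's Matrix4x4.
using Mat4 = std::array<float, 16>;

Mat4 Multiply(const Mat4& a, const Mat4& b) {
  Mat4 r{};
  for (int i = 0; i < 4; ++i)
    for (int j = 0; j < 4; ++j)
      for (int k = 0; k < 4; ++k) r[i * 4 + j] += a[i * 4 + k] * b[k * 4 + j];
  return r;
}

// Constructed "large transform": a 1e10 scale combined with a 45-degree rotation.
Mat4 LargeTransform() {
  const float s = 1e10f;
  return {s, -s, 0, 0,  s, s, 0, 0,  0, 0, 1, 0,  0, 0, 0, 1};
}

// Ancestor transform accumulated through `depth` nested transformed elements.
Mat4 Accumulate(int depth) {
  Mat4 acc = {1, 0, 0, 0,  0, 1, 0, 0,  0, 0, 1, 0,  0, 0, 0, 1};
  for (int i = 0; i < depth; ++i) acc = Multiply(acc, LargeTransform());
  return acc;
}

bool AllFinite(const Mat4& m) {
  for (float v : m) { if (!std::isfinite(v)) return false; }
  return true;
}

bool HasNaN(const Mat4& m) {
  for (float v : m) { if (std::isnan(v)) return true; }
  return false;
}

// Element-wise equality, as a plain matrix comparison does. NaN != NaN, so this
// returns false for two identical matrices once any element has become NaN.
bool SameTransform(const Mat4& a, const Mat4& b) {
  for (int i = 0; i < 16; ++i) { if (a[i] != b[i]) return false; }
  return true;
}

// Guarded invariant check: report a conflict only when the comparison is meaningful.
bool AncestorTransformsConflict(const Mat4& a, const Mat4& b) {
  if (!AllFinite(a) || !AllFinite(b)) return false;  // Inf/NaN present: skip the check
  return !SameTransform(a, b);
}

int main() {
  Mat4 shallow = Accumulate(2), deep = Accumulate(8);
  std::printf("depth 2 all finite: %d\n", AllFinite(shallow));
  std::printf("depth 8 has NaN: %d\n", HasNaN(deep));
  std::printf("deep == deep (unguarded): %d\n", SameTransform(deep, deep));
  std::printf("guarded check fires on deep: %d\n", AncestorTransformsConflict(deep, deep));
  return 0;
}
```

The guard still reports a genuine mismatch between finite transforms, so the invariant keeps its value for ordinary content.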

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220618093037-eda29d58035f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon