Assertion failure: !focusedTarget || focusedTarget == &target (If the focused target has been found on X axis, the target should be same), at /layout/generic/ScrollSnap.cpp:450
Categories
(Core :: Layout, defect, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox106 | --- | wontfix
firefox107 | --- | wontfix
firefox108 | --- | verified
People
(Reporter: jkratzer, Assigned: hiro)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 45d33d6757ba (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 45d33d6757ba --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !focusedTarget || focusedTarget == &target (If the focused target has been found on X axis, the target should be same), at /layout/generic/ScrollSnap.cpp:450
==1218563==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6b8d17824e bp 0x7ffc2d4395a0 sp 0x7ffc2d439440 T1218563)
==1218563==The signal is caused by a WRITE memory access.
==1218563==Hint: address points to the zero page.
#0 0x7f6b8d17824e in GetCandidateInLastTargets /layout/generic/ScrollSnap.cpp:447:11
#1 0x7f6b8d17824e in mozilla::ScrollSnapUtils::GetSnapPointForResnap(mozilla::layers::ScrollSnapInfo const&, nsRect const&, nsPoint const&, mozilla::UniquePtr<mozilla::ScrollSnapTargetIds, mozilla::DefaultDelete<mozilla::ScrollSnapTargetIds> > const&, nsIContent const*) /layout/generic/ScrollSnap.cpp:499:17
#2 0x7f6b8d203f9f in mozilla::ScrollFrameHelper::NeedsResnap() /layout/generic/nsGfxScrollFrame.cpp:8083:10
#3 0x7f6b8d203cda in nsHTMLScrollFrame::DidReflow(nsPresContext*, mozilla::ReflowInput const*) /layout/generic/nsGfxScrollFrame.cpp:1529:15
#4 0x7f6b8d1aea5c in nsContainerFrame::FinishReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput const&, mozilla::ReflowInput const*, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags) /layout/generic/nsContainerFrame.cpp:1154:14
#5 0x7f6b8d1a192b in nsBlockReflowContext::PlaceBlock(mozilla::ReflowInput const&, bool, nsLineBox*, nsCollapsingMargin&, mozilla::OverflowAreas&, nsReflowStatus const&) /layout/generic/nsBlockReflowContext.cpp:430:3
#6 0x7f6b8d19d8ba in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:4183:15
#7 0x7f6b8d19a83e in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3379:5
#8 0x7f6b8d194655 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:2896:9
#9 0x7f6b8d18fb35 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1472:3
#10 0x7f6b8d1b3d95 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
#11 0x7f6b8d1b2e8d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:794:7
#12 0x7f6b8d1b3d95 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1005:14
#13 0x7f6b8d1fd199 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
#14 0x7f6b8d1fdd8f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:974:3
#15 0x7f6b8d2020e6 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1399:3
#16 0x7f6b8d1846a6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1045:14
#17 0x7f6b8d183e0c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:375:7
#18 0x7f6b8d080079 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9638:11
#19 0x7f6b8d0a380f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9810:24
#20 0x7f6b8d089854 in DoFlushLayout /layout/base/PresShell.cpp:9880:10
#21 0x7f6b8d089854 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4409:11
#22 0x7f6b8d04e603 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#23 0x7f6b8d04e603 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2599:20
#24 0x7f6b8d05d812 in operator() /layout/base/nsRefreshDriver.cpp:1771:25
#25 0x7f6b8d05d812 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#26 0x7f6b87d6086e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#27 0x7f6b87d38d89 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#28 0x7f6b87d37913 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#29 0x7f6b87d37b83 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#30 0x7f6b87d64116 in operator() /xpcom/threads/TaskController.cpp:187:37
#31 0x7f6b87d64116 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#32 0x7f6b87d4d9df in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#33 0x7f6b87d53fed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#34 0x7f6b88934646 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#35 0x7f6b88859ca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#36 0x7f6b88859bb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#37 0x7f6b88859bb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#38 0x7f6b8cd157b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#39 0x7f6b8ef0bd0b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
#40 0x7f6b8893553a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#41 0x7f6b88859ca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#42 0x7f6b88859bb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#43 0x7f6b88859bb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#44 0x7f6b8ef0b223 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
#45 0x55b05248db39 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#46 0x55b05248db39 in main /browser/app/nsBrowserApp.cpp:359:18
#47 0x7f6b9ee5fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#48 0x7f6b9ee5fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#49 0x55b0524638dc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x168dc) (BuildId: b1d395243da9b2b84533ddb248fa0c0bd65c19ef)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/ScrollSnap.cpp:447:11 in GetCandidateInLastTargets
==1218563==ABORTING
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220920092542-45d33d6757ba.
The bug appears to have been introduced in the following build range:
Start: 307dd529e2a3dc6f6191a40d35c1c9e9fd94f727 (20220630220030)
End: 1f99e4a5113539ba2b85689d04f66fd0261db0a8 (20220701020433)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=307dd529e2a3dc6f6191a40d35c1c9e9fd94f727&tochange=1f99e4a5113539ba2b85689d04f66fd0261db0a8
Comment 3•2 years ago
The severity field is not set for this bug.
:alaskanemily, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•2 years ago
Comment 4•2 years ago
Set release status flags based on info from the regressing bug 1530253
Updated•2 years ago
Comment 5•2 years ago (Assignee)
The focused content in question has two different nsIFrames;
line@7fbac175b628 count=1 state=inline,clean,prevmarginclean,not-impacted,not-wrapped,forced-break,clear-before:none,clear-after:none(x=153.6, y=58, w=56.6333, h=24) ink-overflow=(x=150.6, y=54, w=64.3833, h=97.0667) scr-overflow=(x=153.6, y=57, w=56.6333, h=91.0667) <
Inline(i id=id_0)(1)@7fbac175b3f0 parent=7fbac175b1e8 next=7fbabb6be020 next-in-flow=7fbabb6be020 (x=153.6, y=57, w=56.6333, h=91.0667) ink-overflow=(x=-3, y=-3, w=64.3833, h=97.0667) scr-overflow=(x=0, y=0, w=56.6333, h=91.0667) [content=7fbac1304820] [cs=7fbabb6c23e8] <
Text(0)"\n"@7fbac175b498 parent=7fbac175b3f0 next-in-flow=7fbac175bda8 (x=56.6333, y=1, w=0, h=24) ink-overflow=(x=-1.25, y=0, w=6, h=24) scr-overflow=(x=0, y=0, w=0, h=24) [content=7fbac1305500] [cs=7fbabb6c24d8:-moz-text] [run=7fbac1fbc400][0,1,F]
>
>
line@7fbabb6be0c8 count=1 state=inline,clean,prevmarginclean,not-impacted,not-wrapped,forced-break,clear-before:none,clear-after:none(x=153.6, y=82, w=70.9667, h=24) ink-overflow=(x=150.6, y=78, w=76.9667, h=97.0667) scr-overflow=(x=153.6, y=81, w=70.9667, h=91.0667) <
Inline(i id=id_0)(1)@7fbabb6be020 parent=7fbac175b1e8 next=7fbac175b538 prev-in-flow=7fbac175b3f0 (x=153.6, y=81, w=70.9667, h=91.0667) ink-overflow=(x=-3, y=-3, w=76.9667, h=97.0667) scr-overflow=(x=0, y=0, w=70.9667, h=91.0667) [content=7fbac1304820] [cs=7fbabb6c23e8] <
Text(0)" \n"@7fbac175bda8 parent=7fbabb6be020 prev-in-flow=7fbac175b498 (x=0, y=1, w=14.3333, h=24) ink-overflow=(x=-1.25, y=0, w=20.3333, h=24) scr-overflow=(x=0, y=0, w=14.3333, h=24) [content=7fbac1305500] [cs=7fbabb6c24d8:-moz-text] [run=7fbabb31e670][1,5,T]
>
>
In this specific case, the scroll-snap-type is block proximity, so the snap target points for both nsIFrames are the same; thus we can ignore either one of them in CollectScrollPositionsForSnap(). But if the scroll-snap-type is inline and the scroll-snap-align is center, things are more complicated: we need to handle split-nsIFrame cases in both CollectScrollPositionsForSnap and AppendScrollPositionsForSnap. That will not be an easy task as far as I can tell, I mean with my current knowledge.
Setting S3:P3 for now, if there are a bunch of such cases in the wild (scroll snapping fails in such cases), we will bump up the priority.
Comment 6•2 years ago (Assignee)
Note that this bug is marked as "regressed by bug 1530253", indeed the assertion was added in bug 1530253, but in fact the assertion just caught a case that we haven't been handling properly since the beginning of our scroll snap implementation, i.e. since our old scroll snap implementation.
Comment 7•2 years ago
Should the assert be downgraded to NS_ASSERTION if we wanna live with it? Otherwise it unnecessarily breaks blocks fuzzers etc.
Comment 8•2 years ago (Assignee)
(In reply to Emilio Cobos Álvarez (:emilio) from comment #7)
> Should the assert be downgraded to NS_ASSERTION if we wanna live with it? Otherwise it unnecessarily breaks blocks fuzzers etc.
Thanks for the suggestion. Indeed we should downgrade it for fuzzers.
Comment 9•2 years ago (Assignee)
The assertion is valid, but fixing it would be a bit of work (bug 1798240), so for now we degrade the assertion to make it harmless for fuzzer runs.
Updated•2 years ago
Comment 10•2 years ago
Pushed by hikezoe.birchill@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/89ae75f45eaa Downgrade the assertion when we found multiple SnapTargets for the same focused content. r=emilio
Comment 11•2 years ago (bugherder)
Comment 12•2 years ago
Verified bug as fixed on rev mozilla-central 20221101035633-ad436fbed86d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.