Closed Bug 1791883 Opened 2 years ago Closed 2 years ago

Assertion failure: IsAncestorFrameCrossDocInProcess(aAncestor.mFrame, aFrame) (Fix the caller), at /layout/base/nsLayoutUtils.cpp:2601

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
107 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- verified

People

(Reporter: jkratzer, Assigned: hiro)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase
394 bytes, text/plain
Details
Bug 1791883 - Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame. r?emilio
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev 5ad292b847e4 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5ad292b847e4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: IsAncestorFrameCrossDocInProcess(aAncestor.mFrame, aFrame) (Fix the caller), at /layout/base/nsLayoutUtils.cpp:2601

    ==2773406==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcd0440252a bp 0x7ffeb9058770 sp 0x7ffeb9058700 T2773406)
    ==2773406==The signal is caused by a WRITE memory access.
    ==2773406==Hint: address points to the zero page.
        #0 0x7fcd0440252a in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /layout/base/nsLayoutUtils.cpp:2600:3
        #1 0x7fcd0445c7d2 in TransformFrameRectToAncestor /layout/base/nsLayoutUtils.h:898:12
        #2 0x7fcd0445c7d2 in mozilla::ScrollSnapUtils::GetSnapAreaFor(nsIFrame const*, nsIFrame const*, nsRect const&) /layout/generic/ScrollSnap.cpp:617:23
        #3 0x7fcd04502945 in mozilla::ScrollFrameHelper::GetScrollSnapAlignFor(nsIFrame const*) const /layout/generic/nsGfxScrollFrame.cpp:8188:7
        #4 0x7fcd0436be4b in ScrollToShowRect /layout/base/PresShell.cpp:3608:31
        #5 0x7fcd0436be4b in mozilla::PresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsMargin const&, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags, nsIFrame const*) /layout/base/PresShell.cpp:3844:9
        #6 0x7fcd00bd0986 in mozilla::dom::Selection::ScrollIntoView(short, mozilla::ScrollAxis, mozilla::ScrollAxis, int) /dom/base/Selection.cpp:3067:14
        #7 0x7fcd00bd5a18 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /dom/base/Selection.cpp:2970:14
        #8 0x7fcd04331ea3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2464:13
        #9 0x7fcd0433b720 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
        #10 0x7fcd0433b720 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
        #11 0x7fcd0433b623 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
        #12 0x7fcd0433b2f0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
        #13 0x7fcd0433a95a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
        #14 0x7fcd0433a341 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
        #15 0x7fcd04339f7a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
        #16 0x7fcd04339b8c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
        #17 0x7fcd03806c0b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
        #18 0x7fcd03a936b6 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
        #19 0x7fccffc7dd44 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
        #20 0x7fccffc11e21 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #21 0x7fccffc0e975 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #22 0x7fccffc0f516 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #23 0x7fccffc108a1 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #24 0x7fccff04414e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #25 0x7fccff01c669 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #26 0x7fccff01b1f3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #27 0x7fccff01b463 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #28 0x7fccff0479f6 in operator() /xpcom/threads/TaskController.cpp:187:37
        #29 0x7fccff0479f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #30 0x7fccff0312bf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #31 0x7fccff0378cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #32 0x7fccffc178a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #33 0x7fccffb3cf07 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #34 0x7fccffb3ce12 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #35 0x7fccffb3ce12 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #36 0x7fcd03ff9d68 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #37 0x7fcd061f038b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #38 0x7fccffc1879a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #39 0x7fccffb3cf07 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #40 0x7fccffb3ce12 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #41 0x7fccffb3ce12 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #42 0x7fcd061ef8a3 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #43 0x56095a0b3b39 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #44 0x56095a0b3b39 in main /browser/app/nsBrowserApp.cpp:359:18
        #45 0x7fcd15bf1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #46 0x7fcd15bf1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #47 0x56095a0898dc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x168dc) (BuildId: 2ebac32fd3db8e6d90b518677cea9c50777fa56a)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/base/nsLayoutUtils.cpp:2600:3 in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**)
    ==2773406==ABORTING
Attached file Testcase 

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.

The bug appears to have been introduced in the following build range:




Start: cac795fd16d2ae8730dcb7ee7653be5e488e1123 (20220731203048)

End: 4cf66fe9deb65f1add1e82fdf518a5a1f7729984 (20220801003018)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cac795fd16d2ae8730dcb7ee7653be5e488e1123&tochange=4cf66fe9deb65f1add1e82fdf518a5a1f7729984




Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

    
    

    
  
The severity field is not set for this bug.

:alaskanemily, could you have a look please?


For more information, please visit auto_nag documentation.


Flags: needinfo?(emcdonough)

    
    

    
  
Hiro, this looks like it was caused by bug 1777649, can you take a look?


Flags: needinfo?(emcdonough) → needinfo?(hikezoe.birchill)
Regressed by: 1777649

    
    

    
  
Set release status flags based on info from the regressing bug 1777649



          status-firefox105:
          --- → affected

          status-firefox106:
          --- → affected

          status-firefox107:
          --- → affected

          status-firefox-esr102:
          --- → unaffected

    
    

    
  
In the particular case in comment 0, the target frame is exactly same as the scrollable frame, so we can just ignore the scroll-snap-align property. But, what if there are multiple selected elements in a scroll container? Which one of the selected elements should be used for resolving scroll-snap-align? Masayuki?


Assignee: nobody → hikezoe.birchill
Status: NEW → ASSIGNED
Flags: needinfo?(hikezoe.birchill) → needinfo?(masayuki)

    
    

    
  
I am guessing either this anchorFrame or this focusFrame would be reasonable.



    
    

    
  
(In reply to Hiroyuki Ikezoe (:hiro) from comment #6)




But, what if there are multiple selected elements in a scroll container? Which one of the selected elements should be used for resolving scroll-snap-align? Masayuki?




I have no idea. Even in the editor module which works with Selection directly, we don't have enough tests, thus, I see a lot of odd handling when there are multiple selection ranges, e.g., range is adjusted for avoiding odd result only when there is only one Selection range...


Perhaps, if Selection ranges are not in same scollable element, ScrollIntoView doing nothing might be better than doing something odd.


Flags: needinfo?(masayuki)

    
    

    
  
(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #9)




(In reply to Hiroyuki Ikezoe (:hiro) from comment #6)




But, what if there are multiple selected elements in a scroll container? Which one of the selected elements should be used for resolving scroll-snap-align? Masayuki?




I have no idea. Even in the editor module which works with Selection directly, we don't have enough tests, thus, I see a lot of odd handling when there are multiple selection ranges, e.g., range is adjusted for avoiding odd result only when there is only one Selection range...


Perhaps, if Selection ranges are not in same scollable element, ScrollIntoView doing nothing might be better than doing something odd.




Oh. That's indeed a complicated case if the ranges span on multiple scroll containers. :/


Okay, I will put off selection cases now, I am going to just fix the case here in this bug. Thanks!



        Attachment #9297924 -
        Attachment description: WIP: Bug 1791883 - Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame. → Bug 1791883 - Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame.

        Attachment #9297924 -
        Attachment description: Bug 1791883 - Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame. → Bug 1791883 - Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame. r?emilio

    
    

    
  
Pushed by hikezoe.birchill@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1ee652e84a1f
Ignore scroll-snap-align properties on scrollIntoView operations in the case where the scroll container equals to the target frame. r=emilio

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/1ee652e84a1f


Status: ASSIGNED → RESOLVED
Closed: 2 years ago

          status-firefox107:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20221014215500-0bf2cd2f9e73.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox107:
          fixedverified
Keywords: bugmon

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: