Closed Bug 1797407 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(assertion failed: !element.has_dirty_descendants()) at /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:526

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
108 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox106 --- unaffected
firefox107 --- unaffected
firefox108 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(2 files)

testcase.html
188 bytes, text/html
Details
Bug 1797407 - Don't propagate bits for children invalidated under display:none/not in the flat tree. r=boris,#style
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20221021-321d39a49683 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: !element.has_dirty_descendants()) at /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:526

#0 0x7fc1e4ee7b05 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fc1e4ee7b05 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fc1e4ee7a88 in mozglue_static::panic_hook::h78973aca7351e0a7 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fc1e4ee750b in core::ops::function::Fn::call::h39922ba40a8415bd /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/ops/function.rs:77:5
#4 0x7fc1e5e95549 in std::panicking::rust_panic_with_hook::hf26e9d4f97b40096 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:702:17
#5 0x7fc1e5e95348 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hfab912107608087a /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:586:13
#6 0x7fc1e5e92643 in std::sys_common::backtrace::__rust_end_short_backtrace::h434b685ce8d9965b /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7fc1e5e950b8 in rust_begin_unwind /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:584:5
#8 0x7fc1db24b372 in core::panicking::panic_fmt::ha6dc7f2ab2479463 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:142:14
#9 0x7fc1db24b23c in core::panicking::panic::hb3ad04c589a0e3c8 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:48:5
#10 0x7fc1e56e7279 in style::traversal::recalc_style_at::h0ddd8e819ba26045 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:526:9
#11 0x7fc1e56e7279 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::hd897a811332d8066 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#12 0x7fc1e56e7279 in style::driver::traverse_dom::he050b098748f2728 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:112:9
#13 0x7fc1e578308b in geckoservo::glue::traverse_subtree::hfb479987c29261eb /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:277:5
#14 0x7fc1e5783500 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:337:5
#15 0x7fc1e0944d25 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:775:9
#16 0x7fc1e09fc98c in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3108:20
#17 0x7fc1e09d57a0 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3245:3
#18 0x7fc1e09d4ef2 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4431:39
#19 0x7fc1dd077340 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1478:5
#20 0x7fc1dd077340 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10695:16
#21 0x7fc1ded48e3b in InitBasic /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:254:16
#22 0x7fc1ded48e3b in mozilla::ContentEventHandler::InitCommon(mozilla::EventMessage, mozilla::SelectionType, bool) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:327:17
#23 0x7fc1ded4940f in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:400:7
#24 0x7fc1ded4d348 in mozilla::ContentEventHandler::OnQuerySelectedText(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:1325:17
#25 0x7fc1ded9a01b in mozilla::IMEContentObserver::UpdateSelectionCache(bool) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1289:11
#26 0x7fc1ded9bb19 in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1824:7
#27 0x7fc1ded9af95 in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1688:7
#28 0x7fc1e0998653 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2479:13
#29 0x7fc1e09a2580 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#30 0x7fc1e09a2580 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#31 0x7fc1e09a2483 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#32 0x7fc1e09a2350 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:913:5
#33 0x7fc1e09a16ba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
#34 0x7fc1e09a0e6a in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:748:5
#35 0x7fc1e09a096a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#36 0x7fc1e09a057c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#37 0x7fc1dfe6ab9b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#38 0x7fc1e00faf36 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#39 0x7fc1dc262504 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
#40 0x7fc1dc1f3641 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#41 0x7fc1dc1f0195 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#42 0x7fc1dc1f0d36 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#43 0x7fc1dc1f20c1 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#44 0x7fc1db5ea0f4 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#45 0x7fc1db5e56f1 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#46 0x7fc1db5e424a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#47 0x7fc1db5e45a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#48 0x7fc1db5eda46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#49 0x7fc1db5eda46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#50 0x7fc1db603347 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#51 0x7fc1db609b4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#52 0x7fc1dc1f90c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#53 0x7fc1dc11ce37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#54 0x7fc1dc11cd42 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#55 0x7fc1dc11cd42 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#56 0x7fc1e064efd8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#57 0x7fc1e286376b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#58 0x7fc1dc1f9fba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#59 0x7fc1dc11ce37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#60 0x7fc1dc11cd42 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#61 0x7fc1dc11cd42 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#62 0x7fc1e2862d4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#63 0x5608831f3c19 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x5608831f3c19 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18
#65 0x7fc1f22cd082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#66 0x5608831c98dc in _start (/home/user/workspace/browsers/m-c-20221025094808-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 218e195d7f35924415692fd65e74feed063fa7a9)
Flags: in-testsuite?

The same test case is also triggers in opt builds:

Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2701

#0 0x7fbb1fcad749 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2700:3
#1 0x7fbb1fcad336 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2918:32
#2 0x7fbb1fcad336 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2918:32
#3 0x7fbb1fcad336 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2918:32
#4 0x7fbb1fcad336 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2918:32
#5 0x7fbb1fcad336 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /gecko/layout/base/RestyleManager.cpp:2918:32
#6 0x7fbb1fcafba9 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3131:28
#7 0x7fbb1fc77256 in mozilla::RestyleManager::ProcessPendingRestyles() /gecko/layout/base/RestyleManager.cpp:3245:3
#8 0x7fbb1fc75db9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4426:39
#9 0x7fbb1c7eb536 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1469:5
#10 0x7fbb1c7eb536 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /gecko/dom/events/EventStateManager.cpp:5964:16
#11 0x7fbb1c7e58aa in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:780:7
#12 0x7fbb1fc9541d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8281:39
#13 0x7fbb1fc8eee9 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8250:17
#14 0x7fbb1fc8e29d in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /gecko/layout/base/PresShell.cpp:7199:30
#15 0x7fbb1fc8c8fd in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:7002:12
#16 0x7fbb1fc8b3cf in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6945:23
#17 0x7fbb1f4f3b0d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:679:18
#18 0x7fbb1f4f3745 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1130:9
#19 0x7fbb1f57d0c5 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/PuppetWidget.cpp:352:37
#20 0x7fbb190ac8e1 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:510:21
#21 0x7fbb1e7f2a53 in DispatchWidgetEventViaAPZ /gecko/dom/ipc/BrowserChild.cpp:1802:10
#22 0x7fbb1e7f2a53 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1765:3
#23 0x7fbb1e7f47dc in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1732:3
#24 0x7fbb1e7f49d9 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1697:8
#25 0x7fbb1e9a7dd8 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5585:80
#26 0x7fbb1ea643e0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8699:32
#27 0x7fbb18296e59 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1756:25
#28 0x7fbb18293ec7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/MessageChannel.cpp:1681:9
#29 0x7fbb18294b14 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1481:3
#30 0x7fbb18295da2 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1579:14
#31 0x7fbb16abdb52 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
#32 0x7fbb16ab4ab7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
#33 0x7fbb16ab1d48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
#34 0x7fbb16ab2470 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
#35 0x7fbb16ac4101 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
#36 0x7fbb16ac4101 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#37 0x7fbb16ae7358 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
#38 0x7fbb16af1e04 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#39 0x7fbb1829e61f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#40 0x7fbb1811b691 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
#41 0x7fbb1811b691 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
#42 0x7fbb1811b691 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
#43 0x7fbb1f602807 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
#44 0x7fbb247c7b07 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#45 0x7fbb1811b691 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
#46 0x7fbb1811b691 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
#47 0x7fbb1811b691 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
#48 0x7fbb247c6bf3 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#49 0x563e982f26b5 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x563e982f2b07 in main /gecko/browser/app/nsBrowserApp.cpp:357:18
#51 0x7fbb3f004082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x563e98232a19 in _start (/home/worker/builds/m-c-20221021215351-fuzzing-asan-opt/firefox+0x7aa19) (BuildId: f1a05d5073161050f03b8b71e57b548e903a23a1)
Crash Signature: [@ mozilla::RestyleManager::ProcessPostTraversal]

The test uses summary and detail, so this might be related to our recently change.

A Pernosco session is available here: https://pernos.co/debug/ngVtAXoFlLX2L4KOBBO62g/index.html

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)

Much like invalidated_descendants. This preserves our invariant that we
only visit elements with data in the post-traversal.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/02e3e61b085b
Don't propagate bits for children invalidated under display:none/not in the flat tree. r=boris,firefox-style-system-reviewers
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36669 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/02e3e61b085b

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox108: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221026224258-ab716c244f85.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox108: fixedverified
Keywords: bugmon
status-firefox106: --- → unaffected
status-firefox107: --- → unaffected
status-firefox-esr102: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressed by: 1794720
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: