Closed Bug 1800543 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Element state change during style refresh (4096)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3281

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

VERIFIED FIXED
109 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20221114-1db8fd864320 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Element state change during style refresh (4096)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3281

#0 0x7ff72c8b2220 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7ff72c8b2220 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /gecko/layout/base/RestyleManager.cpp:3279:5
#2 0x7ff72c8b1a17 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /gecko/layout/base/PresShell.cpp:4504:37
#3 0x7ff726bb4c9b in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /gecko/dom/base/Document.cpp:8074:3
#4 0x7ff726c21bcc in mozilla::dom::Element::UpdateState(bool) /gecko/dom/base/Element.cpp:386:14
#5 0x7ff729b1a15b in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /gecko/dom/html/TextControlState.cpp:2707:47
#6 0x7ff729aeb402 in SetValue /gecko/dom/html/TextControlState.h:283:12
#7 0x7ff729aeb402 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /gecko/dom/html/TextControlState.cpp:2470:26
#8 0x7ff72cd7afb5 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/forms/nsTextControlFrame.cpp:148:25
#9 0x7ff72cb0d33c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsFrameList.cpp:50:12
#10 0x7ff72ca721c1 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsContainerFrame.cpp:232:11
#11 0x7ff72cc37445 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsInlineFrame.cpp:179:21
#12 0x7ff72cc9c526 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:369:14
#13 0x7ff72ca7196a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:482:3
#14 0x7ff72cc9c526 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:369:14
#15 0x7ff72ca7196a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:482:3
#16 0x7ff72cc9c526 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:369:14
#17 0x7ff72ca7196a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:482:3
#18 0x7ff72cb0d33c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsFrameList.cpp:50:12
#19 0x7ff72ca721c1 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsContainerFrame.cpp:232:11
#20 0x7ff72caa7d8f in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsCanvasFrame.cpp:214:21
#21 0x7ff72cb0d33c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsFrameList.cpp:50:12
#22 0x7ff72ca721c1 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /gecko/layout/generic/nsContainerFrame.cpp:232:11
#23 0x7ff72cab845e in Destroy /gecko/layout/generic/nsIFrame.h:663:5
#24 0x7ff72cab845e in nsContainerFrame::RemoveFrame(mozilla::FrameChildListID, nsIFrame*) /gecko/layout/generic/nsContainerFrame.cpp:186:19
#25 0x7ff72c9517cd in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7492:5
#26 0x7ff72c94b44d in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:8437:7
#27 0x7ff72c8e0d30 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1594:25
#28 0x7ff72c8e9705 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3164:9
#29 0x7ff72c8b0d86 in mozilla::RestyleManager::ProcessPendingRestyles() /gecko/layout/base/RestyleManager.cpp:3249:3
#30 0x7ff72c8af802 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4396:39
#31 0x7ff72959b91d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1465:5
#32 0x7ff72959b91d in mozilla::EventStateManager::FlushLayout(nsPresContext*) /gecko/dom/events/EventStateManager.cpp:5979:16
#33 0x7ff72959436c in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:780:7
#34 0x7ff72c8cec42 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8268:39
#35 0x7ff72c8c8736 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8237:17
#36 0x7ff72c8c7ada in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /gecko/layout/base/PresShell.cpp:7186:30
#37 0x7ff72c8c6145 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6989:12
#38 0x7ff72c8c4bf7 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6932:23
#39 0x7ff72c163920 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:679:18
#40 0x7ff72c163555 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1130:9
#41 0x7ff72c1dce50 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/PuppetWidget.cpp:352:37
#42 0x7ff725f3bc71 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:510:21
#43 0x7ff72b4bdcb3 in DispatchWidgetEventViaAPZ /gecko/dom/ipc/BrowserChild.cpp:1802:10
#44 0x7ff72b4bdcb3 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1765:3
#45 0x7ff72b4bfa1b in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1732:3
#46 0x7ff72b4bfc08 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1697:8
#47 0x7ff72b6664e1 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5585:80
#48 0x7ff72b720746 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8699:32
#49 0x7ff72517f2c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1756:25
#50 0x7ff72517c3bf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1681:9
#51 0x7ff72517cfee in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1481:3
#52 0x7ff72517e21e in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1579:14
#53 0x7ff7239ff9e9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
#54 0x7ff7239f6aa7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
#55 0x7ff7239f3d28 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
#56 0x7ff7239f4450 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
#57 0x7ff723a05b24 in operator() /gecko/xpcom/threads/TaskController.cpp:190:37
#58 0x7ff723a05b24 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#59 0x7ff723a28d20 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
#60 0x7ff723a334b4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#61 0x7ff725186ab3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
#62 0x7ff72500afb7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7ff72500afb7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7ff72500afb7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7ff72c25cad9 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
#66 0x7ff73123f268 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#67 0x7ff72500afb7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
#68 0x7ff72500afb7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
#69 0x7ff72500afb7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
#70 0x7ff73123e235 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#71 0x555bbc5082d4 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#72 0x555bbc508797 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
#73 0x7ff745d2e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#74 0x555bbc446d58 in _start (/home/worker/builds/m-c-20221114160131-fuzzing-asan-opt/firefox+0x111d58) (BuildId: af906ad682e541e574dd213dd02326c8caecd2e2)
Flags: in-testsuite?
See Also: → 1793410
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Just like setting it does, since at the very least it influences
:user-valid/:user-invalid matching.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/56f699fdd260
Clearing the form should update element state. r=edgar
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36964 for changes under testing/web-platform/tests
Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
Flags: in-testsuite? → in-testsuite+

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox108 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Upstream PR merged by moz-wptsync-bot
Flags: needinfo?(emilio)

Verified bug as fixed on rev mozilla-central 20221115051541-1adc82d1eb96.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Bug appears to be fixed on mozilla-central 20221115051541-1adc82d1eb96 but BugMon was unable to find a usable build for 1db8fd864320.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

FWIW, here's a slightly simplified version of the testcase which I generated locally, as a step towards coming up with a way of triggering other crashes of this for other bits (in service of bug 1793410).

(I haven't come up with other ways of crashing yet; but this testcase does crash just like the original one, in Nightlies from before the fix landed.)

Blocks: 1793410
See Also: 1793410