Closed Bug 1804806 Opened 4 months ago Closed 3 months ago

Hit MOZ_CRASH(Element state change during style refresh (3072)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3280

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

RESOLVED DUPLICATE of bug 1651070
Tracking Status
firefox109 --- affected

People

(Reporter: tsmith, Assigned: dshin)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20221208-5b38548871de (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Element state change during style refresh (3072)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3280

#0 0x7f6998569e12 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f6998569e12 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3278:5
#2 0x7f69985699cc in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4531:37
#3 0x7f6994c03bbf in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8087:3
#4 0x7f6994c50ef7 in mozilla::dom::Element::UpdateState(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:386:14
#5 0x7f6996bd3b23 in nsIConstraintValidation::SetValidityState(nsIConstraintValidation::ValidityStateType, bool) /builds/worker/checkouts/gecko/dom/html/nsIConstraintValidation.cpp:112:13
#6 0x7f6996b12e61 in UpdateStepMismatchValidityState /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6621:3
#7 0x7f6996b12e61 in mozilla::dom::HTMLInputElement::UpdateAllValidityStatesButNotElementState() /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6645:3
#8 0x7f6996b11fbf in UpdateAllValidityStates /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6630:3
#9 0x7f6996b11fbf in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6731:3
#10 0x7f6996bb1240 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2707:47
#11 0x7f6996b953fe in SetValue /builds/worker/checkouts/gecko/dom/html/TextControlState.h:283:12
#12 0x7f6996b953fe in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2470:26
#13 0x7f6998812c68 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:148:25
#14 0x7f69988098e2 in nsNumberControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsNumberControlFrame.cpp:47:23
#15 0x7f6998688d85 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6501:20
#16 0x7f69986872a1 in DoRemoveFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.h:557:5
#17 0x7f69986872a1 in nsBlockFrame::RemoveFrame(mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5801:5
#18 0x7f69985cceaf in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7597:5
#19 0x7f69985c900f in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8572:7
#20 0x7f6998589950 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1593:25
#21 0x7f69985907e4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3163:9
#22 0x7f6998568ff0 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3248:3
#23 0x7f699856854f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4423:39
#24 0x7f699852c213 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2605:22
#25 0x7f699853595d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#26 0x7f699853595d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
#27 0x7f6998535863 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#28 0x7f6998535740 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
#29 0x7f6998534aaa in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
#30 0x7f6998534266 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
#31 0x7f6998533d79 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#32 0x7f699853398d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
#33 0x7f69979f1e6b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#34 0x7f6997c78b88 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#35 0x7f6997b8c0bb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8728:32
#36 0x7f6993da3d2a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#37 0x7f6993da0987 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#38 0x7f6993da14d5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#39 0x7f6993da280f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#40 0x7f6993198915 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#41 0x7f6993193efc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#42 0x7f6993192aca in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#43 0x7f6993192e25 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#44 0x7f699319c289 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:37
#45 0x7f699319c289 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#46 0x7f69931b1ba8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#47 0x7f69931b831d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#48 0x7f6993da95b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#49 0x7f6993cce598 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#50 0x7f6993cce4a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#51 0x7f6993cce4a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#52 0x7f69981da938 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#53 0x7f699a40784b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#54 0x7f6993daa4c9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#55 0x7f6993cce598 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#56 0x7f6993cce4a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#57 0x7f6993cce4a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#58 0x7f699a406ddc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#59 0x5558b0fe2ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x5558b0fe2ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#61 0x7f69a8681d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#62 0x7f69a8681e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#63 0x5558b0fb9308 in _start (/home/user/workspace/browsers/m-c-20221208153054-fuzzing-debug/firefox-bin+0x5b308) (BuildId: cf3f3feb87a6f6cf895057243eae02a02822a19c)
Flags: in-testsuite?
See Also: → 1793410
Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Blocks: 1793410
See Also: 1793410

Verified bug as reproducible on mozilla-central 20221209160025-4af9c56eb6d8.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 026fe822049a08d53bd3d711c2e7aa0dd06c19c5 (20211210053159)
End: 5b38548871dee65439a5f352fe4080ef4f0b2351 (20221208153054)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]
Assignee: nobody → dshin
Attached file testcase 2

Here's a somewhat reduced/simplified testcase.

Attached file Reduced Test Case

Reduced test case that avoids animation/keygen stuff.
If we comment out the last two lines of the timeout callback, the number field contains ۰٫۲۴, which translates from Urdu to English as 0.24. If we examine b.validationMessage, it says: "Please select a valid value. The two nearest valid values are ۰ and ۱." Because the value is not specified outright, and the step size is 1, we consider values 0 and 1 to be valid but not 0.24.

If we comment out the last line of the timeout callback, and examine b.validationMessage, it says: "Please enter a number." Since the language context changed to Hebrew, this behaviour makes sense.

Seems that when we uncomment all timeout callback lines, we cause the reconstruction of the layout element for b, and the change in validity above leads to the crash.
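As an added illustration (not the attached testcase and not Gecko code), here is a small model of why the same digit string yields a step mismatch under one lang and bad input under another: the validity state of a number control depends on which digits the current locale accepts, so a lang change alone flips the state. The digit tables and the lang-to-digit-set mapping are assumptions made for the illustration.

```javascript
// Constructed digit sets: ASCII and Extended Arabic-Indic (U+06F0..U+06F9, used for Urdu/Persian).
const DIGIT_SETS = {
  latin: { digits: '0123456789', decimal: '.' },
  arabext: {
    digits: Array.from({ length: 10 }, (_, i) => String.fromCharCode(0x06f0 + i)).join(''),
    decimal: '\u066B', // Arabic decimal separator, rendered as ٫
  },
};
// Assumed mapping from lang attribute to the digit set the number control accepts.
const LOCALE_DIGITS = { ur: 'arabext', fa: 'arabext', he: 'latin', en: 'latin' };

// Sample input (constructed): the string the comment reports, ۰٫۲۴, i.e. 0.24 in Extended Arabic-Indic digits.
const SAMPLE_VALUE = '\u06F0\u066B\u06F2\u06F4';

// Convert a localized numeric string to a JS number; NaN when a character is outside the locale's digit set.
function parseLocalizedNumber(text, lang) {
  const set = DIGIT_SETS[LOCALE_DIGITS[lang] ?? 'latin'];
  let ascii = '';
  for (const ch of text) {
    if (ch === '-') { ascii += ch; continue; }
    if (ch === set.decimal) { ascii += '.'; continue; }
    const d = set.digits.indexOf(ch);
    if (d < 0) return NaN;
    ascii += String(d);
  }
  return /^-?\d+(\.\d+)?$/.test(ascii) ? Number(ascii) : NaN;
}

// HTML constraint validation for type=number: the step base is min (default 0) and step defaults to 1.
// Returns the two validity flags the comment observes plus the two nearest valid values on a mismatch.
function numberValidity(text, lang, { min = 0, step = 1 } = {}) {
  const value = parseLocalizedNumber(text, lang);
  if (Number.isNaN(value)) {
    return { badInput: true, stepMismatch: false, nearest: null }; // "Please enter a number."
  }
  const k = (value - min) / step;
  const mismatch = Math.abs(k - Math.round(k)) > 1e-9;
  const nearest = mismatch ? [min + Math.floor(k) * step, min + Math.ceil(k) * step] : null;
  return { badInput: false, stepMismatch: mismatch, nearest };
}

// Under lang=ur the value parses and is a step mismatch between 0 and 1; under lang=he it is bad input.
console.log(numberValidity(SAMPLE_VALUE, 'ur'), numberValidity(SAMPLE_VALUE, 'he'));
```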

This is bug 1651070, actually.
The reason :dholbert's case in bug 1804806 comment 2 crashes is that it calls the wrong update - UpdateValidityState is only valid for datetime inputs, and we actually hit the warning: "'!IsDateTimeInputType(mType)', file /home/dshin/mozilla-unified/dom/html/HTMLInputElement.cpp:2249"
Really, it should be UpdateBadInputValidityState. (UpdateValidityState should be renamed to be datetime specific as well).

Status: NEW → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1651070
Resolution: --- → DUPLICATE
No longer blocks: 1793410

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon