Closed Bug 1816474 Opened 2 years ago Closed 1 years ago

Assertion failure: !HasAnyStateBits(NS_FRAME_IS_DIRTY) || IsHiddenByContentVisibilityOfInFlowParentForLayout() (Must only be called on reflowed lines or those hidden by content-visibility.), at /layout/generic/nsIFrame.cpp:83

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
117 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- verified

People

(Reporter: jkratzer, Assigned: cathiechen)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Testcase
153 bytes, text/plain
Details
Bug 1816474 - Assertion failure: IsHiddenByContentVisibilityOfInFlowParentForLayout() in nsIFrame.cpp, r?emilio
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev 3387e4f266f0 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3387e4f266f0 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !HasAnyStateBits(NS_FRAME_IS_DIRTY) || IsHiddenByContentVisibilityOfInFlowParentForLayout() (Must only be called on reflowed lines or those hidden by content-visibility.), at /layout/generic/nsIFrame.cpp:83

    ==73839==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1ba2bb3c59 bp 0x7ffef3dfce10 sp 0x7ffef3dfce00 T73839)
    ==73839==The signal is caused by a WRITE memory access.
    ==73839==Hint: address points to the zero page.
        #0 0x7f1ba2bb3c59 in nsIFrame::CachedIsEmpty() /layout/generic/nsIFrame.cpp:8377:3
        #1 0x7f1ba2bfd31e in nsLineBox::CachedIsEmpty() /layout/generic/nsLineBox.cpp:335:17
        #2 0x7f1ba2adf809 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:3004:37
        #3 0x7f1ba2adb68b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1470:3
        #4 0x7f1ba2aff3aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1012:14
        #5 0x7f1ba2afe869 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:755:7
        #6 0x7f1ba2aff3aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1012:14
        #7 0x7f1ba2b48280 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:863:3
        #8 0x7f1ba2b4925b in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:1033:7
        #9 0x7f1ba2b4dd0d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1426:3
        #10 0x7f1ba2acffc7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1052:14
        #11 0x7f1ba2acf724 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:385:7
        #12 0x7f1ba29cb16f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9654:11
        #13 0x7f1ba29ef03f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9831:22
        #14 0x7f1ba29d4ae5 in DoFlushLayout /layout/base/PresShell.cpp:9902:10
        #15 0x7f1ba29d4ae5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4385:11
        #16 0x7f1b9ef6a98b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
        #17 0x7f1b9ef6a98b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10770:16
        #18 0x7f1b9e3efa34 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #19 0x7f1b9e3f0e65 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #20 0x7f1ba40c56de in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13868:23
        #21 0x7f1b9d6cc8cf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:628:22
        #22 0x7f1b9d6cddf3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10
        #23 0x7f1b9ef6f8b9 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11551:18
        #24 0x7f1b9ef3bb0b in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11489:9
        #25 0x7f1b9ef56888 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8016:3
        #26 0x7f1b9f006288 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #27 0x7f1b9f006288 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #28 0x7f1b9f006288 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #29 0x7f1b9d4b92b2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #30 0x7f1b9d4c38a5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #31 0x7f1b9d4beb1c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #32 0x7f1b9d4bd6ea in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #33 0x7f1b9d4bda45 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #34 0x7f1b9d4c7356 in operator() /xpcom/threads/TaskController.cpp:188:37
        #35 0x7f1b9d4c7356 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #36 0x7f1b9d4dca37 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1197:16
        #37 0x7f1b9d4e2e1d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #38 0x7f1b9e0e6053 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #39 0x7f1b9e007b78 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #40 0x7f1b9e007a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #41 0x7f1b9e007a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #42 0x7f1ba262fd08 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #43 0x7f1ba48863db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #44 0x7f1b9e0e6f19 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #45 0x7f1b9e007b78 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #46 0x7f1b9e007a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #47 0x7f1b9e007a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #48 0x7f1ba4885f38 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #49 0x55cbcc99dce0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #50 0x55cbcc99dce0 in main /browser/app/nsBrowserApp.cpp:353:18
        #51 0x7f1bb0c32d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #52 0x7f1bb0c32e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #53 0x55cbcc974348 in _start (/home/jkratzer/builds/m-c-20230202041118-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 7b82c05821e58cbc39219826e804a13e8dbb6a47)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsIFrame.cpp:8377:3 in nsIFrame::CachedIsEmpty()
    ==73839==ABORTING
Attached file Testcase
See Also: → 1748335

Verified bug as reproducible on mozilla-central 20230213170842-36b67e826e2d.
The bug appears to have been introduced in the following build range:

Start: 5cbd3d92a78c54b324b6009a25d196adaa8a669b (20221011093208)
End: 75c1403f58f79d1abd43d33fdd1beb36db9367c6 (20221011075004)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5cbd3d92a78c54b324b6009a25d196adaa8a669b&tochange=75c1403f58f79d1abd43d33fdd1beb36db9367c6

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

status-firefox112: --- → affected

:mrobinson could this have been caused by bug 1794415 based on the regression range in comment 2?

Flags: needinfo?(mrobinson)

:diannaS Yes, that's probably the culprit for this regression.

Flags: needinfo?(mrobinson)

Set release status flags based on info from the regressing bug 1794415

status-firefox-esr102: --- → unaffected

The severity field is not set for this bug.
:emilio, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Blocks: css-content-visibility
Severity: -- → S3
Flags: needinfo?(emilio)
Priority: -- → P3

Set release status flags based on info from the regressing bug 1794415

status-firefox113: --- → affected

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Assignee: nobody → cathiechen
Status: NEW → ASSIGNED

Hi @emilio @mrobinson,
I think this patch is ready for review now.
Unfortunately, the crash issue is not reproducible for me, so I couldn't be 100% sure that this crash issue is fixed by the patch.
However, there are some clues from the crash info and the frame tree below.
The frame tree:

    Canvas(html)(-1)@103b2e0c8 parent=103b2e198 (x=0, y=0, w=75900, h=37440) [content=10a00c070] [cs=1083e44f8:-moz-scrolled-canvas] <
      Block(html)(-1)@103b2e938 parent=103b2e0c8 (x=0, y=0, w=0, h=0) [content=10a00c070] [cs=108373978] <
        line@103b2ebe8 count=2 state=inline,clean,prevmarginclean,not-impacted,not-wrapped,no-break,clear-before:none,clear-after:none(x=0, y=0, w=0, h=0) <
          Text(1)"\n\n"@103b2ea00 parent=103b2e938 next=103b2eb68 (x=0, y=0, w=0, h=0) [content=10a010200] [cs=1083e46d8:-moz-text] [run=0][0,2,T] 
          Placeholder(body)(2)@103b2eb68 parent=103b2e938 (x=0, y=0, w=0, h=0) [content=10a00c190] [cs=1083e47c8:-moz-oof-placeholder] outOfFlowFrame=Block(body)(2)@103b2eaa0
        >
        FloatList@103b2e9f0 <
          Block(body)(2)@103b2eaa0 parent=103b2e938 (x=480, y=480, w=-559038737, h=-559038737) ink-overflow=(x=0, y=0, w=0, h=0) scr-overflow=(x=0, y=0, w=0, h=0) [content=10a00c190] [cs=108373c48] <
          >
        >
      >
    >

This crash is caused by

  MOZ_ASSERT(!HasAnyStateBits(NS_FRAME_IS_DIRTY) ||
                 IsHiddenByContentVisibilityOfInFlowParentForLayout(),
             "Must only be called on reflowed lines or those hidden by "
             "content-visibility.");

From the frame tree, the line has two frames: Text(1)"\n\n"@103b2ea00 and Placeholder(body)(2)@103b2eb68, and the value of IsHiddenByContentVisibilityOfInFlowParentForLayout() for each are true and false.
So the MOZ_ASSERT could probably be happening when check for Placeholder(body)(2)@103b2eb68, which is not hidden by ContentVisibility because its value of Style()->IsAnonBox() && !IsFrameOfType(nsIFrame::eLineParticipant) is true. And it is not reflowed, because in nsBlockFrame::ReflowLine, if the first child (Text(1)"\n\n"@103b2ea00) is hidden, ReflowLine would return directly.

To fix this, the patch adds adjust to nsBlockFrame::ReflowLine to make sure the line with a certain anonymous frame won't skip reflow. And it also fixes some other assertions in this test case.
PTAL, thanks:)

Pushed by surkov.alexander@gmail.com: https://hg.mozilla.org/integration/autoland/rev/df6629fd2971 Assertion failure: IsHiddenByContentVisibilityOfInFlowParentForLayout() in nsIFrame.cpp, r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/41063 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/df6629fd2971

Status: ASSIGNED → RESOLVED
Closed: 1 years ago
status-firefox117: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20230718092538-35e42e5979da.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox117: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: