Assertion failure: aReferenceElement == mSource.mElement, at /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185
Categories
(Core :: DOM: Animation, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox110 | --- | unaffected |
firefox111 | --- | unaffected |
firefox112 | --- | wontfix |
firefox113 | --- | verified |
People
(Reporter: tsmith, Assigned: boris)
References
(Blocks 3 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files, 1 obsolete file)
Found while fuzzing m-c 20230308-64b0a4a734ea (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aReferenceElement == mSource.mElement, at /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185
#0 0x7fe32b9c69a2 in mozilla::dom::ScrollTimeline::ReplacePropertiesWith(mozilla::dom::Element const*, mozilla::StyleScrollTimeline const&) /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185:3
#1 0x7fe32f789b84 in BuildTimelines<mozilla::StyleScrollTimeline, mozilla::dom::ScrollTimeline> /builds/worker/checkouts/gecko/layout/style/TimelineManager.cpp:93:13
#2 0x7fe32f789b84 in void mozilla::TimelineManager::DoUpdateTimelines<mozilla::StyleScrollTimeline, mozilla::dom::ScrollTimeline>(nsPresContext*, mozilla::dom::Element*, mozilla::PseudoStyleType, nsStyleAutoArray<mozilla::StyleScrollTimeline> const&, unsigned long) /builds/worker/checkouts/gecko/layout/style/TimelineManager.cpp:129:23
#3 0x7fe32f74583f in Gecko_UpdateAnimations /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:563:37
#4 0x7fe3349a8c7b in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::hfc42875f1b871eb6 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1481:13
#5 0x7fe3345855a0 in style::context::SequentialTask$LT$E$GT$::execute::h6f30728719c17694 /builds/worker/checkouts/gecko/servo/components/style/context.rs:491:17
#6 0x7fe3345855a0 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hcbaf5fdc2bac81c4 /builds/worker/checkouts/gecko/servo/components/style/context.rs:560:13
#7 0x7fe3345855a0 in core::ptr::drop_in_place$LT$style..context..SequentialTaskList$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::h96bf931c856f7571 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ptr/mod.rs:490:1
#8 0x7fe3345855a0 in core::ptr::drop_in_place$LT$style..context..ThreadLocalStyleContext$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::h3031658830360262 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ptr/mod.rs:490:1
#9 0x7fe3345e9726 in style::driver::traverse_dom::ha4f1d8078f09ad25 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:191:1
#10 0x7fe33469714f in geckoservo::glue::traverse_subtree::h057e3a6a5aaa7b6a /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:288:5
#11 0x7fe3346975d9 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:348:5
#12 0x7fe32f779b19 in mozilla::ServoStyleSet::StyleNewSubtree(mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:901:7
#13 0x7fe32f858812 in nsCSSFrameConstructor::CreateGeneratedContentItem(nsFrameConstructorState&, nsContainerFrame*, mozilla::dom::Element&, mozilla::ComputedStyle&, mozilla::PseudoStyleType, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1899:29
#14 0x7fe32f868ab3 in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11239:5
#15 0x7fe32f859443 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5440:5
#16 0x7fe32f8683a8 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5180:3
#17 0x7fe32f868a51 in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11232:5
#18 0x7fe32f859443 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5440:5
#19 0x7fe32f8683a8 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5180:3
#20 0x7fe32f85b6bc in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9781:9
#21 0x7fe32f85f248 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10655:3
#22 0x7fe32f8635c1 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4607:3
#23 0x7fe32f8647a2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3748:16
#24 0x7fe32f868d94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5580:3
#25 0x7fe32f85a26e in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9517:5
#26 0x7fe32f85bb8f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9799:3
#27 0x7fe32f85f248 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10655:3
#28 0x7fe32f8635c1 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4607:3
#29 0x7fe32f8647a2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3748:16
#30 0x7fe32f868d94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5580:3
#31 0x7fe32f85a26e in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9517:5
#32 0x7fe32f86cb9d in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7195:3
#33 0x7fe32f82ea2d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1595:25
#34 0x7fe32f8358d4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3168:9
#35 0x7fe32f80dad0 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3253:3
#36 0x7fe32f80d039 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4335:39
#37 0x7fe32f7d06c3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2623:22
#38 0x7fe32f7d9f7d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#39 0x7fe32f7d9f7d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#40 0x7fe32f7d9e83 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#41 0x7fe32f7d9d60 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#42 0x7fe32f7d90ca in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#43 0x7fe32f7d8896 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#44 0x7fe32f7d83a9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#45 0x7fe32f7d7fbd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#46 0x7fe32eb96a6b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#47 0x7fe32ee922c3 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:228:78
#48 0x7fe32ed67c46 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8785:32
#49 0x7fe32ad826ba in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#50 0x7fe32ad7f337 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#51 0x7fe32ad7fe65 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#52 0x7fe32ad8119f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#53 0x7fe32a115915 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#54 0x7fe32a110a68 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#55 0x7fe32a10f66a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
#56 0x7fe32a10f9c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#57 0x7fe32a119316 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#58 0x7fe32a119316 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#59 0x7fe32a12f4f7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#60 0x7fe32a1359ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#61 0x7fe32ad88603 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#62 0x7fe32aca9fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7fe32aca9ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7fe32aca9ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7fe32f457878 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#66 0x7fe3316bd32b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#67 0x7fe32ad894c9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#68 0x7fe32aca9fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#69 0x7fe32aca9ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#70 0x7fe32aca9ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#71 0x7fe3316bce88 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#72 0x556c6397cdf0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x556c6397cdf0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#74 0x7fe33db59d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#75 0x7fe33db59e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#76 0x556c63953458 in _start (/home/user/workspace/browsers/m-c-20230309162312-fuzzing-debug/firefox-bin+0x5b458) (BuildId: c62b6a9559d84a76627000e3d4d860c545858f8d)
Comment 1•2 years ago
Verified bug as reproducible on mozilla-central 20230309214328-8aea0e783414.
The bug appears to have been introduced in the following build range:
Start: 9fa6f54ca6d9ee69e0f0750b09c65f5a0529ee42 (20230308040003)
End: e48d9c77a7593b2574a24a25464ef91f0270872b (20230308002521)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa6f54ca6d9ee69e0f0750b09c65f5a0529ee42&tochange=e48d9c77a7593b2574a24a25464ef91f0270872b
Comment 2•2 years ago
:boris from the regression range, this looks like it was introduced by bug 1814786 in fx112
Comment 3•2 years ago (Assignee)
We hit this assertion because the generated content may get changed and so
there are two possible ways to fix this assertion:
- Recreate the ScrollTimeline object if the scroller element is changed.
  However, this may make us register the ScrollTimeline object to
  ScrollTimelineSet frequently.
- Avoid creating the ScrollTimeline object for pseudo elements.

I take the 2nd option because I think the animatable pseudo elements
(i.e. :before, :after, and :marker) cannot be the scroll containers,
so even if we specify scroll-timeline-name on them, these timelines
shouldn't be referenceable, so it's not necessary to create them.
Comment 4•2 years ago
Set release status flags based on info from the regressing bug 1814786
Comment 5•2 years ago (Assignee)
And let ElementAnimationData store ScrollTimelineSet. Also, we avoid
using the generated content in ScrollTimeline::Scroller. Instead, we use a
pair of Element and PseudoStyleType to represent ScrollTimeline::Scroller.
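A simplified model of the trade-off discussed in comments 3 and 5, added here as an illustration and not taken from the Gecko patch: it replays style updates for one element's ::before while the generated-content node is rebuilt, and compares caching the node pointer, recreating the timeline on change, and keying by the (element, pseudo type) pair. All type and function names (`Node`, `Pseudo`, `Strategy`, `Replay`, `RunSample`) are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <map>
#include <utility>
#include <vector>

// Simplified model for illustration; these are not Gecko's real classes.
enum class Pseudo { None, Before, After, Marker };
struct Node { int id; };

struct Result {
  std::size_t registrations = 0;  // times a timeline was added to the set
  std::size_t mismatches = 0;     // times the cached source != reference
};

enum class Strategy { ReuseByNode, RecreateOnChange, KeyByPair };

// Replays style updates for one host element's ::before. Each entry of
// `generated` is the generated-content node alive at that update; a new
// pointer means the generated content was rebuilt.
Result Replay(Strategy strategy, const Node* host,
              const std::vector<const Node*>& generated) {
  Result r;
  const Node* cachedNode = nullptr;                       // node-based strategies
  std::map<std::pair<const Node*, Pseudo>, bool> byPair;  // KeyByPair
  for (const Node* ref : generated) {
    switch (strategy) {
      case Strategy::ReuseByNode:
        if (!cachedNode) { cachedNode = ref; ++r.registrations; }
        else if (cachedNode != ref) ++r.mismatches;  // the asserted condition
        break;
      case Strategy::RecreateOnChange:  // first option in comment 3
        if (cachedNode != ref) { cachedNode = ref; ++r.registrations; }
        break;
      case Strategy::KeyByPair:  // representation described in comment 5
        if (byPair.emplace(std::make_pair(host, Pseudo::Before), true).second)
          ++r.registrations;
        break;
    }
  }
  return r;
}

// Constructed input: the ::before node is rebuilt twice across four updates.
Result RunSample(Strategy strategy) {
  Node host{0}, a{1}, b{2}, c{3};
  return Replay(strategy, &host, {&a, &a, &b, &c});
}
```

In this model the node-pointer cache sees two mismatches, recreating on change registers three times, and the pair key registers once with no mismatch.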
Comment 8•2 years ago
bugherder
Comment 9•2 years ago
Verified bug as fixed on rev mozilla-central 20230317044730-f3211521687b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 10•2 years ago
The patch landed in nightly and beta is affected.
:boris, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox112 to wontfix.
For more information, please visit auto_nag documentation.
Comment 11•2 years ago (Assignee)
(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #10)
> The patch landed in nightly and beta is affected.
> :boris, is this bug important enough to require an uplift?
> - If yes, please nominate the patch for beta approval.
> - If no, please set status-firefox112 to wontfix.
>
> For more information, please visit auto_nag documentation.

No need to uplift because the pref is off.