Closed Bug 1821416 Opened 2 years ago Closed 2 years ago

Assertion failure: aReferenceElement == mSource.mElement, at /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185

Categories

(Core :: DOM: Animation, defect)

Tracking

VERIFIED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- unaffected
firefox112 --- wontfix
firefox113 --- verified

People

(Reporter: tsmith, Assigned: boris)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html

Found while fuzzing m-c 20230308-64b0a4a734ea (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aReferenceElement == mSource.mElement, at /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185

#0 0x7fe32b9c69a2 in mozilla::dom::ScrollTimeline::ReplacePropertiesWith(mozilla::dom::Element const*, mozilla::StyleScrollTimeline const&) /builds/worker/checkouts/gecko/dom/animation/ScrollTimeline.cpp:185:3
#1 0x7fe32f789b84 in BuildTimelines<mozilla::StyleScrollTimeline, mozilla::dom::ScrollTimeline> /builds/worker/checkouts/gecko/layout/style/TimelineManager.cpp:93:13
#2 0x7fe32f789b84 in void mozilla::TimelineManager::DoUpdateTimelines<mozilla::StyleScrollTimeline, mozilla::dom::ScrollTimeline>(nsPresContext*, mozilla::dom::Element*, mozilla::PseudoStyleType, nsStyleAutoArray<mozilla::StyleScrollTimeline> const&, unsigned long) /builds/worker/checkouts/gecko/layout/style/TimelineManager.cpp:129:23
#3 0x7fe32f74583f in Gecko_UpdateAnimations /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:563:37
#4 0x7fe3349a8c7b in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::hfc42875f1b871eb6 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1481:13
#5 0x7fe3345855a0 in style::context::SequentialTask$LT$E$GT$::execute::h6f30728719c17694 /builds/worker/checkouts/gecko/servo/components/style/context.rs:491:17
#6 0x7fe3345855a0 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hcbaf5fdc2bac81c4 /builds/worker/checkouts/gecko/servo/components/style/context.rs:560:13
#7 0x7fe3345855a0 in core::ptr::drop_in_place$LT$style..context..SequentialTaskList$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::h96bf931c856f7571 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ptr/mod.rs:490:1
#8 0x7fe3345855a0 in core::ptr::drop_in_place$LT$style..context..ThreadLocalStyleContext$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::h3031658830360262 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ptr/mod.rs:490:1
#9 0x7fe3345e9726 in style::driver::traverse_dom::ha4f1d8078f09ad25 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:191:1
#10 0x7fe33469714f in geckoservo::glue::traverse_subtree::h057e3a6a5aaa7b6a /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:288:5
#11 0x7fe3346975d9 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:348:5
#12 0x7fe32f779b19 in mozilla::ServoStyleSet::StyleNewSubtree(mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:901:7
#13 0x7fe32f858812 in nsCSSFrameConstructor::CreateGeneratedContentItem(nsFrameConstructorState&, nsContainerFrame*, mozilla::dom::Element&, mozilla::ComputedStyle&, mozilla::PseudoStyleType, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1899:29
#14 0x7fe32f868ab3 in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11239:5
#15 0x7fe32f859443 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5440:5
#16 0x7fe32f8683a8 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5180:3
#17 0x7fe32f868a51 in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11232:5
#18 0x7fe32f859443 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5440:5
#19 0x7fe32f8683a8 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5180:3
#20 0x7fe32f85b6bc in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9781:9
#21 0x7fe32f85f248 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10655:3
#22 0x7fe32f8635c1 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4607:3
#23 0x7fe32f8647a2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3748:16
#24 0x7fe32f868d94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5580:3
#25 0x7fe32f85a26e in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9517:5
#26 0x7fe32f85bb8f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9799:3
#27 0x7fe32f85f248 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10655:3
#28 0x7fe32f8635c1 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4607:3
#29 0x7fe32f8647a2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3748:16
#30 0x7fe32f868d94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5580:3
#31 0x7fe32f85a26e in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9517:5
#32 0x7fe32f86cb9d in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7195:3
#33 0x7fe32f82ea2d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1595:25
#34 0x7fe32f8358d4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3168:9
#35 0x7fe32f80dad0 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3253:3
#36 0x7fe32f80d039 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4335:39
#37 0x7fe32f7d06c3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2623:22
#38 0x7fe32f7d9f7d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#39 0x7fe32f7d9f7d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#40 0x7fe32f7d9e83 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#41 0x7fe32f7d9d60 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#42 0x7fe32f7d90ca in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#43 0x7fe32f7d8896 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#44 0x7fe32f7d83a9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#45 0x7fe32f7d7fbd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#46 0x7fe32eb96a6b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#47 0x7fe32ee922c3 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:228:78
#48 0x7fe32ed67c46 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8785:32
#49 0x7fe32ad826ba in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#50 0x7fe32ad7f337 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#51 0x7fe32ad7fe65 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#52 0x7fe32ad8119f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#53 0x7fe32a115915 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#54 0x7fe32a110a68 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#55 0x7fe32a10f66a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
#56 0x7fe32a10f9c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#57 0x7fe32a119316 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#58 0x7fe32a119316 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#59 0x7fe32a12f4f7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#60 0x7fe32a1359ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#61 0x7fe32ad88603 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#62 0x7fe32aca9fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7fe32aca9ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7fe32aca9ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7fe32f457878 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#66 0x7fe3316bd32b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#67 0x7fe32ad894c9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#68 0x7fe32aca9fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#69 0x7fe32aca9ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#70 0x7fe32aca9ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#71 0x7fe3316bce88 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#72 0x556c6397cdf0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x556c6397cdf0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#74 0x7fe33db59d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#75 0x7fe33db59e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#76 0x556c63953458 in _start (/home/user/workspace/browsers/m-c-20230309162312-fuzzing-debug/firefox-bin+0x5b458) (BuildId: c62b6a9559d84a76627000e3d4d860c545858f8d)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230309214328-8aea0e783414.
The bug appears to have been introduced in the following build range:

Start: 9fa6f54ca6d9ee69e0f0750b09c65f5a0529ee42 (20230308040003)
End: e48d9c77a7593b2574a24a25464ef91f0270872b (20230308002521)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa6f54ca6d9ee69e0f0750b09c65f5a0529ee42&tochange=e48d9c77a7593b2574a24a25464ef91f0270872b

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:boris from the regression range, this looks like it was introduced by bug 1814786 in fx112

Flags: needinfo?(boris.chiou)
Assignee: nobody → boris.chiou
Flags: needinfo?(boris.chiou)

We hit this assertion because the generated content may get changed and so
there are two possible ways to fix this assertion:

  1. Recreate the ScrollTimeline object if the scroller element is changed.
    However, this may make us register the ScrollTimeline object to
    ScrollTimelineSet frequently.
  2. Avoid creating the ScrollTimeline object for pseudo elements.

I take the 2nd option because I think the animatable pseudo elements
(i.e. :before, :after, and :marker) cannot be the scroll containers,
so even if we specify scroll-timeline-name on them, these timelines
shouldn't be referenceable, so it's not necessary to create them.

Set release status flags based on info from the regressing bug 1814786

And let ElementAnimationData store ScrollTimelineSet. Also, we avoid
using the generated content in ScrollTimeline::Scroller. Instead, we use a
pair of Element and PseudoStyleType to represent ScrollTimeline::Scroller.
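
A simplified model of the two identities discussed in the patch descriptions above, added here as an illustration; it is not Gecko code, and every type and function name in it is hypothetical. It assumes generated content is rebuilt as a new object on each reframe, and contrasts a timeline that remembers that object with a key made of the originating element plus the pseudo type.

```cpp
// Simplified model, not Gecko source: every name below is hypothetical.
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class PseudoType { NotPseudo, Before, After, Marker };
struct Element { std::string label; };

// A host element plus the generated-content node built for its ::before.
// Assumption: every reframe builds a new node, so its address is not stable.
struct Host {
  Element originating{"div"};
  std::vector<std::unique_ptr<Element>> generated;  // old nodes stay alive
  const Element* Reframe() {
    generated.push_back(std::make_unique<Element>(Element{"::before"}));
    return generated.back().get();
  }
};

// "Before" shape: the timeline remembers the generated node itself.
struct PointerKeyedTimeline {
  const Element* source;
  // false marks the spot where a debug build would hit the assertion.
  bool SameSource(const Element* reference) const { return reference == source; }
};

bool pointer_identity_survives_reframe() {
  Host host;
  PointerKeyedTimeline timeline{host.Reframe()};
  return timeline.SameSource(host.Reframe());  // second reframe, new node
}

// "After" shape: identity is (originating element, pseudo type).
using ScrollerKey = std::pair<const Element*, PseudoType>;
bool pair_identity_survives_reframe() {
  Host host;
  host.Reframe();
  ScrollerKey first{&host.originating, PseudoType::Before};
  host.Reframe();
  return first == ScrollerKey{&host.originating, PseudoType::Before};
}

// Option 2: named timelines are only created for non-pseudo elements.
std::size_t timelines_created_for(PseudoType pseudo) {
  Host host;
  std::map<ScrollerKey, std::string> named;
  for (int reframe = 0; reframe < 2; ++reframe) {
    host.Reframe();
    if (pseudo != PseudoType::NotPseudo) continue;  // skip ::before etc.
    named[ScrollerKey{&host.originating, pseudo}] = "--timeline";
  }
  return named.size();
}

int main() {  // exit status 0 when the model behaves as described
  return pointer_identity_survives_reframe() || !pair_identity_survives_reframe();
}
```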

Duplicate of this bug: 1821805
Attachment #9322504 - Attachment is obsolete: true
Pushed by bchiou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eb1e0edad072 Drop the element property usage from ScrollTimelineSet. r=emilio
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

Verified bug as fixed on rev mozilla-central 20230317044730-f3211521687b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:boris, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(boris.chiou)

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #10)

The patch landed in nightly and beta is affected.
:boris, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

No need to uplift because the pref is off.

Flags: needinfo?(boris.chiou)
Blocks: 1825652