Closed Bug 1847329 Opened 2 years ago Closed 2 months ago

Assertion failure: false (Duplicate display item!), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:139

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
143 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- verified

People

(Reporter: tsmith, Assigned: tnikkel)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
236 bytes, text/html
Details
Bug 1847329. Don't put area elements (which don't have their own frames) into the top layer when painting. r?#layout-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20230802-323a980eddb1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (Duplicate display item!), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:139

#0 0x7fef6a96779e in mozilla::AssertUniqueItem(mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:139:7
#1 0x7fef6a9a0712 in mozilla::nsDisplayBackgroundColor* mozilla::MakeDisplayItemWithIndex<mozilla::nsDisplayBackgroundColor, nsIFrame, nsRect&, mozilla::ComputedStyle const*&, unsigned int&>(mozilla::nsDisplayListBuilder*, nsIFrame*, unsigned short, nsRect&, mozilla::ComputedStyle const*&, unsigned int&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:1991:5
#2 0x7fef6a9741b0 in MakeDisplayItem<mozilla::nsDisplayBackgroundColor, nsIFrame, nsRect &, const mozilla::ComputedStyle *&, unsigned int &> /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2016:10
#3 0x7fef6a9741b0 in CreateBackgroundColor /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3071:10
#4 0x7fef6a9741b0 in mozilla::nsDisplayBackgroundImage::AppendBackgroundItemsToTop(mozilla::nsDisplayListBuilder*, nsIFrame*, nsRect const&, mozilla::nsDisplayList*, bool, nsRect const&, nsIFrame*, mozilla::Maybe<mozilla::nsDisplayListBuilder::AutoBuildingDisplayList>*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3203:40
#5 0x7fef6a726167 in nsIFrame::DisplayBackgroundUnconditional(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2649:7
#6 0x7fef6a69b148 in nsIFrame::DisplayBorderBackgroundOutline(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2673:21
#7 0x7fef6a728791 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3467:5
#8 0x7fef6a64ef0f in BuildDisplayListForTopLayerFrame(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayList*) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:129:11
#9 0x7fef6a64dff2 in mozilla::ViewportFrame::BuildDisplayListForTopLayer(mozilla::nsDisplayListBuilder*, bool*) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:217:7
#10 0x7fef6a6e1cab in nsHTMLScrollFrame::MaybeCreateTopLayerAndWrapRootItems(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListCollection&, bool, AutoContainsBlendModeCapturer*, nsRect const&, int*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3691:23
#11 0x7fef6a6e40c7 in nsHTMLScrollFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4219:3
#12 0x7fef6a69cd4d in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4314:14
#13 0x7fef6a64dc08 in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:66:3
#14 0x7fef6a728791 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3467:5
#15 0x7fef6a5e882f in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3364:15
#16 0x7fef6a551ca4 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6415:5
#17 0x7fef6a0f00b6 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#18 0x7fef6a0efaef in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#19 0x7fef6a0f11a0 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#20 0x7fef6a0edeb3 in nsViewManager::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:574:7
#21 0x7fef6a0edda4 in nsView::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsView.cpp:1065:7
#22 0x7fef6a12c397 in mozilla::widget::PuppetWidget::Paint() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:976:31
#23 0x7fef6a12c2c1 in mozilla::widget::PuppetWidget::WidgetPaintTask::Run() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:964:14
#24 0x7fef64b31f77 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
#25 0x7fef64b29b03 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#26 0x7fef64b28357 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#27 0x7fef64b287b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#28 0x7fef64b35c96 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#29 0x7fef64b35c96 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#30 0x7fef64b4c4aa in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#31 0x7fef64b5330d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#32 0x7fef657fbcf5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#33 0x7fef65716bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#34 0x7fef65716bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#35 0x7fef6a15b5f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#36 0x7fef6c49c8ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#37 0x7fef657fcbd6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x7fef65716bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7fef65716bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7fef6c49c0fc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#41 0x558e09be7676 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x558e09be7676 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#43 0x7fef78a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#44 0x7fef78a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#45 0x558e09bbe918 in _start (/home/user/workspace/browsers/m-c-20230804093527-fuzzing-debug/firefox-bin+0x58918) (BuildId: adca44d47b2806df6dca8e33ad503c5c606ef572)
Flags: in-testsuite?
Keywords: pernosco-wanted

Verified bug as reproducible on mozilla-central 20230804211014-8b506ab41451.
The bug appears to have been introduced in the following build range:

Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco, regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1815913

Set release status flags based on info from the regressing bug 1815913

:sefeng, since you are the author of the regressor, bug 1815913, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox116: --- → affected
status-firefox117: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr115: --- → affected
Flags: needinfo?(sefeng)

A pernosco session for this bug can be found here.

This is a low priority crash, I'll just add this one to my TODO list.

Flags: needinfo?(sefeng)
Flags: needinfo?(sefeng)

Clear my NI given I won't be able to work on this

Flags: needinfo?(sefeng)
Assignee: nobody → tnikkel
Severity: -- → S3

Neither Chrome nor Safari support full screening an area element.

Pushed by tnikkel@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/7859b66f13aa https://hg.mozilla.org/integration/autoland/rev/86b451a772ae Don't put area elements (which don't have their own frames) into the top layer when painting. r=layout-reviewers,emilio

https://hg.mozilla.org/mozilla-central/rev/86b451a772ae

Status: NEW → RESOLVED
Closed: 2 months ago
status-firefox143: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch

Verified bug as fixed on rev mozilla-central 20250723155040-c6c802b9d454.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox143: fixedverified
Keywords: bugmon
status-firefox141: --- → wontfix
status-firefox142: --- → wontfix
status-firefox-esr128: --- → wontfix
status-firefox-esr140: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: