1856017 - Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4110

Status: RESOLVED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230928-2c0444cfb7d6 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

This issue is easily discovered by fuzzers and is reported frequently, marking as fuzzblocker.

Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4110

#0 0x7fabfc08b840 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4107:9
#1 0x7fabfc08599a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9707:3
#2 0x7fabfc08fdb4 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3886:9
#3 0x7fabfc094415 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5548:3
#4 0x7fabfc084669 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9492:5
#5 0x7fabfc08a809 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4253:5
#6 0x7fabfc08e5ae in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4541:48
#7 0x7fabfc08f779 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3758:16
#8 0x7fabfc094415 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5548:3
#9 0x7fabfc084669 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9492:5
#10 0x7fabfc0861fb in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9779:3
#11 0x7fabfc08fdb4 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3886:9
#12 0x7fabfc094415 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5548:3
#13 0x7fabfc084669 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9492:5
#14 0x7fabfc09a6fa in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6687:3
#15 0x7fabfc056305 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1608:27
#16 0x7fabfc05d284 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3241:9
#17 0x7fabfc0309d5 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3326:3
#18 0x7fabfc02fb6e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4346:39
#19 0x7fabf83598f2 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
#20 0x7fabf83598f2 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10921:16
#21 0x7fabf773d93e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:740:14
#22 0x7fabf773ee14 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#23 0x7fabfd6ea0ef in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13900:23
#24 0x7fabf696c2ef in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#25 0x7fabf696d830 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#26 0x7fabf835e79c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11706:18
#27 0x7fabf83448d4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8156:3
#28 0x7fabf83f3ec9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#29 0x7fabf83f3ec9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#30 0x7fabf83f3ec9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#31 0x7fabf83f3ec9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#32 0x7fabf83f3ec9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#33 0x7fabf83f3ec9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#34 0x7fabf83f3ec9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#35 0x7fabf672e7d7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
#36 0x7fabf6726393 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#37 0x7fabf6724bd7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#38 0x7fabf6725035 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#39 0x7fabf67324e6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#40 0x7fabf67324e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#41 0x7fabf6748d5a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#42 0x7fabf674fd8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#43 0x7fabf74021c5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#44 0x7fabf731ce61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#45 0x7fabf731ce61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#46 0x7fabfbc3edb8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#47 0x7fabfde72f2b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#48 0x7fabf74030a6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#49 0x7fabf731ce61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#50 0x7fabf731ce61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#51 0x7fabfde72792 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#52 0x562e36173236 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#53 0x562e36173236 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#54 0x7fac0c629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#55 0x7fac0c629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#56 0x562e36148f68 in _start (/home/user/workspace/browsers/m-c-20230929092823-fuzzing-debug/firefox-bin+0x58f68) (BuildId: 37de933b011e6448c239d35680b8774a21c5676a)

Comment 1

[Emilio Cobos Álvarez (:emilio)]

Oh, you're testing with layout.css.zoom.enabled already I guess. That means it's a regression from bug 1854441.

Comment 2

[Tyson Smith [:tsmith]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #1)

Oh, you're testing with layout.css.zoom.enabled already I guess. That means it's a regression from bug 1854441.

I don't see layout.css.zoom.enabled listed in here should it be?

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Ah, it's expected, we enable all CSS properties for fuzzing (bug 1670778).

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1854441

Comment 5

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1856017 - Ignore font-size differences in cached scrollbar styles. r=#layout,#style

The effective zoom from gets inherited onto the scrollbars, triggering
caching assertions. Luckily, we don't depend on font metrics to render
scrollbars, so we can just ignore it like we ignore font-family and lang
differences.

Comment 6

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/51193624fd47
Ignore font-size differences in cached scrollbar styles. r=layout-reviewers,jfkthame

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42255 for changes under testing/web-platform/tests

Comment 8

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/51193624fd47

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20230928215127-2c0444cfb7d6) but not with tip (mozilla-central 20230930093408-8f142cb8ab16.)

The bug appears to have been fixed in the following build range:

Start: 2544b23196f95d2acf8dc0e39440ba04fa209278 (20230929171341)
End: eee85ca883b58f7e7ed94e3a2e4ed573475159d4 (20230929221032)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2544b23196f95d2acf8dc0e39440ba04fa209278&tochange=eee85ca883b58f7e7ed94e3a2e4ed573475159d4

emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[Emilio Cobos Álvarez (:emilio)]

Yeah? I mean, it was a patch for this bug :)