Assertion failure: !mForbiddenToFlush (This is bad!), at /layout/base/PresShell.cpp:4199
Categories: Core :: Layout, defect
Tracking:
 | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox118 | --- | unaffected
firefox119 | --- | unaffected
firefox120 | --- | verified
People: Reporter: jkratzer, Assigned: emilio
References: Blocks 2 open bugs, Regression
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 3 files
Testcase found while fuzzing mozilla-central rev 461a9c98a535 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 461a9c98a535 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mForbiddenToFlush (This is bad!), at /layout/base/PresShell.cpp:4199
==403871==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7c00bc490 bp 0x7ffda6281980 sp 0x7ffda6281840 T403871)
==403871==The signal is caused by a WRITE memory access.
==403871==Hint: address points to the zero page.
#0 0x7fc7c00bc490 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4199:3
#1 0x7fc7bdaa09f6 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
#2 0x7fc7bdaa09f6 in mozilla::dom::CanvasRenderingContext2D::UpdateFilter() /dom/canvas/CanvasRenderingContext2D.cpp:2899:18
#3 0x7fc7c04034ff in mozilla::SVGFilterObserverListForCanvasContext::OnRenderingChange() /layout/svg/SVGObserverUtils.cpp:963:20
#4 0x7fc7c0402645 in mozilla::SVGFilterObserver::OnRenderingChange() /layout/svg/SVGObserverUtils.cpp:834:26
#5 0x7fc7c0403fe4 in OnNonDOMMutationRenderingChange /layout/svg/SVGObserverUtils.cpp:254:3
#6 0x7fc7c0403fe4 in mozilla::SVGRenderingObserverSet::InvalidateAll() /layout/svg/SVGObserverUtils.cpp:1141:15
#7 0x7fc7c029bfdb in nsIFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsIFrame.cpp:777:3
#8 0x7fc7c01cfc7d in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:299:22
#9 0x7fc7c0230f56 in nsFrameList::DestroyFrames(mozilla::FrameDestroyContext&) /layout/generic/nsFrameList.cpp:40:12
#10 0x7fc7c01cfa00 in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:230:11
#11 0x7fc7c0230f56 in nsFrameList::DestroyFrames(mozilla::FrameDestroyContext&) /layout/generic/nsFrameList.cpp:40:12
#12 0x7fc7c01cfa00 in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsContainerFrame.cpp:230:11
#13 0x7fc7c040a602 in mozilla::SVGOuterSVGFrame::Destroy(mozilla::FrameDestroyContext&) /layout/svg/SVGOuterSVGFrame.cpp:784:29
#14 0x7fc7c01eead3 in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /layout/generic/nsBlockFrame.cpp:6752:20
#15 0x7fc7c01ee3f0 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /layout/generic/nsBlockFrame.cpp:6050:5
#16 0x7fc7c0129cfe in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /layout/base/nsCSSFrameConstructor.cpp:7529:5
#17 0x7fc7c0125705 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8520:7
#18 0x7fc7c00e2760 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /layout/base/RestyleManager.cpp:1660:25
#19 0x7fc7c00e9804 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3241:9
#20 0x7fc7c00bcf75 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3326:3
#21 0x7fc7c00bc10e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4346:39
#22 0x7fc7bc3e7212 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
#23 0x7fc7bc3e7212 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10916:16
#24 0x7fc7bb7cb70e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:740:14
#25 0x7fc7bb7ccbe4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:678:5
#26 0x7fc7c177741f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13900:23
#27 0x7fc7ba9f931f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
#28 0x7fc7ba9fa860 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
#29 0x7fc7bc3ec0bc in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11701:18
#30 0x7fc7bc3d21f4 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8151:3
#31 0x7fc7bc482439 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#32 0x7fc7bc482439 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#33 0x7fc7bc482439 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#34 0x7fc7bc482439 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#35 0x7fc7bc482439 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#36 0x7fc7bc482439 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#37 0x7fc7bc482439 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#38 0x7fc7ba7bb277 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:559:16
#39 0x7fc7ba7b2e33 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:886:26
#40 0x7fc7ba7b1677 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:709:15
#41 0x7fc7ba7b1ad5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:495:36
#42 0x7fc7ba7bef86 in operator() /xpcom/threads/TaskController.cpp:218:37
#43 0x7fc7ba7bef86 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#44 0x7fc7ba7d57fa in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
#45 0x7fc7ba7dc82d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#46 0x7fc7bb48fd75 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#47 0x7fc7bb3aa431 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#48 0x7fc7bb3aa431 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#49 0x7fc7bfcc98b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#50 0x7fc7c1f00bbb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
#51 0x7fc7bb490c56 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#52 0x7fc7bb3aa431 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#53 0x7fc7bb3aa431 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#54 0x7fc7c1f00422 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
#55 0x55bda3e34236 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x55bda3e34236 in main /browser/app/nsBrowserApp.cpp:375:18
#57 0x7fc7cfdaad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#58 0x7fc7cfdaae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#59 0x55bda3e09f68 in _start (/home/jkratzer/builds/m-c-20231006092133-fuzzing-debug/firefox-bin+0x58f68) (BuildId: d97922557cda625d0f41e45d0271dc60e71db811)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/base/PresShell.cpp:4199:3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)
==403871==ABORTING
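A triage note on the report above, together with an added example that is not part of the bug, of grizzly, or of Mozilla's crash tooling. The SEGV is a WRITE to the zero page at the exact line of the assertion, which is how a failed MOZ_ASSERT in a debug Gecko build deliberately crashes, so the signal itself is not an independent memory-safety fault; the defect is what the stack shows: DoFlushPendingNotifications (frame #0, PresShell.cpp:4199) re-entered underneath DoFlushPendingNotifications (frame #21, PresShell.cpp:4346), because a frame destroyed during restyle (nsIFrame::Destroy, then SVGRenderingObserverSet::InvalidateAll) notified the canvas filter observer, whose CanvasRenderingContext2D::UpdateFilter() flushes layout while the PresShell has flushing forbidden. The script below parses a sanitizer report of this shape into a structured record, derives a crash signature from the top frames, and flags functions that appear more than once on the stack. The sample input is an excerpt of the report above embedded as a constructed string; the NOISE list, the bucket names and the helper names are this example's own assumptions.

```python
"""Parse a sanitizer crash report into a structured record and bucket it.

Added example for triaging fuzzing reports of the shape shown above; it is not
part of the bug, of grizzly, or of Mozilla's crash tooling.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the UBSan report above (most frames elided).
SAMPLE_REPORT = """\
Assertion failure: !mForbiddenToFlush (This is bad!), at /layout/base/PresShell.cpp:4199
==403871==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7c00bc490 bp 0x7ffda6281980 sp 0x7ffda6281840 T403871)
==403871==The signal is caused by a WRITE memory access.
==403871==Hint: address points to the zero page.
    #0 0x7fc7c00bc490 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4199:3
    #1 0x7fc7bdaa09f6 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
    #2 0x7fc7bdaa09f6 in mozilla::dom::CanvasRenderingContext2D::UpdateFilter() /dom/canvas/CanvasRenderingContext2D.cpp:2899:18
    #6 0x7fc7c0403fe4 in mozilla::SVGRenderingObserverSet::InvalidateAll() /layout/svg/SVGObserverUtils.cpp:1141:15
    #7 0x7fc7c029bfdb in nsIFrame::Destroy(mozilla::FrameDestroyContext&) /layout/generic/nsIFrame.cpp:777:3
    #21 0x7fc7c00bc10e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4346:39
    #22 0x7fc7bc3e7212 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
    #24 0x7fc7bb7cb70e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:740:14
    #59 0x55bda3e09f68 in _start (/home/jkratzer/builds/m-c-20231006092133-fuzzing-debug/firefox-bin+0x58f68) (BuildId: d97922557cda625d0f41e45d0271dc60e71db811)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/base/PresShell.cpp:4199:3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)
==403871==ABORTING
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<file>\S+?):(?P<line>\d+)$")
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: (?P<san>\w+): (?P<kind>\S+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access\.")
# Symbolized frame: "#N 0xADDR in FUNC FILE:LINE[:COL]"; FUNC may contain spaces.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+:\d+(?::\d+)?)$")
# Unsymbolized frame: "#N 0xADDR in FUNC (MODULE+0xOFF) ..."
RAW_FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) \((?P<module>[^)]+)\)")


@dataclass
class Frame:
    index: int
    function: str
    location: Optional[str]  # "file:line:col", or None when only module+offset is known


@dataclass
class CrashReport:
    sanitizer: Optional[str] = None
    kind: Optional[str] = None            # e.g. SEGV, heap-use-after-free
    fault_address: Optional[int] = None
    access: Optional[str] = None          # READ / WRITE
    assertion: Optional[str] = None       # failed condition text, if any
    assertion_site: Optional[str] = None  # "file:line" of the assertion
    frames: List[Frame] = field(default_factory=list)


def parse_report(text: str) -> CrashReport:
    """Walk the report line by line. Only the first (crashing) stack is kept:
    a frame index that resets means a secondary stack such as ASan's
    'allocated by' block has started, and parsing stops there."""
    rep = CrashReport()
    for line in text.splitlines():
        if m := ASSERT_RE.match(line):
            rep.assertion = m["cond"]
            rep.assertion_site = f"{m['file']}:{m['line']}"
        elif m := ERROR_RE.match(line):
            rep.sanitizer, rep.kind = m["san"], m["kind"]
            rep.fault_address = int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep.access = m["access"]
        else:
            m = FRAME_RE.match(line) or RAW_FRAME_RE.match(line)
            if m:
                idx = int(m["idx"])
                if rep.frames and idx <= rep.frames[-1].index:
                    break
                loc = m["loc"] if "loc" in m.groupdict() else None
                rep.frames.append(Frame(idx, m["func"], loc))
    return rep


# Frames that describe the runtime rather than the bug; a signature built from
# them would make unrelated crashes collide. Illustrative list (assumption).
NOISE = ("__libc_start", "_start", "MessageLoop::Run", "RunHandler", "nsThread::ProcessNextEvent")


def crash_signature(rep: CrashReport, depth: int = 3) -> Tuple[str, ...]:
    """First `depth` non-noise function names from the top of the stack."""
    sig: List[str] = []
    for fr in rep.frames:
        if any(n in fr.function for n in NOISE):
            continue
        sig.append(fr.function)
        if len(sig) == depth:
            break
    return tuple(sig)


def reentered_functions(rep: CrashReport) -> Dict[str, List[int]]:
    """Functions that occur more than once on the stack, with their frame
    indices. A function at the top that also sits further down is the usual
    shape of a re-entrancy bug like the flush-inside-flush in this report."""
    seen: Dict[str, List[int]] = {}
    for fr in rep.frames:
        seen.setdefault(fr.function, []).append(fr.index)
    return {fn: idx for fn, idx in seen.items() if len(idx) > 1}


def classify(rep: CrashReport) -> str:
    """Coarse bucket. In a debug Gecko build a failed MOZ_ASSERT deliberately
    writes to address 0, so a SEGV whose top frame is the assertion site is
    the assertion firing, not an independent memory-safety fault."""
    top = rep.frames[0].location if rep.frames else None
    if rep.assertion and top and top.startswith(rep.assertion_site + ":"):
        return "assertion"
    if rep.kind == "SEGV" and rep.fault_address is not None and rep.fault_address < 0x1000:
        return "null-deref"
    return (rep.kind or "unknown").lower()


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(classify(r), r.kind, r.access, hex(r.fault_address or 0))
    print("signature:", " | ".join(crash_signature(r)))
    for fn, idxs in reentered_functions(r).items():
        print(f"re-entered: {fn} at frames {idxs}")
```

On the sample this buckets the report as an assertion, builds the signature from DoFlushPendingNotifications / FlushPendingNotifications / UpdateFilter, and reports both flush functions as re-entered (frames 0 and 21, 1 and 22), which is the fact that matters for triage here.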
Comment 1•1 year ago (Reporter)

Comment 3•1 year ago
Verified bug as reproducible on mozilla-central 20231009093538-d5fd5e481ff2.
Unable to bisect testcase (Unable to launch the start build!):
Start: d420f9190e2f35e314aa67ee346650f86451792c (20221010033207)
End: 461a9c98a535b9896e9d394bdfee72ce90cf7afd (20231006092133)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Updated•1 year ago

Comment 4•1 year ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Updated•1 year ago (Assignee)

Comment 7•1 year ago
Set release status flags based on info from the regressing bug 1494263
Comment 8•1 year ago (Assignee)

Updated•1 year ago

Comment 9•1 year ago (Assignee)
Ah, I thought that would be enough but it's not. With that patch I get:
Assertion failure: inObserverSet == mInObserverSet (failed to track whether we're in our referenced element's observer set!), at /home/emilio/src/moz/gecko-8/layout/svg/SVGObserverUtils.cpp:1192
Robert, can you take a look if you have the time? Otherwise I can look but I'm a bit busy with other stuff.
Updated•1 year ago

Comment 10•1 year ago
(In reply to Emilio Cobos Álvarez (:emilio) from comment #9)
Ah, I thought that would be enough but it's not. With that patch I get: Assertion failure: inObserverSet [...]
Robert just landed bug 1859858 which should address comment 9. emilio: Could you re-test your patch on top of that? (Maybe this is good to go?)
(I suspect sec-approval isn't needed here, given that this seems to be a recently-introduced regression (from bug 1494263) that only affects Nightly, per (B) on https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html#on-requesting-sec-approval . Though, probably good to get this in before tomorrow's soft-freeze if possible.)
Comment 11•1 year ago (Assignee)
Yeah let's try to land as-is, the assert is specific to the crashtest above, so shouldn't block landing the patch anyways, but we should land a test once both patches are in central.
Comment 12•1 year ago

Comment 13•1 year ago

Updated•1 year ago (Assignee)

Comment 14•1 year ago (Assignee)

Updated•1 year ago (Assignee)

Comment 15•1 year ago
Verified bug as fixed on rev mozilla-central 20231019042043-6bb5ad68d8ba.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 16•1 year ago

Comment 17•1 year ago

Updated•9 months ago