1858577 - Assertion failure: !aChangeList[j].mContent->GetPrimaryFrame() || !aChangeList[j].mContent->HasFlag(NODE_NEEDS_FRAME), at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1619

Status: NEW

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20231007-8db232d0f8c7 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !aChangeList[j].mContent->GetPrimaryFrame() || !aChangeList[j].mContent->HasFlag(NODE_NEEDS_FRAME), at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1619

#0 0x7f7ee8069c64 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1618:7
#1 0x7f7ee806eec4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3243:9
#2 0x7f7ee8042625 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3328:3
#3 0x7f7ee80417be in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4346:39
#4 0x7f7ee43500f2 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
#5 0x7f7ee43500f2 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10888:16
#6 0x7f7ee4193f48 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6367:11
#7 0x7f7ee4193f48 in nsGlobalWindowInner::ScrollTo(mozilla::dom::ScrollToOptions const&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3827:3
#8 0x7f7ee53a9582 in mozilla::dom::Window_Binding::scrollTo(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:4505:28
#9 0x7f7ee5927302 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3327:13
#10 0x7f7eea0c65b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#11 0x7f7eea0c5ecd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#12 0x7f7eea0d6498 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#13 0x7f7eea0d6498 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3407:16
#14 0x7f7eea0c5422 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#15 0x7f7eea0c5ee9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#16 0x7f7eea0c738d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#17 0x7f7eea1adf74 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#18 0x7f7ee53706a8 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:453:8
#19 0x7f7ee4293934 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:397:12
#20 0x7f7ee44203a6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:410:12
#21 0x7f7ee44203a6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:57:13
#22 0x7f7ee4177c61 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:725:12
#23 0x7f7ee4176ac1 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:753:3
#24 0x7f7ee4176850 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:594:13
#25 0x7f7ee27444b7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#26 0x7f7ee273c073 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#27 0x7f7ee273aa0d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:741:15
#28 0x7f7ee273ad15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#29 0x7f7ee27481c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#30 0x7f7ee27481c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#31 0x7f7ee275ebd2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#32 0x7f7ee2765cbd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#33 0x7f7ee3418ed5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#34 0x7f7ee3333591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7f7ee3333591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7f7ee7c4f598 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#37 0x7f7ee9e8777b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#38 0x7f7ee3419db6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#39 0x7f7ee3333591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#40 0x7f7ee3333591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#41 0x7f7ee9e86fe2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#42 0x556deaca4236 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#43 0x556deaca4236 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#44 0x7f7ef6c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#45 0x7f7ef6c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#46 0x556deac79f68 in _start (/home/user/workspace/browsers/m-c-20231011211944-fuzzing-debug/firefox-bin+0x58f68) (BuildId: 2eb5cce7d8cf9cabd42b9b13372b658517f57670)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231012093726-03e0b5134ce5.
The bug appears to have been introduced in the following build range:

Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b

Comment 2

[Dianna Smith [:diannaS]]

:Sefeng, could you take a look at this? I think it was caused by bug 1815913 in fx112.

Comment 3

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 5

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1815913

Comment 7

[Jonathan Kew [:jfkthame]]

Given the suspected regressor, moving this to DOM.

Comment 8

[Dianna Smith [:diannaS]]

is there a priority/severity for this (not sure how this affects fx users)?

Comment 9

[Timothy Nikkel (:tnikkel)]

Haven't investigated this, but I would guess this is just some edge case that is not hit in practice having to do with image maps (not used very often anymore I don't think).

Comment 10

[Sean Feng [:sefeng]]

Sorry I tried to make some progress on this one, however I don't have ideas since it's related to layout....It'd be great if I get someone from the layout team to check this one.

I know this bug was in CSS Parsing and Computation and moved to DOM, but yeah sorry I gotta move this back...