Open Bug 1858798 Opened 1 year ago Updated 7 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270

Categories

(Core :: Layout: Scrolling and Overflow, defect, P3)

defect

Tracking

()

Tracking Status
firefox-esr115 --- unaffected
firefox120 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fix-optional

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords)

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete) —

Found while fuzzing m-c 20230912-1b3be6b61583 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: There's at least one candidate on either axis), at /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270

#0 0x7ff0f813ffd9 in mozilla::CalcSnapPoints::GetBestEdge(nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:270:5
#1 0x7ff0f81410bb in mozilla::ScrollSnapUtils::GetSnapPointForDestination(mozilla::ScrollSnapInfo const&, mozilla::ScrollUnit, mozilla::ScrollSnapFlags, nsRect const&, nsPoint const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/generic/ScrollSnap.cpp:522:34
#2 0x7ff0f81db183 in GetSnapPointForDestination /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:7564:10
#3 0x7ff0f81db183 in nsHTMLScrollFrame::ScrollToWithOrigin(nsPoint, nsRect const*, nsHTMLScrollFrame::ScrollOperationParams&&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2472:23
#4 0x7ff0f81df05f in nsHTMLScrollFrame::ScrollToInternal(nsPoint, mozilla::ScrollMode, mozilla::ScrollOrigin, nsRect const*, mozilla::ScrollSnapFlags, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2378:3
#5 0x7ff0f825e7e5 in ScrollTo /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.h:258:12
#6 0x7ff0f825e7e5 in non-virtual thunk to nsHTMLScrollFrame::ScrollTo(nsPoint, mozilla::ScrollMode, nsRect const*, mozilla::ScrollSnapFlags, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.h
#7 0x7ff0f803f1c8 in ScrollToShowRect /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3547:23
#8 0x7ff0f803f1c8 in mozilla::PresShell::ScrollFrameIntoView(nsIFrame*, mozilla::Maybe<nsRect> const&, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3787:9
#9 0x7ff0f803dfb3 in mozilla::PresShell::DoScrollContentIntoView() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3667:3
#10 0x7ff0f80418a0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4365:11
#11 0x7ff0f43500f2 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
#12 0x7ff0f43500f2 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10888:16
#13 0x7ff0f803d784 in mozilla::PresShell::ScrollContentIntoView(nsIContent*, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3607:16
#14 0x7ff0f4588d55 in nsFocusManager::ScrollIntoView(mozilla::PresShell*, nsIContent*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2911:15
#15 0x7ff0f457d7ad in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2669:9
#16 0x7ff0f4575f23 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1796:5
#17 0x7ff0f4577cf3 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:476:3
#18 0x7ff0f4390d88 in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:460:16
#19 0x7ff0f435f98e in mozilla::dom::Document::TryAutoFocusCandidate(mozilla::dom::Element&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:13026:13
#20 0x7ff0f435f23e in mozilla::dom::Document::FlushAutoFocusCandidates() /builds/worker/checkouts/gecko/dom/base/Document.cpp:13009:9
#21 0x7ff0f8004741 in nsRefreshDriver::FlushAutoFocusDocuments() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2185:25
#22 0x7ff0f80030bc in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2646:7
#23 0x7ff0f800c4b1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:363:13
#24 0x7ff0f800c4b1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:341:7
#25 0x7ff0f800c3b0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:5
#26 0x7ff0f800c24d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:924:5
#27 0x7ff0f800b599 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:838:5
#28 0x7ff0f800a8f9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:582:14
#29 0x7ff0f734baab in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#30 0x7ff0f764458a in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#31 0x7ff0f75265f0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8646:32
#32 0x7ff0f3412f6f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#33 0x7ff0f340fcc2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#34 0x7ff0f3410942 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#35 0x7ff0f3411a8f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#36 0x7ff0f27444b7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#37 0x7ff0f273c073 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#38 0x7ff0f273a8b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#39 0x7ff0f273ad15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#40 0x7ff0f2748239 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:214:37
#41 0x7ff0f2748239 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#42 0x7ff0f275ebd2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#43 0x7ff0f2765cbd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#44 0x7ff0f3418e83 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#45 0x7ff0f3333591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#46 0x7ff0f3333591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#47 0x7ff0f7c4f598 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#48 0x7ff0f9e8777b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#49 0x7ff0f3419db6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#50 0x7ff0f3333591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#51 0x7ff0f3333591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#52 0x7ff0f9e86fe2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#53 0x564abb687236 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#54 0x564abb687236 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#55 0x7ff107829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#56 0x7ff107829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#57 0x564abb65cf68 in _start (/home/user/workspace/browsers/m-c-20231011211944-fuzzing-debug/firefox-bin+0x58f68) (BuildId: 2eb5cce7d8cf9cabd42b9b13372b658517f57670)
Flags: in-testsuite?

Unable to reproduce bug 1858798 using build mozilla-central 20230912211753-1b3be6b61583. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The severity field is not set for this bug.
:hiro, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(hikezoe.birchill)

The assertion was newly introduced in Bug 1768393.

Severity: -- → S3
Flags: needinfo?(hikezoe.birchill)
Keywords: regression
Priority: -- → P3
Regressed by: 1768393

Heads up in case the assertion indicates a logic error you'd like to investigate.

Flags: needinfo?(hikezoe.birchill)

Set release status flags based on info from the regressing bug 1768393

Yeah, this is being under my radar. I haven't looked into details since math element is uncommon basically. I am going to leave NI to me for now.

Attached file testcase.html

Updated test case. Hopefully bugmon can work with this.

Attachment #9358184 - Attachment is obsolete: true

Unable to reproduce bug 1858798 using build mozilla-central 20230912211753-1b3be6b61583. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A Pernosco session is available here: https://pernos.co/debug/yiedYmTUWXPEn_rgx5BKPQ/index.html

I'm not sure why bugmon is struggling with this one.

Keywords: pernosco
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: