1870380 - Hit MOZ_CRASH(Item found was in the wrong list! type 25 (outer type was 42 at depth 3, now is 26)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210

Status: VERIFIED FIXED

(Core :: Web Painting, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20231027-0321b9ee7835 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Item found was in the wrong list! type 25 (outer type was 42 at depth 3, now is 26)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210

#0 0x7f1da0317743 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f1da0317743 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2207:7
#2 0x7f1da0317743 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:623:16
#3 0x7f1da02b831a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7f1da02b7dc0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#5 0x7f1da031788e in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7f1da02b84a2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7f1da02b7dc0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#8 0x7f1da031788e in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#9 0x7f1da02b84a2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#10 0x7f1da02b7dc0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#11 0x7f1da02bc06b in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1674:9
#12 0x7f1d9ff4f505 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3322:38
#13 0x7f1d9feb764f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6463:5
#14 0x7f1d9fa400f2 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#15 0x7f1d9fa3fb7e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#16 0x7f1d9fa411dd in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#17 0x7f1d9fe6c405 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2816:11
#18 0x7f1d9fe75661 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
#19 0x7f1d9fe75661 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
#20 0x7f1d9fe75560 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
#21 0x7f1d9fe753fd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:949:5
#22 0x7f1d9fe74691 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:859:5
#23 0x7f1d9fe738f9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
#24 0x7f1d9f19fdcb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#25 0x7f1d9f48bddd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:227:78
#26 0x7f1d9f377e90 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8264:32
#27 0x7f1d9b2a91ef in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#28 0x7f1d9b2a5f42 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#29 0x7f1d9b2a6bc2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#30 0x7f1d9b2a7d0f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#31 0x7f1d9a5beb67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#32 0x7f1d9a5b4773 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#33 0x7f1d9a5b2f67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#34 0x7f1d9a5b33e5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#35 0x7f1d9a5c2b49 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:214:37
#36 0x7f1d9a5c2b49 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#37 0x7f1d9a5d7bc2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#38 0x7f1d9a5deced in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#39 0x7f1d9b2af103 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#40 0x7f1d9b1c8c91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#41 0x7f1d9b1c8c91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#42 0x7f1d9faa9788 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#43 0x7f1d9fb66538 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#44 0x7f1da1b7f7bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#45 0x7f1d9b2b0036 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#46 0x7f1d9b1c8c91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7f1d9b1c8c91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7f1da1b7f022 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#49 0x55a07f505f76 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x55a07f505f76 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#51 0x7f1daf429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#52 0x7f1daf429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#53 0x55a07f4dbca8 in _start (/home/user/workspace/browsers/m-c-20231215155925-fuzzing-debug/firefox-bin+0x58ca8) (BuildId: 56a95eb23db675fa5f7f4350eda2a32f13dc28da)

Comment 1

[Mayank Bansal]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/5c2021b9-bd92-4446-b286-db6440231216#tab-bugzilla

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231215214115-8fd04cb03fbd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 59c15c902a18e4ba5998f9dc6235c226cf58bc9a (20221217093017)
End: 0321b9ee7835c824a0c24ec6401551ecaa8cc826 (20231027040813)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 desktop browser crashes on nightly

:tnikkel, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Comment 4

[Timothy Nikkel (:tnikkel)]

This seems to have spiked on nightly starting with 20240202094312.

Changlog of what went into that nightly and urls from the crashes would be next steps.

Fuzzers would be ignoring this assert because of the existing open bugs for it, but if they are suddenly triggering more asserts that would be useful and maybe we can get a testcase out of it.

Comment 5

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

changelog for 20240202094312

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=366005a91eda9c0b765207a0623b7a9e46d9dea8&tochange=dd4c0135beb5076b1a073f8d52507b724781d423

:sean could the spike for this & bug 1870415 be bug 1860328?

Comment 6

[Sean Feng [:sefeng][PTO, back July 1st]]

I am not sure.....If the displayItem is nsDisplayCaret in these new crashes, then it's likely my patch causing it. However, it's more like an existing display list bug, isn't it?

I'd like know what Timothy's opinion on moving forward, I am happy to try out things, but not sure what to do.

Comment 7

[Timothy Nikkel (:tnikkel)]

There are different ways to hit this MOZ_CRASH, some of them having fuzzing testcases on bugzilla. Usually what causes us to hit this MOZ_CRASH is that the display list changes without a call to invalidate. We are merging the old and changed display lists (to produce the new display list) and we try to match up items but they don't match up even though the frame/display items are not marked as modified and we fail to merge. I haven't been able to prioritize fixing these known testcases because we don't see these crashes show up on crash stats.

We have 1 crash in all of January but over 100 crashes started on Feb 2 on nightly only. This makes me suspect it was a code change that caused a new way to hit this MOZ_CRASH. It's also possible that a popular site changed it's design to hit a bug that has been existing for a while. Someone with urls access to crashstats might be able to shed light on this.

I also see that there are multiple crashes with the same install time, but there are many different cpu types hitting this, so multiple users are hitting this and they are likely to hit it multiple times when they do hit it.

Comment 8

[Timothy Nikkel (:tnikkel)]

Bug 1877591 is the only other thing in the pushlog above that seems like it could possibly cause something like this. That only seems to have any effect during print or print preview. The crash stacks don't seem to be during printing. Print preview don't tend to have dynamic changes that trigger retained display list partial updates. So I suspect this less.

Comment 9

[Timothy Nikkel (:tnikkel)]

These are the crash reasons from a sampling of crashes

Item found was in the wrong list! type 73 (outer type was 26 at depth 4, now is 43)
Item found was in the wrong list! type 73 (outer type was 26 at depth 3, now is 26)
Item found was in the wrong list! type 31 (outer type was 26 at depth 6, now is 26)
Item found was in the wrong list! type 73 (outer type was 26 at depth 5, now is 43)
Item found was in the wrong list! type 73 (outer type was 26 at depth 2, now is 2)

73 = TRANSFORM
31 = FIXED_POSITION
26 = CONTAINER
43 = OPACITY
2 = ASYNC_ZOOM

Comment 10

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

in regards to the urls on crashstats, there were a few google doc public links (ex1, ex2, ex3...all tables with checkboxes or dropdowns in them), a few netflix watching links, a google meet link, and one german car site

Comment 11

[Timothy Nikkel (:tnikkel)]

The new fuzz testcase in bug 1878805 would seem to confirm that bug 1860328 is behind this spike in crashes.

Comment 12

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

:sefeng should we consider backing out bug 1860328?

also, should bug 1878805 & bug 1870415 and be duplicates?

Comment 13

[Sean Feng [:sefeng][PTO, back July 1st]]

Dianna, I just started to fix this. I think I can probably fix this by adding some MarkNeedsDisplayItemRebuild calls. I'll let you know if I can't fix this soon, so that we can back that patch out. Let me know if you disagree! Thanks

Comment 14

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

Sounds good to me, just let me know!

Comment 15

[Sean Feng [:sefeng][PTO, back July 1st]]

Dianna, I just attached a patch bug 1878805, it should fix the spike of this signature.

I am hopeful that it can be landed by tomorrow. I think if for some reason I didn't get it landed tomorrow, then we can back the bug 1860328 out.

Are we okay with this timeline? If it's too slow, I am okay with backing bug 1860328 out now! Thanks!

Comment 16

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

timeline sounds good! this would give us enough time to make sure we are all clear in nightly

Comment 17

[Sean Feng [:sefeng][PTO, back July 1st]]

Dianna, looks like I won't be able to land that patch today, can we back bug 1860328 out?

Comment 18

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

decided offline to land the patch tomorrow after review

Comment 19

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

Fixed by bug 1878805

Comment 20

[Bugmon [:jkratzer for issues]]

Bug marked as FIXED but still reproduces on mozilla-central 20240209114116-0fc754e65091. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Comment 21

[Sean Feng [:sefeng][PTO, back July 1st]]

bug 1878805 supposes to fix the spike of this assertion in Nightly, however it doesn't fix this particular crash, so yeah this one should remain open.

Comment 22

[Timothy Nikkel (:tnikkel)]

I would recommend moving all release tracking related things to bug 1878805 if possible. This bug just happened to have a coincidental signature.

Comment 23

[BugBot [:suhaib / :marco/ :calixte]]

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Comment 24

[Timothy Nikkel (:tnikkel)]

Although the testcase in bug 1886506 hits the same assert there are many ways to hit that assert with different causes. I've debugged the testcase here and it is indeed a different cause with a different fix from bug 1886506. I think Emilio will be posting a patch her shortly based on the results of my debugging.

Comment 25

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1870380 - Don't use handled hints for table captions. r=TYLin,tnikkel,#style,#layout

Table captions have a similar issue as column spanners, where their
parent might not be the in the subtree of the style frame of its
ancestors. In particular, a repaint posted to a table that
doesn't cause a repaint in the table wrapper might not cause a repaint
of its captions.

Handle table captions like we treat out of flows and spanners, and add
more comments around this set-up.

Comment 26

[Timothy Nikkel (:tnikkel)]

Recording what I found when I debugged this in case I want to refer to it later.

The testcase has a table with a caption and it turns on/off clip-path of all elements, but not at the same time because it is queued off an animation and the caption is created slightly later. So we get restyles of the table and caption at different times that invalidate their frames. If we get a restyle and invalidates both the table and the caption in the same restyle then when we handle the repaint for the table we remove the repaint hint when we handle caption's restyles because we think that the table is a parent caption so the repaint of the table covers everything in the subtree. But the table in the frame tree is a table wrapper frame which is the parent of the table frame and the caption frame. The table frame get's invalidated, and the caption is not a descendant of it and so the caption does not get invalidated but it's display items change and we do a partial update and fail.

Comment 27

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/83dc6e02a3fd
Don't use handled hints for table captions. r=tnikkel,layout-reviewers

Comment 28

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/83dc6e02a3fd

Comment 29

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45352 for changes under testing/web-platform/tests

Comment 30

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240326164915-7a41e44c6e1a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 31

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot