Hit MOZ_CRASH(Item found was in the wrong list! type 281 (outer type was 263 at depth 2, now is 3)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210
Categories
(Core :: Web Painting, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20231020-9c4a85b9e8b5 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
NOTE: this test case is 100% reliable in some cases but does not work at all in other cases.
Hit MOZ_CRASH(Item found was in the wrong list! type 281 (outer type was 263 at depth 2, now is 3)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210
#0 0x7f7bc7a794b3 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f7bc7a794b3 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2207:7
#2 0x7f7bc7a794b3 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:623:16
#3 0x7f7bc7a1a08a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7f7bc7a19b30 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#5 0x7f7bc7a795fe in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7f7bc7a1a212 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7f7bc7a19b30 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#8 0x7f7bc7a795fe in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#9 0x7f7bc7a1a212 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#10 0x7f7bc7a19b30 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#11 0x7f7bc7a1dddb in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1674:9
#12 0x7f7bc76b1325 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3322:38
#13 0x7f7bc761947f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6453:5
#14 0x7f7bc71a22f2 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#15 0x7f7bc71a1d7e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#16 0x7f7bc71a33dd in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#17 0x7f7bc75ce2b5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2816:11
#18 0x7f7bc75d7511 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
#19 0x7f7bc75d7511 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
#20 0x7f7bc75d7410 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
#21 0x7f7bc75d72ad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:949:5
#22 0x7f7bc75d6541 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:859:5
#23 0x7f7bc75d57a9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
#24 0x7f7bc68ff08b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#25 0x7f7bc6bea53d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:227:78
#26 0x7f7bc29551a1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5589:32
#27 0x7f7bc28e887f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#28 0x7f7bc28e55d2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#29 0x7f7bc28e6252 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#30 0x7f7bc28e739f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#31 0x7f7bc1bfe927 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#32 0x7f7bc1bf4533 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#33 0x7f7bc1bf2d27 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#34 0x7f7bc1bf31a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#35 0x7f7bc1c02909 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:214:37
#36 0x7f7bc1c02909 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#37 0x7f7bc1c17982 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#38 0x7f7bc1c1eaad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#39 0x7f7bc28ee793 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#40 0x7f7bc2808321 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#41 0x7f7bc2808321 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#42 0x7f7bc720c288 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#43 0x7f7bc72c8e88 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#44 0x7f7bc92e47cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#45 0x7f7bc28ef6c6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#46 0x7f7bc2808321 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7f7bc2808321 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7f7bc92e4032 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#49 0x556c79548f76 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x556c79548f76 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#51 0x7f7bd62a9082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x556c7951eca8 in _start (/home/twsmith/workspace/browsers/m-c-20231213144402-fuzzing-debug/firefox-bin+0x58ca8) (BuildId: 8e415e8dcb1496255d57b41416645981877a5dcb)
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/iKUMB2Z7NRqHIJC79WtkiQ/index.html
|
||
Comment 2•2 years ago
|
||
got a crash from the testcase : https://crash-stats.mozilla.org/report/index/4b2c8bfa-aaf5-45d0-b2dd-f956c0231216#tab-bugzilla
|
||
Comment 3•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20231215214115-8fd04cb03fbd.
The bug appears to have been introduced in the following build range:
Start: 59d6c667ab6651a0b219d1936cae9c8a8dab22ee (20230316075359)
End: 188dde9143643fa510a7e336c2f8d6555ca783ca (20230316115635)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=59d6c667ab6651a0b219d1936cae9c8a8dab22ee&tochange=188dde9143643fa510a7e336c2f8d6555ca783ca
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 4•2 years ago
|
||
My regression gets bug 1813481, which makes more sense. The testcase uses color none but doesn't seem to use selects.
|
||
Comment 5•2 years ago
|
||
:tlouw, since you are the author of the regressor, bug 1813481, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 6•2 years ago
|
||
That bug just makes the testcase "work", I don't think it's responsible for this issue.
|
|
Assignee | |
Comment 7•2 years ago
|
||
If I replace "lch(53% 16 none)" with "black" in the testcase I get this range
|
|
Assignee | |
Comment 8•2 years ago
|
||
The the content visibility pref forced on I get this regression range
I ran the regression twice and got this both times.
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 9•2 years ago
|
||
Set release status flags based on info from the regressing bug 1820058
|
|
||
Updated•2 years ago
|
|
|
||
Comment 10•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
:tnikkel, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 11•2 years ago
|
||
Same comment as bug 1870380.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 12•2 years ago
|
||
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
|
||
Updated•2 years ago
|
|
||
Comment 13•2 years ago
|
||
Should this bug be resolved as a duplicate of bug 1870380 (or vice versa)?
I just hit this crash twice in 126.0a1 Nightly when editing a Google Sheet:
https://crash-stats.mozilla.org/report/index/91327ee3-edfa-4496-8052-cf8240240319
https://crash-stats.mozilla.org/report/index/3c485ef6-9a10-4a51-9104-2ffaa0240319
|
|
Assignee | |
Comment 14•2 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #13)
Should this bug be resolved as a duplicate of bug 1870380 (or vice versa)?
I think neither? Although they both the same assert there are multiple bugs that can cause us to hit that assert and we have two different testcases in the bugs.
I just hit this crash twice in 126.0a1 Nightly when editing a Google Sheet:
https://crash-stats.mozilla.org/report/index/91327ee3-edfa-4496-8052-cf8240240319
https://crash-stats.mozilla.org/report/index/3c485ef6-9a10-4a51-9104-2ffaa0240319
The nightly that crashed twice there has bug 1860328 (after it re-landed). Bug 1860328 was responsible for a spike in crashes with this signature the last time it landed and likely introduced a different way to hit this assert.
|
||
Comment 15•2 years ago
|
||
Jason / Tyson, any chance to get a test-case for this signature, but which is caused by bug 1860328? (Likely with contenteditable / <input> / <textarea>).
|
|
Reporter | |
Comment 16•2 years ago
|
||
I can have a look, any idea what the type value in the MOZ_CRASH message might be?
|
|
||
Comment 17•2 years ago
|
||
Type 73 is what bug 1878805 found, but not sure off-hand, could be multiple.
|
||
Comment 18•2 years ago
|
||
Rares got a crash:
https://crash-stats.mozilla.org/report/index/a0741744-cf41-470e-8ee5-1cd5d0240320
and has a STR here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1886415
I don't know if it's related to this issue here because it isn't in the context of a contenteditable/input/textarea but with caret browsing enabled.
I don't manage to reproduce it on Windows 11.
|
|
Reporter | |
Updated•2 years ago
|
|
|
||
Comment 20•2 years ago
|
||
I don't have reliable STR, but 6 out of 6 times that I've hit this crash over the last two days, I was editing a Google spreadsheet and pressed Ctrl+Z (to undo some edits), quickly followed by Ctrl+Tab (to switch tabs).
|
|
Assignee | |
Comment 21•2 years ago
|
||
Thanks. We have a reliable fuzz testcase now, so hopefully that is enough to fix this.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 22•2 years ago
•
|
||
Can we track the new issue that started this week on bug 1886506 and/or bug 1886415 instead of here? This bug is an pre-existing bug that has been around for at least 3 months. The recent regression is tracked in those two bugs.
|
|
||
Comment 23•2 years ago
|
||
Moved tracking to bug 1886506
|
|
||
Comment 24•2 years ago
|
||
Can't repro this with the fix there.
|
|
||
Comment 25•2 years ago
|
||
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 26•2 years ago
|
||
This still crashes for me with autoland tip (so that includes both bug 1886506 and bug 1887552).
|
|
Assignee | |
Comment 27•2 years ago
|
||
I debugged this. This is an edge case with blend mode. Blend mode disables partial display list updates (because it is hard to handle for partial updates), but this testcase finds a way around the code that disables a partial update. Shouldn't be hard to fix, I just need to figure out how best to write a patch.
|
|
Assignee | |
Comment 28•2 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #27)
I debugged this. This is an edge case with blend mode. Blend mode disables partial display list updates (because it is hard to handle for partial updates), but this testcase finds a way around the code that disables a partial update. Shouldn't be hard to fix, I just need to figure out how best to write a patch.
This wasn't quite right. See the message of the patch I'll post for the explanation of what happened.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 29•2 years ago
|
||
This bug is not disabled, it would be on all branches. This bug is not responsible for the crashes we see on crashstats though (that would be bug 1888583). This assert is only in builds with diagnostic asserts enabled (nightly and early beta). If we don't hit the assert though it's possible to have bad rendering or crashes. However since this issue has been around for a long time and until recently we didn't see it on crash stats its unlikely users actually his this issue.
|
|
||
Comment 30•2 years ago
•
|
||
Correcting the status since this was enabled by default for Fx124 - see Bug 1874874
|
|
Assignee | |
Comment 31•2 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #28)
This wasn't quite right. See the message of the patch I'll post for the explanation of what happened.
Update on this: I spent some time back and forth with try server and locally debugging and I think I was able to come up with a reliable test for this.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 33•2 years ago
|
||
When we call nsCanvasFrame::BuildDisplayList from nsHTMLScrollFrame::BuildDisplayList there is already a compositor hit test item in it, created here https://searchfox.org/mozilla-central/rev/ff08e36e1f368bd193b54f569dbd79105b50f9a0/layout/generic/nsGfxScrollFrame.cpp#4146
If we create a blend container item in nsCanvasFrame::BuildDisplayList it puts everything that might already exist in the display list inside the blend container item. It should only do this for the background items that we just created as this is for background blend mode, we are only blending within the background of this frame.
In the fuzz testcase we then have a partial display list build that visits the root scroll frame (because a scroll bar is dirty), so it builds the compositor hit test item for the canvas frame (the child of the scroll frame), but canvas frame is not modified, so we don't descend into it, and we don't call nsCanvasFrame::BuildDisplayList, so the compositor hit test item does not get wrapped in the blend container, and thus it has moved in the display list without being marked modified.
|
||
Updated•2 years ago
|
|
||
Comment 34•2 years ago
|
||
|
||
Comment 36•2 years ago
|
||
| bugherder | ||
|
||
Updated•1 year ago
|
Description
•