Closed Bug 1878805 Opened 5 months ago Closed 4 months ago

Hit MOZ_CRASH(Item found was in the wrong list! type 73 (outer type was 26 at depth 6, now is 42)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210

Categories: Core :: Web Painting, defect

Status: RESOLVED FIXED

Tracking Status:
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- unaffected
firefox124 --- fixed

People: Reporter: tsmith, Assigned: sefeng

References: Blocks 1 open bug, Regression

Details: 4 keywords

Attachments: 1 file, 1 obsolete file

Attached file testcase.html

Found while fuzzing m-c 20240201-366005a91eda (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --xvfb

Hit MOZ_CRASH(Item found was in the wrong list! type 73 (outer type was 26 at depth 6, now is 42)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2210

#0 0x7f971a3f4783 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7f971a3f4783 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2207:7
#2 0x7f971a3f4783 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:623:16
#3 0x7f971a39571a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7f971a3951c0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#5 0x7f971a3f48ce in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7f971a3958a2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7f971a3951c0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#8 0x7f971a3f48ce in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#9 0x7f971a3958a2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#10 0x7f971a3951c0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#11 0x7f971a3f48ce in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#12 0x7f971a3958a2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#13 0x7f971a3951c0 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:825:31
#14 0x7f971a3994ab in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1655:9
#15 0x7f971a02af88 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3329:38
#16 0x7f9719f94eaf in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6469:5
#17 0x7f9719b196e2 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#18 0x7f9719b1916e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#19 0x7f9719b1a7cd in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#20 0x7f9719f49c25 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2821:11
#21 0x7f9719f52ea1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#22 0x7f9719f52ea1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#23 0x7f9719f52da0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#24 0x7f9719f52c3d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#25 0x7f9719f51edc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#26 0x7f9719f525a0 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&)::'lambda'()::operator()() const /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:706:31
#27 0x7f9719f523fc in mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&)::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#28 0x7f9714634ef7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#29 0x7f971462a666 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#30 0x7f9714628e47 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#31 0x7f97146292c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#32 0x7f9714638e96 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#33 0x7f9714638e96 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#34 0x7f971464e202 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#35 0x7f971465534d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#36 0x7f971532cce5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#37 0x7f9715246f81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#38 0x7f9715246f81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#39 0x7f9719b838e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#40 0x7f9719c40f28 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#41 0x7f971ba5650b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#42 0x7f971532dbc6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#43 0x7f9715246f81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#44 0x7f9715246f81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#45 0x7f971ba55d72 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#46 0x55ad8bb563b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x55ad8bb563b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#48 0x7f9728e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#49 0x7f9728e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#50 0x55ad8bb2c0e8 in _start (/home/user/workspace/browsers/m-c-20240205205906-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 423cbb27af6f530f1075a2da5b5b0f74a372ec06)

Set release status flags based on info from the regressing bug 1860328

:sefeng, since you are the author of the regressor, bug 1860328, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)

Unable to reproduce bug 1878805 using build mozilla-central 20240201173838-366005a91eda. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

Generally, we mark a caret frame for display first, and then
nsCaret tracks this frame in nsCaret::SchedulePaint to call
MarkNeedsDisplayItemRebuild() accordingly. However, it's possible
for nsCaret::SchedulePaint to fail to find the caret frame (i.e., selection changes),
so we end up not calling MarkNeedsDisplayItemRebuild() on this frame.

This patch improves this case by manually setting this caret frame
on nsCaret, so that it's always tracked.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)

Hey, I hit this crash today also while working on some Google Sheets metrics. Got here after I ran a regression window with mozregression.
I've also managed to do a reduced test case for it that can be used to always reproduce the issue using this google sheets document. In case it helps to doublecheck the fix.

All you need to do is:

  1. Click the cell with the formula in it (VALUE).
  2. Click the formula field on top.
  3. Quickly delete with the "Backspace" key both the "/8" character and operator.

Attachment #9378654 - Attachment description: Bug 1878805 - Fix a crash which a caret frame misses a MarkNeedsDisplayItemRebuild() call → Bug 1878805 - Fix a crash which a caret frame misses a MarkNeedsDisplayItemRebuild() call r=emilio

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd7ea27c5cf5
Fix a crash which a caret frame misses a MarkNeedsDisplayItemRebuild() call r=emilio

Backout by sstanca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3643afc155d5
Backed out changeset cd7ea27c5cf5 for causing reftests failures in 1878805.html. CLOSED TREE

Backed out for causing reftests failures in 1878805.html.

Flags: needinfo?(sefeng)

Managed to fix the test, try push. Going to land this again.

Flags: needinfo?(sefeng)

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f0872e0fffb
Fix a crash which a caret frame misses a MarkNeedsDisplayItemRebuild() call r=emilio
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Status: RESOLVED → REOPENED
Flags: needinfo?(sefeng)
Resolution: FIXED → ---
Target Milestone: 124 Branch → ---

this will be fixed by backout of bug 1860328, will close this once we have confirmation from crash logs

fixed by backout of bug 1860328

Status: REOPENED → RESOLVED
Closed: 5 months ago → 4 months ago
Resolution: --- → FIXED

Just so I understand what happened here, was the crash spike that was caused by bug 1860328 not fixed by this bug's patch? Or did we decide that backing out both is the safer option before we merge to beta next week?

Correct, it did not fix the crash spike. It seemed it helped the volume a bit, but was not a full fix.
We backed both out (the regressor and this patch fix) and Sean will work on another fix.

Comment on attachment 9378654 [details]
Bug 1878805 - Fix a crash which a caret frame misses a MarkNeedsDisplayItemRebuild() call r=emilio

Revision D200880 was moved to bug 1860328. Setting attachment 9378654 [details] to obsolete.

Attachment #9378654 - Attachment is obsolete: true
Flags: needinfo?(sefeng)