Open Bug 1884801 Opened 7 months ago Updated 16 days ago

Assertion failure: aThebesContext->CurrentOp() == CompositionOp::OP_OVER, at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4664

Categories

(Core :: Graphics: Text, defect)

defect

Tracking

()

Tracking Status
firefox-esr115 --- unaffected
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240131-ad50a175a7c5 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aThebesContext->CurrentOp() == CompositionOp::OP_OVER, at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4664

#0 0xde0cb79d in mozilla::PresShell::RenderDocument(nsRect const&, mozilla::RenderDocumentFlags, unsigned int, gfxContext*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4664:3
#1 0xd9f24e14 in mozilla::image::SVGDrawingCallback::operator()(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::BaseMatrix<double> const&) /builds/worker/checkouts/gecko/image/VectorImage.cpp:291:14
#2 0xd9ca1a70 in gfxCallbackDrawable::Draw(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::ExtendMode, mozilla::gfx::SamplingFilter, double, mozilla::gfx::BaseMatrix<double> const&) /builds/worker/checkouts/gecko/gfx/thebes/gfxDrawable.cpp
#3 0xd9ddc80d in gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SamplingFilter, unsigned int, double, bool) /builds/worker/checkouts/gecko/gfx/thebes/gfxUtils.cpp:571:13
#4 0xd9f2c54a in mozilla::image::VectorImage::Show(gfxDrawable*, mozilla::image::SVGDrawingParameters const&) /builds/worker/checkouts/gecko/image/VectorImage.cpp:1228:3
#5 0xd9f2bfde in mozilla::image::VectorImage::Draw(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::ImageRegion const&, unsigned int, mozilla::gfx::SamplingFilter, mozilla::SVGImageContext const&, unsigned int, float) /builds/worker/checkouts/gecko/image/VectorImage.cpp:1034:5
#6 0xdb8e7269 in mozilla::dom::CanvasRenderingContext2D::DrawDirectlyToCanvas(mozilla::DirectDrawInfo const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5668:39
#7 0xdb8e5569 in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrOffscreenCanvasOrImageBitmapOrVideoFrame const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5613:5
#8 0xdad506ca in DrawImage /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:244:5
#9 0xdad506ca in mozilla::dom::CanvasRenderingContext2D_Binding::drawImage(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./CanvasRenderingContext2DBinding.cpp:3906:28
#10 0xdb7c1755 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#11 0xdfd887d3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#12 0xdfd882c1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#13 0xdfd89239 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#14 0xdfd97c61 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#15 0xdfd97c61 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#16 0xdfd87ce8 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10
#17 0xdfd87815 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#18 0xdfd882de in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#19 0xdfd89239 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#20 0xdfd8940b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#21 0xdfea8b63 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#22 0xdb622c04 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
#23 0xda4929ba in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#24 0xda492795 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:168:29
#25 0xda14205b in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6317:38
#26 0xda48f198 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:879:44
#27 0xda48df6e in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
#28 0xda490974 in Notify /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:246:5
#29 0xda490974 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp
#30 0xd85c79ae in operator() /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:44
#31 0xd85c79ae in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#32 0xd85c79ae in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#33 0xd85c79ae in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#34 0xd85c79ae in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#35 0xd85c79ae in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:22
#36 0xd85c6a8d in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:515:11
#37 0xd85eebad in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
#38 0xd85eb4d2 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
#39 0xd85bb195 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#40 0xd85b05b0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#41 0xd85aec4f in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#42 0xd85af132 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#43 0xd85bf3bc in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#44 0xd85bf3bc in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#45 0xd85d5977 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#46 0xd85dcee2 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#47 0xd93058c8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#48 0xd921636e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#49 0xd921626a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#50 0xd921626a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#51 0xddcac8a6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#52 0xddd75938 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#53 0xdfb63774 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#54 0xd9306990 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#55 0xd921636e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#56 0xd921626a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#57 0xd921626a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#58 0xdfb62fad in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#59 0xdfb727c1 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12
#60 0x63ff0dbf in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#61 0x63ff0dbf in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#62 0xe8421518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#63 0xe84215f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#64 0x63fc1c60 in _start (/home/user/workspace/browsers/linux32-m-c-20240311211339-fuzzing-debug/firefox-bin+0x5cc60) (BuildId: ed8791497eed2335098359ab4990ed1fca4a1b1a)
Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20240311211339-2e7bccbd5370.
The bug appears to have been introduced in the following build range:

Start: 0ef83860e1ac8920e01df5796a40acb65f66f223 (20230925142537)
End: cf0ddbec5963b58732cc2ce17a8064ea31d45fb1 (20230926031150)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0ef83860e1ac8920e01df5796a40acb65f66f223&tochange=cf0ddbec5963b58732cc2ce17a8064ea31d45fb1

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #1)

Verified bug as reproducible on mozilla-central 20240311211339-2e7bccbd5370.
The bug appears to have been introduced in the following build range:

Start: 0ef83860e1ac8920e01df5796a40acb65f66f223 (20230925142537)
End: cf0ddbec5963b58732cc2ce17a8064ea31d45fb1 (20230926031150)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0ef83860e1ac8920e01df5796a40acb65f66f223&tochange=cf0ddbec5963b58732cc2ce17a8064ea31d45fb1

This pushlog is empty but if you change it to autoland it's not empty

https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0ef83860e1ac8920e01df5796a40acb65f66f223&tochange=cf0ddbec5963b58732cc2ce17a8064ea31d45fb1

Regressed by bug 1852145?

Flags: needinfo?(aosmond)
Flags: needinfo?(aosmond)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: