Closed Bug 1886506 Opened 7 months ago Closed 7 months ago

Hit MOZ_CRASH(Item found was in the wrong list! type 70 (outer type was 23 at depth 5, now is 39)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215

Categories

(Core :: Web Painting, defect)

Tracking

RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 + fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html

Found while fuzzing m-c 20240320-dbb1856b4f33 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Item found was in the wrong list! type 70 (outer type was 23 at depth 5, now is 39)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215

#0 0x7dfd723eb063 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7dfd723eb063 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2212:7
#2 0x7dfd723eb063 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:634:16
#3 0x7dfd7238bf5a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#5 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#8 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#9 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#10 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#11 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#12 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#13 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#14 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#15 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#16 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#17 0x7dfd7238fceb in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1666:9
#18 0x7dfd72023848 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3212:38
#19 0x7dfd71f8ce2f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6500:5
#20 0x7dfd71b07e92 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#21 0x7dfd71b0791e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#22 0x7dfd71b08f7d in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#23 0x7dfd71f41b55 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2820:11
#24 0x7dfd71f4af81 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#25 0x7dfd71f4af81 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#26 0x7dfd71f4ae80 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#27 0x7dfd71f4ad1d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#28 0x7dfd71f49fbc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#29 0x7dfd71f49229 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#30 0x7dfd7125a67b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#31 0x7dfd7154aafd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#32 0x7dfd6d27f741 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5559:32
#33 0x7dfd6d21313f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818:25
#34 0x7dfd6d20fe92 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737:9
#35 0x7dfd6d210b12 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#36 0x7dfd6d211c5f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628:14
#37 0x7dfd6c50ec37 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#38 0x7dfd6c5042b6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#39 0x7dfd6c502a97 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#40 0x7dfd6c502f15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#41 0x7dfd6c512c49 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#42 0x7dfd6c512c49 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7dfd6c527eb2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#44 0x7dfd6c52effd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#45 0x7dfd6d219033 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#46 0x7dfd6d12f1d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7dfd6d12f1d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7dfd71b72f88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7dfd71c36e58 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#50 0x7dfd73a6d13b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#51 0x7dfd6d219f66 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7dfd6d12f1d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#53 0x7dfd6d12f1d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#54 0x7dfd73a6c9a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#55 0x634b1784c496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x634b1784c496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#57 0x7dfd81229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#58 0x7dfd81229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#59 0x634b178221c8 in _start (/home/user/workspace/browsers/m-c-20240319164128-fuzzing-debug/firefox-bin+0x591c8) (BuildId: 2756970c6c3bfd6e230ff6ceb5b6ee56c22783ea)
Flags: in-testsuite?
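
Added example (not part of the bug report and not Mozilla's tooling): a small triage helper for a symbolized trace like the one above. It derives a bucketing key by skipping the assertion helper, finds the real function that the inlined top frames belong to, and counts how deeply the display-list merge had recursed. The skip list, the function names and the abridged sample are assumptions made for illustration.

```python
import re

# Constructed sample: frames #0-#17 of the trace in this report, abridged
# (most argument lists dropped, paths made relative to the gecko checkout).
RDL = "layout/painting/RetainedDisplayListBuilder.cpp"
TRACE = f"""\
#0 0x7dfd723eb063 in MOZ_Crash dist/include/mozilla/Assertions.h:301:3
#1 0x7dfd723eb063 in GetOldListIndex layout/painting/nsDisplayList.h:2212:7
#2 0x7dfd723eb063 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) {RDL}:634:16
#3 0x7dfd7238bf5a in mozilla::MergeState::ProcessItemFromNewList {RDL}:461:9
#4 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists {RDL}:836:31
#5 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists {RDL}:509:37
#6 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList {RDL}:481:9
#7 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists {RDL}:836:31
#8 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists {RDL}:509:37
#9 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList {RDL}:481:9
#10 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists {RDL}:836:31
#11 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists {RDL}:509:37
#12 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList {RDL}:481:9
#13 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists {RDL}:836:31
#14 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists {RDL}:509:37
#15 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList {RDL}:481:9
#16 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists {RDL}:836:31
#17 0x7dfd7238fceb in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate {RDL}:1666:9
"""

FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) in (.+) (\S+):(\d+):(\d+)$")
# Assumption: helpers to skip when bucketing; only MOZ_Crash appears on this page.
ASSERT_HELPERS = {"MOZ_Crash"}

def parse_frames(text):
    """Return (index, address, function-without-arguments, file, line) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # frames without file:line:col (e.g. unsymbolized ones) are skipped
            func = m.group(3).split("(", 1)[0]
            frames.append((int(m.group(1)), m.group(2), func, m.group(4), int(m.group(5))))
    return frames

def signature(frames):
    """First function that is not an assertion helper: the bucketing key."""
    return next(f[2] for f in frames if f[2] not in ASSERT_HELPERS)

def inlined_into(frames):
    """Frames sharing frame #0's address were inlined into the last of them."""
    top = [f for f in frames if f[1] == frames[0][1]]
    return top[-1][2]

def merge_nesting(frames):
    """Number of nested MergeDisplayLists calls active at the crash."""
    return sum(f[2].endswith("::MergeDisplayLists") for f in frames)
```

On this sample the key is `GetOldListIndex`, the trailing component of the crash signature recorded later in this bug, and the three top frames resolve to a single call site in `HasMatchingItemInOldList`.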

Set release status flags based on info from the regressing bug 1860328

:sefeng, since you are the author of the regressor, bug 1860328, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)

Verified bug as reproducible on mozilla-central 20240320211635-533a3c2e587f.
Unable to bisect testcase (Unable to launch the end build!):

Start: 218676b3830cbb5cdcbc82c4ccb924d948288b9c (20230323094537)
End: dbb1856b4f3345f0353d4ea33ed0f83a90420827 (20240320095303)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(emilio)

The caret position is in the DOM, and sometimes can get out of sync.

While that is an issue, it's not new: The code before the regressing bug
papered over it on a pre-pass before entering DL building.

Instead, deal with it using MarkFramesForDisplay (just like we mark the
caret frame itself, which has the same issue), and invalidate the old
frame more precisely by tracking it in nsCaret directly.

Also, add missing invalidation in PresShell::SetCaret, where the caret
might change and the old caret might not be invalidated properly.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Blocks: 1886415
Flags: needinfo?(emilio)
Flags: needinfo?(sefeng)
Duplicate of this bug: 1870415

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::nsDisplayItem::GetOldListIndex]
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73c915ed013b Fix caret paint invalidation issues. r=sefeng
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45271 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
No longer blocks: 1870380

Table captions have a similar issue as column spanners, where their
parent might not be in the subtree of the style frame of its
ancestors. In particular, a repaint posted to a table that
doesn't cause a repaint in the table wrapper might not cause a repaint
of its captions.

Handle table captions like we treat out of flows and spanners, and add
more comments around this set-up.

Attachment #9392862 - Attachment description: Bug 1886506 - Don't use handled hints from a table in its captions. r=TYLin,tnikkel,#style,#layout → Bug 1886506 - Don't use handled hints for table captions. r=TYLin,tnikkel,#style,#layout

Comment on attachment 9392862 [details]
Bug 1886506 - Don't use handled hints for table captions. r=TYLin,tnikkel,#style,#layout

Revision D205504 was moved to bug 1870380. Setting attachment 9392862 [details] to obsolete.

Attachment #9392862 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

Testcase crashes using the initial build (mozilla-central 20240320095303-dbb1856b4f33) but not with tip (mozilla-central 20240323092917-341c752f9f93.)

The bug appears to have been fixed in the following build range:

Start: 81b0c51c60e1a5b9875dd4c1f676817552b10e09 (20240322110706)
End: 640f274ba8d721083e3a62631c1c96e652d0965c (20240322132255)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=81b0c51c60e1a5b9875dd4c1f676817552b10e09&tochange=640f274ba8d721083e3a62631c1c96e652d0965c

emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(emilio)
Keywords: bugmon

Yes

Flags: needinfo?(emilio)
Upstream PR merged by moz-wptsync-bot

This is still observed with the latest Nightly 126.0a1 20240324090148. Here on Windows 10, and a tab with Google Sheets crashed (bp-ad0a1643-b2e1-463f-8491-6a80f0240324) while I tried to link the inline text in a cell (edited the cell, selected all text, Ctrl+K to open the link dialog). Do you want a new bug or shall this one be reopened?

Flags: needinfo?(emilio)

Can you file a new one and ni? me? Thanks

Flags: needinfo?(emilio)
No longer blocks: 1886415
See Also: 1870415
No longer duplicate of this bug: 1870415
Regressions: 1888583

(In reply to Pulsebot from comment #7)

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/73c915ed013b
Fix caret paint invalidation issues. r=sefeng

== Change summary for alert #42056 (as of Thu, 28 Mar 2024 23:39:54 GMT) ==

Improvements:

| Ratio | Test | Platform | Options | Absolute values (old vs new) |
| --- | --- | --- | --- | --- |
| 10% | perf_reftest_singletons line-iterator.html | macosx1015-64-shippable-qr | e10s fission stylo webrender | 1,487.48 -> 1,333.57 |
| 10% | perf_reftest_singletons line-iterator.html | windows10-64-shippable-qr | e10s fission stylo webrender | 1,222.20 -> 1,098.46 |
| 9% | perf_reftest_singletons line-iterator.html | linux1804-64-shippable-qr | e10s fission stylo webrender | 1,239.05 -> 1,123.56 |
| 9% | perf_reftest_singletons line-iterator.html | linux1804-64-shippable-qr | e10s fission stylo webrender | 1,240.44 -> 1,125.94 |

For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=42056

Keywords: perf-alert