Hit MOZ_CRASH(Item found was in the wrong list! type 70 (outer type was 23 at depth 5, now is 39)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215
Categories
(Core :: Web Painting, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox124 | --- | unaffected |
firefox125 | --- | unaffected |
firefox126 | + | fixed |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files, 1 obsolete file)
Found while fuzzing m-c 20240320-dbb1856b4f33 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Item found was in the wrong list! type 70 (outer type was 23 at depth 5, now is 39)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215
#0 0x7dfd723eb063 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7dfd723eb063 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2212:7
#2 0x7dfd723eb063 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:634:16
#3 0x7dfd7238bf5a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#5 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#8 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#9 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#10 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#11 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#12 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#13 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#14 0x7dfd723eb1b1 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#15 0x7dfd7238c0e2 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#16 0x7dfd7238ba00 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#17 0x7dfd7238fceb in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1666:9
#18 0x7dfd72023848 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3212:38
#19 0x7dfd71f8ce2f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6500:5
#20 0x7dfd71b07e92 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#21 0x7dfd71b0791e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#22 0x7dfd71b08f7d in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#23 0x7dfd71f41b55 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2820:11
#24 0x7dfd71f4af81 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#25 0x7dfd71f4af81 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#26 0x7dfd71f4ae80 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#27 0x7dfd71f4ad1d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#28 0x7dfd71f49fbc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#29 0x7dfd71f49229 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#30 0x7dfd7125a67b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#31 0x7dfd7154aafd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#32 0x7dfd6d27f741 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5559:32
#33 0x7dfd6d21313f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818:25
#34 0x7dfd6d20fe92 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737:9
#35 0x7dfd6d210b12 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#36 0x7dfd6d211c5f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628:14
#37 0x7dfd6c50ec37 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#38 0x7dfd6c5042b6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#39 0x7dfd6c502a97 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#40 0x7dfd6c502f15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#41 0x7dfd6c512c49 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#42 0x7dfd6c512c49 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7dfd6c527eb2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#44 0x7dfd6c52effd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#45 0x7dfd6d219033 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#46 0x7dfd6d12f1d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7dfd6d12f1d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7dfd71b72f88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7dfd71c36e58 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#50 0x7dfd73a6d13b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#51 0x7dfd6d219f66 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7dfd6d12f1d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#53 0x7dfd6d12f1d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#54 0x7dfd73a6c9a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#55 0x634b1784c496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x634b1784c496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#57 0x7dfd81229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#58 0x7dfd81229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#59 0x634b178221c8 in _start (/home/user/workspace/browsers/m-c-20240319164128-fuzzing-debug/firefox-bin+0x591c8) (BuildId: 2756970c6c3bfd6e230ff6ceb5b6ee56c22783ea)
Comment 2•7 months ago
Set release status flags based on info from the regressing bug 1860328
:sefeng, since you are the author of the regressor, bug 1860328, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 3•7 months ago
Verified bug as reproducible on mozilla-central 20240320211635-533a3c2e587f.
Unable to bisect testcase (Unable to launch the end build!):
Start: 218676b3830cbb5cdcbc82c4ccb924d948288b9c (20230323094537)
End: dbb1856b4f3345f0353d4ea33ed0f83a90420827 (20240320095303)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Comment 4•7 months ago (Assignee)
The caret position is in the DOM, and sometimes can get out of sync.
While that is an issue, it's not new: The code before the regressing bug
papered over it on a pre-pass before entering DL building.
Instead, deal with it using MarkFramesForDisplay (just like we mark the
caret frame itself, which has the same issue), and invalidate the old
frame more precisely by tracking it in nsCaret directly.
Also, add missing invalidation in PresShell::SetCaret, where the caret
might change and the old caret might not be invalidated properly.
Comment 6•7 months ago
Copying crash signatures from duplicate bugs.
Comment 10•7 months ago (Assignee)
Table captions have a similar issue as column spanners, where their
parent might not be in the subtree of the style frame of its
ancestors. In particular, a repaint posted to a table that
doesn't cause a repaint in the table wrapper might not cause a repaint
of its captions.
Handle table captions like we treat out of flows and spanners, and add
more comments around this set-up.
Comment 11•7 months ago
Comment on attachment 9392862 [details]
Bug 1886506 - Don't use handled hints for table captions. r=TYLin,tnikkel,#style,#layout
Revision D205504 was moved to bug 1870380. Setting attachment 9392862 [details] to obsolete.
Comment 12•7 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/73c915ed013b
https://hg.mozilla.org/mozilla-central/rev/71657ce5e467
Comment 13•7 months ago
Testcase crashes using the initial build (mozilla-central 20240320095303-dbb1856b4f33) but not with tip (mozilla-central 20240323092917-341c752f9f93.)
The bug appears to have been fixed in the following build range:
Start: 81b0c51c60e1a5b9875dd4c1f676817552b10e09 (20240322110706)
End: 640f274ba8d721083e3a62631c1c96e652d0965c (20240322132255)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=81b0c51c60e1a5b9875dd4c1f676817552b10e09&tochange=640f274ba8d721083e3a62631c1c96e652d0965c
emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 16•7 months ago
This is still observed with the latest Nightly 126.0a1 20240324090148. Here on Windows 10, and a tab with Google Sheets crashed (bp-ad0a1643-b2e1-463f-8491-6a80f0240324) while I tried to link the inline text in a cell (edited the cell, selected all text, Ctrl+K to open the link dialog). Do you want a new bug or shall this one be reopened?
Comment 17•7 months ago (Assignee)
Can you file a new one and ni? me? Thanks
Comment 18•6 months ago
(In reply to Pulsebot from comment #7)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/73c915ed013b
Fix caret paint invalidation issues. r=sefeng
== Change summary for alert #42056 (as of Thu, 28 Mar 2024 23:39:54 GMT) ==
Improvements:
Ratio | Test | Platform | Options | Absolute values (old vs new) |
---|---|---|---|---|
10% | perf_reftest_singletons line-iterator.html | macosx1015-64-shippable-qr | e10s fission stylo webrender | 1,487.48 -> 1,333.57 |
10% | perf_reftest_singletons line-iterator.html | windows10-64-shippable-qr | e10s fission stylo webrender | 1,222.20 -> 1,098.46 |
9% | perf_reftest_singletons line-iterator.html | linux1804-64-shippable-qr | e10s fission stylo webrender | 1,239.05 -> 1,123.56 |
9% | perf_reftest_singletons line-iterator.html | linux1804-64-shippable-qr | e10s fission stylo webrender | 1,240.44 -> 1,125.94 |
For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=42056