Crash in [@ mozilla::nsDisplayItem::GetOldListIndex]
Categories
(Core :: Web Painting, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox124 | --- | unaffected |
| firefox125 | --- | unaffected |
| firefox126 | + | verified |
People
(Reporter: aryx, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
19 crashes from 8 install on Windows 10 & 11 with builds from yesterday. The crash signature had been observed the days before but patched in bug 1886506.
Steps to reproduce for me: a tab with Google Sheets crashed while I tried to link the inline text in a cell (edited the cell, selected all text, Ctrl+K to open the link dialog). The green background of an autocomplete for a cell if one types something was shown before when it should have not, unknown if related.
Crash report: https://crash-stats.mozilla.org/report/index/ad0a1643-b2e1-463f-8491-6a80f0240324
MOZ_CRASH Reason: Item found was in the wrong list! type 70 (outer type was 23 at depth 3, now is 23)
Top 10 frames of crashing thread:
0 xul.dll MOZ_Crash mfbt/Assertions.h:301
0 xul.dll mozilla::nsDisplayItem::GetOldListIndex layout/painting/nsDisplayList.h:2212
0 xul.dll mozilla::MergeState::HasMatchingItemInOldList layout/painting/RetainedDisplayListBuilder.cpp:634
0 xul.dll mozilla::MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:460
0 xul.dll mozilla::RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:836
1 xul.dll mozilla::MergeState::MergeChildLists layout/painting/RetainedDisplayListBuilder.cpp:509
1 xul.dll mozilla::MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:481
1 xul.dll mozilla::RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:836
2 xul.dll mozilla::MergeState::MergeChildLists layout/painting/RetainedDisplayListBuilder.cpp:509
2 xul.dll mozilla::MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:481
|
||
Comment 1•2 years ago
|
||
Adding an NI for :emilio as requested in https://bugzilla.mozilla.org/show_bug.cgi?id=1886506#c17
|
||
Comment 2•2 years ago
|
||
Message is a bit different: Hit MOZ_CRASH(Item found was in the wrong list! type 40 (outer type was 23 at depth 3, now is 40)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 3•2 years ago
|
||
Sorry I thought the flags had been copied over.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
Make the "is hidden due to non-collapsed selection" use the regular
caret-hiding mechanism, so that we make sure nsCaret and paint are
consistent on their caret visibility.
As part of this simplification:
-
Remove LookAndFeel::IntID::ShowCaretDuringSelection, it's 0 on all
platforms. -
Remove nsCaret::IsMenuPopupHidingCaret. Is really broken as per the
comments (it assumes single-process mode, doesn't deal with shadow
dom, and it's not like it's particularly useful anyways since the
menu popup could be semi-transparent or what not).
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
I did bisect to confirm that testcase.html was regressed by bug 1860328 (and not fixed by the follow up bug 1886506).
|
||
Comment 6•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20240325093847-19d905446a32.
The bug appears to have been introduced in the following build range:
Start: 9ae71156ef3c731f44e2af8d1d9c34b7eb7c6c9b (20240318070214)
End: d3946837037d31a7b6f83b1977e57c4ea384c904 (20240318091545)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9ae71156ef3c731f44e2af8d1d9c34b7eb7c6c9b&tochange=d3946837037d31a7b6f83b1977e57c4ea384c904
|
||
Comment 8•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 11•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20240326164915-7a41e44c6e1a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 13•2 years ago
|
||
There are still crashes in nightlies dated mar 28 which should have this fix (and all other fixes I'm aware of related to the caret changes). So there are still bugs remaining.
|
|
Assignee | |
Comment 14•2 years ago
|
||
Yeah, happy to address them as they come, or try to paper them like the old DL building code did, I guess...
|
|
||
Comment 15•2 years ago
|
||
Two more fuzz bugs were filed for this assert last night: bug 1888583 and bug 1888586. So far I've been unable to reproduce either of them. Maybe someone else could try to reproduce?
Bug 1888586 uses background blend mode so I suspect it'll be a dupe of bug 1870415 (which I understand and will write a patch for).
Description
•