Open Bug 1887929 Opened 11 months ago Updated 10 months ago

Assertion failure: aStops.LastElement().mPosition - 1 <= 1e6, at /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:538

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox126 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
242 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20240325-86f79ebd2542 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aStops.LastElement().mPosition - 1 <= 1e6, at /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:538

#0 0x7d0c103dd768 in ClampColorStops /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:538:3
#1 0x7d0c103dd768 in mozilla::nsCSSGradientRenderer::Paint(gfxContext&, nsRect const&, nsRect const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, nsRect const&, float) /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:816:5
#2 0x7d0c1040bcf5 in mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:501:16
#3 0x7d0c103d7f5f in mozilla::nsImageRenderer::DrawBorderImageComponent(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, mozilla::StyleBorderImageRepeat, mozilla::StyleBorderImageRepeat, nsSize const&, unsigned char, mozilla::Maybe<nsSize> const&, bool) /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:972:10
#4 0x7d0c103bd8a7 in nsCSSBorderImageRenderer::DrawBorderImage(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingBorders.cpp:3565:32
#5 0x7d0c103bb40c in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:860:24
#6 0x7d0c103bb09e in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:650:10
#7 0x7d0c103f2621 in mozilla::nsDisplayBorder::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4217:13
#8 0x7d0c0bb0e77b in mozilla::layers::PaintItemByDrawTarget(mozilla::nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::BaseScaleFactors2D<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2351:38
#9 0x7d0c0bb0d35f in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2609:7
#10 0x7d0c0bb072f3 in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2897:48
#11 0x7d0c0bb05982 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
#12 0x7d0c103f7a02 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4595:30
#13 0x7d0c103f7a02 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4949:12
#14 0x7d0c103f7a02 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5221:22
#15 0x7d0c0bb071c6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1864:41
#16 0x7d0c0bb05982 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
#17 0x7d0c0bb03f0a in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1785:5
#18 0x7d0c0bb19b78 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:364:30
#19 0x7d0c103e63f7 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2279:18
#20 0x7d0c1004d131 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3315:9
#21 0x7d0c0ffb641f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6530:5
#22 0x7d0c0fb31f62 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#23 0x7d0c0fb319ee in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#24 0x7d0c0fb3304d in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#25 0x7d0c0ff6acf5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2820:11
#26 0x7d0c0ff74121 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#27 0x7d0c0ff74121 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#28 0x7d0c0ff74020 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#29 0x7d0c0ff73ebd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#30 0x7d0c0ff7315c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#31 0x7d0c0ff723c9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#32 0x7d0c0f2873cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#33 0x7d0c0f577555 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#34 0x7d0c0f4602c0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8274:32
#35 0x7d0c0b2192bf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818:25
#36 0x7d0c0b216012 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737:9
#37 0x7d0c0b216c92 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#38 0x7d0c0b217ddf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628:14
#39 0x7d0c0a513727 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#40 0x7d0c0a508d96 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#41 0x7d0c0a507577 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#42 0x7d0c0a5079f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#43 0x7d0c0a5176c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#44 0x7d0c0a5176c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#45 0x7d0c0a52c9a2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#46 0x7d0c0a533aed in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#47 0x7d0c0b21f205 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#48 0x7d0c0b134fc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#49 0x7d0c0b134fc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#50 0x7d0c0fb9d0a8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#51 0x7d0c0fc605e8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#52 0x7d0c11a9f80b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#53 0x7d0c0b2200e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#54 0x7d0c0b134fc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#55 0x7d0c0b134fc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#56 0x7d0c11a9f072 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#57 0x5b37fd367496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#58 0x5b37fd367496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#59 0x7d0c20629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#60 0x7d0c20629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#61 0x5b37fd33d1c8 in _start (/home/user/workspace/browsers/m-c-20240326095207-fuzzing-debug/firefox-bin+0x591c8) (BuildId: 029ee0b176d80845d30b7dda01c8579ad5573961)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240326211853-a93eeb987e4a.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: ff84e2935cc3c0b1a61d28165919e628aabae448 (20230329030858)
End: 86f79ebd25420a0bc1feadea488ca0b1c59771c6 (20240325214523)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:tnikkel, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(tnikkel)
Severity: -- → S3
Flags: needinfo?(tnikkel)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: