Hit MOZ_CRASH(Item found was in the wrong list! type 278 (outer type was 263 at depth 2, now is 2)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215
Categories: Core :: Web Painting, defect
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, pernosco, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments (1 file): 592 bytes, text/html
Found while fuzzing m-c 20240320-dbb1856b4f33 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Item found was in the wrong list! type 278 (outer type was 263 at depth 2, now is 2)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215
#0 0x7f8a7f4b3a69 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7f8a7f4b3a69 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2212:7
#2 0x7f8a7f4b3a69 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:634:16
#3 0x7f8a7f3a544e in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7f8a7f3a43c4 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#5 0x7f8a7f4b3ed8 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7f8a7f3a58f0 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7f8a7f3a43c4 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#8 0x7f8a7f3b02c9 in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1666:9
#9 0x7f8a7eb5b918 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3212:38
#10 0x7f8a7ea1f5da in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6530:5
#11 0x7f8a7df3ee03 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#12 0x7f8a7df3e0db in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#13 0x7f8a7df415b7 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#14 0x7f8a7e971bb2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2820:11
#15 0x7f8a7e993ba2 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1838:25
#16 0x7f8a7e993ba2 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#17 0x7f8a72a041aa in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#18 0x7f8a729e9a3b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#19 0x7f8a729e6618 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#20 0x7f8a729e6d19 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#21 0x7f8a72a0c2a1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#22 0x7f8a72a0c2a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#23 0x7f8a72a3423f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#24 0x7f8a72a41efa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#25 0x7f8a746d1e0e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#26 0x7f8a744f0a7a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#27 0x7f8a744f0a7a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#28 0x7f8a744f0a7a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#29 0x7f8a7e078d59 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#30 0x7f8a7e28af92 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#31 0x7f8a8304056e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#32 0x7f8a744f0a7a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#33 0x7f8a744f0a7a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#34 0x7f8a744f0a7a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#35 0x7f8a8303fac3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#36 0x5584533f4b5c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#37 0x5584533f4b5c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#38 0x7f8a9b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#39 0x7f8a9b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#40 0x558453318e68 in _start (/home/user/workspace/browsers/m-c-20240328213634-fuzzing-asan-opt/firefox+0xdce68) (BuildId: 4b41b3bd44a9a667bda0196be41df5c62d959197)
Comment 1•6 months ago
I couldn't reproduce. I tried opt, debug, debug+fuzzing. Maybe some modified prefs? Maybe a pernosco?
Comment 2•6 months ago
Testcase crashes using the initial build (mozilla-central 20240320095303-dbb1856b4f33) but not with tip (mozilla-central 20240329045152-28b4eaeb7028).
Unable to bisect testcase (End build crashes!):
Start: dbb1856b4f3345f0353d4ea33ed0f83a90420827 (20240320095303)
End: 28b4eaeb70285be21ee6612c4e891e41c7949b68 (20240329045152)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 3•6 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 4•6 months ago
(In reply to Bugmon [:jkratzer for issues] from comment #2)
> Testcase crashes using the initial build but not with tip
> Unable to bisect testcase (End build crashes!):
This seems contradictory, tip does not crash, but tip does crash?
Comment 5•6 months ago
This uses background-blend-mode so I suspect this might be the same issue as bug 1870415.
Comment 6•6 months ago
278-256 (per frame bit) = 22 = COMPOSITOR_HITTEST_INFO
263-256 = 7 = BLEND_CONTAINER
2 = ASYNC_ZOOM
Comment 7 (Reporter)•6 months ago
A Pernosco session is available here: https://pernos.co/debug/yZGPniLthlous1mHlDTXPw/index.html
Comment 8 (Reporter)•6 months ago
(In reply to Timothy Nikkel (:tnikkel) from comment #4)
> (In reply to Bugmon [:jkratzer for issues] from comment #2)
> > Testcase crashes using the initial build but not with tip
> > Unable to bisect testcase (End build crashes!):
> This seems contradictory, tip does not crash, but tip does crash?
initial build (first reported by fuzzers) was 20240320095303-dbb1856b4f33 and tip was 20240329045152-28b4eaeb7028 so maybe the test case is not reliable?
Comment 9•6 months ago
After inspecting the pernosco I'm pretty confident this is the same issue as bug 1870415.
Comment 10•6 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 11•6 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 12•6 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 13•6 months ago
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
Comment 14•5 months ago
I included the testcase here in my patch in bug 1870415.