Closed Bug 1888586 Opened 6 months ago Closed 5 months ago

Hit MOZ_CRASH(Item found was in the wrong list! type 278 (outer type was 263 at depth 2, now is 2)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215

Categories: Core :: Web Painting, defect

Status: RESOLVED DUPLICATE of bug 1870415

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Keywords: assertion, pernosco, testcase
Whiteboard: [bugmon:bisected,confirmed]

Attachments: 1 file

Attached file testcase.html

Found while fuzzing m-c 20240320-dbb1856b4f33 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Item found was in the wrong list! type 278 (outer type was 263 at depth 2, now is 2)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2215

#0 0x7f8a7f4b3a69 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7f8a7f4b3a69 in GetOldListIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2212:7
#2 0x7f8a7f4b3a69 in mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozilla::Index<mozilla::OldListUnits>*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:634:16
#3 0x7f8a7f3a544e in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:461:9
#4 0x7f8a7f3a43c4 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#5 0x7f8a7f4b3ed8 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#6 0x7f8a7f3a58f0 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#7 0x7f8a7f3a43c4 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#8 0x7f8a7f3b02c9 in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1666:9
#9 0x7f8a7eb5b918 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3212:38
#10 0x7f8a7ea1f5da in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6530:5
#11 0x7f8a7df3ee03 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#12 0x7f8a7df3e0db in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#13 0x7f8a7df415b7 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#14 0x7f8a7e971bb2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2820:11
#15 0x7f8a7e993ba2 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1838:25
#16 0x7f8a7e993ba2 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#17 0x7f8a72a041aa in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#18 0x7f8a729e9a3b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#19 0x7f8a729e6618 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#20 0x7f8a729e6d19 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#21 0x7f8a72a0c2a1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#22 0x7f8a72a0c2a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#23 0x7f8a72a3423f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#24 0x7f8a72a41efa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#25 0x7f8a746d1e0e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#26 0x7f8a744f0a7a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#27 0x7f8a744f0a7a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#28 0x7f8a744f0a7a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#29 0x7f8a7e078d59 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#30 0x7f8a7e28af92 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#31 0x7f8a8304056e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#32 0x7f8a744f0a7a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#33 0x7f8a744f0a7a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#34 0x7f8a744f0a7a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#35 0x7f8a8303fac3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#36 0x5584533f4b5c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#37 0x5584533f4b5c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#38 0x7f8a9b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#39 0x7f8a9b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#40 0x558453318e68 in _start (/home/user/workspace/browsers/m-c-20240328213634-fuzzing-asan-opt/firefox+0xdce68) (BuildId: 4b41b3bd44a9a667bda0196be41df5c62d959197)
Flags: in-testsuite?

I couldn't reproduce. I tried opt, debug, debug+fuzzing. Maybe some modified prefs? Maybe a pernosco?

Testcase crashes using the initial build (mozilla-central 20240320095303-dbb1856b4f33) but not with tip (mozilla-central 20240329045152-28b4eaeb7028.)

Unable to bisect testcase (End build crashes!):

Start: dbb1856b4f3345f0353d4ea33ed0f83a90420827 (20240320095303)
End: 28b4eaeb70285be21ee6612c4e891e41c7949b68 (20240329045152)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Testcase crashes using the initial build but not with tip

Unable to bisect testcase (End build crashes!):

This seems contradictory: tip does not crash, but tip does crash?

Flags: needinfo?(twsmith)

This uses background-blend mode so I suspect this might be the same issue as bug 1870415.

See Also: → 1870415

278-256 (per frame bit) = 22 = COMPOSITOR_HITTEST_INFO
263-256 = 7 = BLEND_CONTAINER
2 = ASYNC_ZOOM

A Pernosco session is available here: https://pernos.co/debug/yZGPniLthlous1mHlDTXPw/index.html

Flags: needinfo?(twsmith)

(In reply to Timothy Nikkel (:tnikkel) from comment #4)

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Testcase crashes using the initial build but not with tip

Unable to bisect testcase (End build crashes!):

This seems contradictory: tip does not crash, but tip does crash?

Initial build (first reported by fuzzers) was 20240320095303-dbb1856b4f33 and tip was 20240329045152-28b4eaeb7028, so maybe the test case is not reliable?

Severity: -- → S3

After inspecting the pernosco I'm pretty confident this is the same issue as bug 1870415.

Depends on: 1870415
See Also: 1870415

See Also: → 1888583

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

I included the testcase here in my patch in bug 1870415.

Status: NEW → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1870415
Resolution: --- → DUPLICATE