Closed Bug 1888595 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Element state change during style refresh (12884901888)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(6 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Crash Data

Attachments

(3 files)

testcase.html
313 bytes, text/html
Details
Root cause of the issue.
306 bytes, text/html
Details
Bug 1888595 - Auto directionality of non-value-associated form elements should always be LTR. r=smaug
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20240128-926d9cc16ea6 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Element state change during style refresh (12884901888)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

#0 0x7f75565dffa4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7f75565dffa4 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3399:5
#2 0x7f75565dfadf in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4479:37
#3 0x7f75527a0028 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8249:3
#4 0x7f75527f5683 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:370:10
#5 0x7f75547342c6 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:199:12
#6 0x7f75547342c6 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2711:47
#7 0x7f7554717210 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:284:12
#8 0x7f7554717210 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2477:26
#9 0x7f75568aa054 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:137:25
#10 0x7f75568a0ed4 in nsNumberControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsNumberControlFrame.cpp:46:23
#11 0x7f7556724133 in DestroyFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:40:12
#12 0x7f7556724133 in nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:230:11
#13 0x7f755670c953 in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6942:20
#14 0x7f755670c250 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6145:5
#15 0x7f755664d285 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7452:5
#16 0x7f7556648b56 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8439:7
#17 0x7f7556606540 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1677:25
#18 0x7f755660d3f4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3283:9
#19 0x7f75565df005 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3369:3
#20 0x7f75565de147 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4371:39
#21 0x7f75565a2669 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1480:5
#22 0x7f75565a2669 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2501:20
#23 0x7f755659ee88 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2735:28
#24 0x7f75565a89d1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#25 0x7f75565a89d1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#26 0x7f75565a88d0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#27 0x7f75565a876d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#28 0x7f75565a7a0c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#29 0x7f75565a6c79 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#30 0x7f75558bbbbb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#31 0x7f7555bac255 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#32 0x7f75518899f1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5559:32
#33 0x7f755181d35f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818:25
#34 0x7f755181a0b2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737:9
#35 0x7f755181ad32 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#36 0x7f755181be7f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628:14
#37 0x7f7550b1e357 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#38 0x7f7550b139c6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#39 0x7f7550b121a7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#40 0x7f7550b12625 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#41 0x7f7550b222f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#42 0x7f7550b222f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7f7550b37622 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#44 0x7f7550b3e76d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#45 0x7f75518232a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#46 0x7f75517391e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7f75517391e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7f75561d1a98 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7f7556295108 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#50 0x7f75580ceb7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#51 0x7f7551824186 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7f75517391e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#53 0x7f75517391e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#54 0x7f75580ce3a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#55 0x557026b495c6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x557026b495c6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#57 0x7f7565829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#58 0x7f7565829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#59 0x557026b1f2f8 in _start (/home/user/workspace/browsers/m-c-20240328213634-fuzzing-debug/firefox-bin+0x592f8) (BuildId: 7f200af63a26c28c956b7d3f6d16bb0d252d8fb3)
Flags: in-testsuite?

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/aa0ecf04-d779-49a6-bb5a-f2d3c0240329

Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Keywords: crash
See Also: → 1793410

Verified bug as reproducible on mozilla-central 20240329045152-28b4eaeb7028.
The bug appears to have been introduced in the following build range:

Start: 62232a8766349abcac6f524710639f9b3da917a2 (20240115182158)
End: 8a68c5a8cac8300a140767d36eaed293e8f2664c (20240115210435)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=62232a8766349abcac6f524710639f9b3da917a2&tochange=8a68c5a8cac8300a140767d36eaed293e8f2664c

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 10 content process crashes on beta
  • Top 10 AArch64 and ARM crashes on nightly
  • Top 10 AArch64 and ARM crashes on beta

For more information, please visit BugBot documentation.

Keywords: topcrash
status-firefox124: --- → wontfix
status-firefox125: --- → fix-optional
status-firefox-esr115: --- → unaffected
Flags: needinfo?(emilio)
Regressed by: 1856156

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco

A pernosco session for this bug can be found here.

Flags: needinfo?(emilio)

https://html.spec.whatwg.org/#auto-directionality always returns null,
effectively, so should default to always LTR. Inheriting of the parent
directionality wouldn't be handled correctly because we stop the
inheritance on dir=auto boundaries.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f01818290718 Auto directionality of non-value-associated form elements should always be LTR. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45477 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/f01818290718

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox126: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox125 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)
status-firefox125: fix-optionalwontfix
Flags: needinfo?(emilio)

Verified bug as fixed on rev mozilla-central 20240403093409-c720e2e99bf3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox126: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: