Open Bug 1907470 Opened 1 year ago Updated 7 months ago

Assertion failure: aNewItem->HasModifiedFrame() == HasModifiedFrame(aNewItem), at /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:459

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox137 --- wontfix
firefox138 --- wontfix
firefox139 --- fix-optional

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs, Regression,
URL
)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

testcase.html
785 bytes, text/html
Details
testcase_2.html
491 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing 20240707-0fb6382be830 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aNewItem->HasModifiedFrame() == HasModifiedFrame(aNewItem), at /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:459

#0 0x7c0709d8c02f in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:458:5
#1 0x7c0709d8ad66 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#2 0x7c0709e61a9f in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:509:37
#3 0x7c0709d8c16a in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits>> const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:481:9
#4 0x7c0709d8ad66 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:836:31
#5 0x7c0709d9444e in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1668:9
#6 0x7c07096fa8ec in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3190:38
#7 0x7c07095f96b4 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6464:5
#8 0x7c0708dddb83 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
#9 0x7c0708ddcfdb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
#10 0x7c0708ddfa77 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:896:5
#11 0x7c070956ec7e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2807:11
#12 0x7c07095812b7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#13 0x7c07095812b7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#14 0x7c0709580fca in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#15 0x7c0709580c41 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#16 0x7c070957fc67 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#17 0x7c070957e8c9 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:759:5
#18 0x7c070957df08 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#19 0x7c070957db45 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
#20 0x7c0707fdfccb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#21 0x7c070845f264 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
#22 0x7c070075f471 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4919:32
#23 0x7c07006cb8d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
#24 0x7c07006c787f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
#25 0x7c07006c87a1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#26 0x7c07006c9cf3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
#27 0x7c06ff13f39a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#28 0x7c06ff12b6dd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#29 0x7c06ff128f28 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#30 0x7c06ff129546 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#31 0x7c06ff1465e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:237:37
#32 0x7c06ff1465e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#33 0x7c06ff16735d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#34 0x7c06ff172128 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#35 0x7c07006d3873 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#36 0x7c07005b7824 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#37 0x7c07005b7824 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#38 0x7c07005b7824 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#39 0x7c0708eb8e09 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#40 0x7c070906d7eb in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#41 0x7c070acc88fd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
#42 0x7c07005b7824 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#43 0x7c07005b7824 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#44 0x7c07005b7824 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#45 0x7c070acc7ee5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
#46 0x5d287969b3b0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x5d287969b3b0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
Flags: in-testsuite?

This test case also triggers a different assertion when run in a debug build (that has also been reported by live site testing).

Assertion failure: PresContext()->LayoutPhaseCount(nsLayoutPhase::DisplayListBuilding) == 0, at /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1133

#0 0x74c3e221f2a6 in nsIFrame::MarkNeedsDisplayItemRebuild() /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1132:3
#1 0x74c3e2232b39 in InvalidateFrameInternal(nsIFrame*, bool, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7552:13
#2 0x74c3dfb10229 in mozilla::dom::CanvasRenderingContext2D::EnsureTarget(mozilla::ErrorResult&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, bool, bool) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:1637:21
#3 0x74c3dfb12a6a in EnsureTarget /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:723:12
#4 0x74c3dfb12a6a in mozilla::dom::CanvasRenderingContext2D::GetOptimizedSnapshot(mozilla::gfx::DrawTarget*, gfxAlphaType*) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:2102:8
#5 0x74c3e01f1e9a in mozilla::dom::HTMLCanvasElement::GetSurfaceSnapshot(gfxAlphaType*, mozilla::gfx::DrawTarget*) /builds/worker/checkouts/gecko/dom/html/HTMLCanvasElement.cpp:1406:29
#6 0x74c3e20fc8cd in nsLayoutUtils::SurfaceFromElement(mozilla::dom::HTMLCanvasElement*, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:7368:37
#7 0x74c3e20fd142 in nsLayoutUtils::SurfaceFromElement(mozilla::dom::Element*, mozilla::Maybe<int> const&, mozilla::Maybe<int> const&, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:7477:12
#8 0x74c3e2433e63 in SurfaceFromElement /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:2196:12
#9 0x74c3e2433e63 in mozilla::nsImageRenderer::PrepareImage() /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:167:28
#10 0x74c3e243222c in nsCSSRendering::PrepareImageLayer(nsPresContext*, nsIFrame*, unsigned int, nsRect const&, nsRect const&, nsStyleImageLayers::Layer const&, bool*) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:3091:29
#11 0x74c3e245207f in mozilla::nsDisplayBackgroundImage::GetInitData(mozilla::nsDisplayListBuilder*, nsIFrame*, unsigned short, nsRect const&, mozilla::ComputedStyle const*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2908:34
#12 0x74c3e2453f03 in mozilla::nsDisplayBackgroundImage::AppendBackgroundItemsToTop(mozilla::nsDisplayListBuilder*, nsIFrame*, nsRect const&, mozilla::nsDisplayList*, bool, nsRect const&, nsIFrame*, mozilla::Maybe<mozilla::nsDisplayListBuilder::AutoBuildingDisplayList>*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3280:9
#13 0x74c3e22246cd in nsIFrame::DisplayBackgroundUnconditional(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2641:7
#14 0x74c3e21b0f78 in nsIFrame::DisplayBorderBackgroundOutline(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2665:21
#15 0x74c3e221b4a0 in nsHTMLCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsHTMLCanvasFrame.cpp:471:3
#16 0x74c3e21b2445 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4327:12
#17 0x74c3e219c1ac in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7589:13
#18 0x74c3e219ad68 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7747:9
#19 0x74c3e21b2527 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4312:14
#20 0x74c3e21a0b58 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:576:5
#21 0x74c3e21b2527 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4312:14
#22 0x74c3e215a30a in mozilla::ScrollContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:4165:7
#23 0x74c3e21b2527 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4312:14
#24 0x74c3e217352d in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:65:3
#25 0x74c3e2226d01 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3461:5
#26 0x74c3e20ec716 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3229:15
#27 0x74c3e205ef4f in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6464:5
#28 0x74c3e1c2e45c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
#29 0x74c3e1c2deae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
#30 0x74c3e1c2f4a0 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:896:5
#31 0x74c3e2017448 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2807:11
#32 0x74c3e20201c1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#33 0x74c3e20201c1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#34 0x74c3e20200c0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#35 0x74c3e201ff5d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#36 0x74c3e201f24c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#37 0x74c3e201e5d9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#38 0x74c3e149c47b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#39 0x74c3e1718cc7 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
#40 0x74c3e164d790 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8168:32
#41 0x74c3dd54796f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
#42 0x74c3dd5446c2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
#43 0x74c3dd545342 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#44 0x74c3dd54648f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
#45 0x74c3dc9d4997 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#46 0x74c3dc9ca436 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#47 0x74c3dc9c8e67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#48 0x74c3dc9c92e5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#49 0x74c3dc9d8396 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#50 0x74c3dc9d8396 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#51 0x74c3dc9eba5d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#52 0x74c3dc9f273f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#53 0x74c3dd54d4f5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#54 0x74c3dd4a41f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#55 0x74c3dd4a41f1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#56 0x74c3e1c92f48 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#57 0x74c3e1d4bd94 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#58 0x74c3e2c0322b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
#59 0x74c3dd54e346 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#60 0x74c3dd4a41f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#61 0x74c3dd4a41f1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#62 0x74c3e2c02abb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
#63 0x55d00794ac9f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x55d00794ac9f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
Blocks: site-scout
URL: http://inbank.pl/

Thanks for filing. The LayoutPhaseCount assert is pointing out of the root of the problem: the modified assert is caused because we are invalidating during display list building.

Testcase crashes using the initial build (mozilla-central 20240707205150-0fb6382be830) but not with tip (mozilla-central 20240712041551-a52fa2f14d1d.)

Unable to bisect testcase (Start build didn't crash!):

Start: 0fb6382be83094550774d902bd79f88d0238b215 (20240707205150)
End: a52fa2f14d1dfb500de3b62b8d7450de744f9092 (20240712041551)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]
See Also: → 1671949

Set release status flags based on info from the regressing bug 1829026

:lsalzman, since you are the author of the regressor, bug 1829026, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox128: --- → affected
status-firefox129: --- → affected
status-firefox-esr115: --- → unaffected
status-firefox-esr128: --- → affected
Flags: needinfo?(lsalzman)

The comment says the canvas needs a full transaction, but this happens during a display list build. We may have re-used the canvas display item from the last paint, but I'm not sure that's important, I think it just wants to send a display list to webrender. So potential a way to fix this is to just skip this invalidate call if its during display list building (and somehow plumbing that information to this callsite).

A Pernosco session is available here: https://pernos.co/debug/cSWFkANeukj6WaaHWDfExQ/index.html

Keywords: pernosco
Severity: -- → S3
Flags: needinfo?(lsalzman)

Tyson, does this still reproduce for you with recent nightly?

Flags: needinfo?(twsmith)
Attached file testcase_2.html

I can reproduce the issue with this test cases. The original test case only reproduces the second assertion only seen in debug builds.

Flags: needinfo?(twsmith)
Crash Signature: [@ mozilla::MergeState::ProcessItemFromNewList ]
status-firefox128: wontfix → ---
status-firefox129: wontfix → ---
status-firefox130: wontfix → ---
status-firefox139: --- → affected

Timothy, could you look into fixing this? You would be the most experienced in this part of the code.

Flags: needinfo?(tnikkel)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: