Closed Bug 1962862 Opened 6 months ago Closed 5 months ago

Frequent crash (diagnostic assert) in [@ mozilla::nsDisplayItem::GetOldListIndex] in chatgpt.com

Categories

(Core :: Web Painting, defect, P2)

Product:
Core
Component:
Web Painting
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
140 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- disabled
firefox140 + fixed

People

(Reporter: aryx, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [viewtransitions:m1])

Crash Data

Attachments

(1 file)

Bug 1962862 - Changes to view-transition-name from / to none should invalidate paint. r=#vt,tnikkel
48 bytes, text/x-phabricator-request
Details | Review

43 reports from 26 installs of Firefox 139.0a1 with build IDs 20250425212424 and 20250426091604 on all desktop OS. Only few crash reporters shared the url but it was always ChatGPT. I could not reproduce with a basic query.

Push log in which the regression has likely started.

Emilio: Is this a regression from enabling view transitions in bug 1950759?

Crash report: https://crash-stats.mozilla.org/report/index/7e8055c4-2d10-4fb3-bdef-0c7530250426

MOZ_CRASH Reason:

Item found was in the wrong list! type 20 (outer type was 21 at depth 6, now is 21)

Top 10 frames:

0  xul.dll  MOZ_Crash(char const*, int, char const*)  mfbt/Assertions.h:381
0  xul.dll  mozilla::nsDisplayItem::GetOldListIndex(mozilla::nsDisplayList*, unsigned int...  layout/painting/nsDisplayList.h:2218
0  xul.dll  mozilla::MergeState::HasMatchingItemInOldList(mozilla::nsDisplayItem*, mozill...  layout/painting/RetainedDisplayListBuilder.cpp:633
0  xul.dll  mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla:...  layout/painting/RetainedDisplayListBuilder.cpp:460
0  xul.dll  mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList...  layout/painting/RetainedDisplayListBuilder.cpp:835
1  xul.dll  mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisp...  layout/painting/RetainedDisplayListBuilder.cpp:509
1  xul.dll  mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla:...  layout/painting/RetainedDisplayListBuilder.cpp:481
1  xul.dll  mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList...  layout/painting/RetainedDisplayListBuilder.cpp:835
2  xul.dll  mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisp...  layout/painting/RetainedDisplayListBuilder.cpp:509
2  xul.dll  mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla:...  layout/painting/RetainedDisplayListBuilder.cpp:481
Flags: needinfo?(emilio)

Seems likely (thus nightly only).

Jason, ni?ing just in case you have a test case since I suspect fuzzers will hit it relatively soon

Blocks: css-view-transitions-1
Flags: needinfo?(jkratzer)

Have the fuzzers been trained to produce view transitions testcases?

(In reply to Timothy Nikkel (:tnikkel) from comment #2)

Have the fuzzers been trained to produce view transitions testcases?

Afaiui yeah (I checked a while ago and I got told that once the pref gets turned on they should start hitting it).

Emilio, is this not the same issue as bug 1936080?

Flags: needinfo?(jkratzer)

If not, I have another testcase the produces the nearly the same assertion mentioned in comment 0.

Hit MOZ_CRASH(Item found was in the wrong list! type 20 (outer type was 21 at depth 2, now is 2)) at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2221

Hmm, not quite, we want something that requires document.startViewTransition(), otherwise it's likely not to be the same root cause...

(In reply to Jason Kratzer [:jkratzer] from comment #4)

Emilio, is this not the same issue as bug 1936080?

The testcase in that bug uses overflow-clip-box: content-box which is not something we ever plan on enabling for content for users.

:emilio do you plan on landing a fix for this? Or, should we disable it for now since it is a top crash in nighty?

status-firefox138: --- → unaffected
status-firefox139: affecteddisabled
status-firefox140: --- → affected
status-firefox-esr115: --- → unaffected
status-firefox-esr128: --- → unaffected
tracking-firefox140: --- → +
Keywords: regression
Regressed by: 1950759

I can reliably reproduce this crash in Nightly 140.0a1 (2025-04-29) on macOS: log into chatgpt.com and start a new chat.

Keywords: reproducible

Would be great to have a reproducible test-case here but will try to debug without it.

Assignee: nobody → emilio
Severity: -- → S2
Priority: -- → P2
Summary: Frequent crash (diagnostic assert) in [@ mozilla::nsDisplayItem::GetOldListIndex] → Frequent crash (diagnostic assert) in [@ mozilla::nsDisplayItem::GetOldListIndex] in chatgpt.com

Pernosco session incoming...

A Pernosco session is available here: https://pernos.co/debug/n3RdGY8BGsGLfS7uWHzbog/index.html

Blocks: site-scout
Keywords: pernosco

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 10 desktop browser crashes on nightly
  • Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c17c6e33bb4b Changes to view-transition-name from / to none should invalidate paint. r=tnikkel
Flags: in-testsuite+
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/52269 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/c17c6e33bb4b

Status: NEW → RESOLVED
Closed: 5 months ago
status-firefox140: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch
Upstream PR merged by moz-wptsync-bot
Whiteboard: [viewtransitions:m1]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: