Closed Bug 1966682 Opened 10 months ago Closed 10 months ago

Assertion failure: aContent != (*this)[i].mContent || !((*this)[i].mHint & nsChangeHint_ReconstructFrame) (Should not append a non-ReconstructFrame hint after appending a ReconstructFrame hint for the same content.), at /

Categories

(Core :: Layout, defect)

x86_64
Linux
defect
Points:
1

Tracking

VERIFIED FIXED
140 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- disabled
firefox140 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: pernosco, regression, testcase, Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:m2] [wptsync upstream])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 907a3d528f5e (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 907a3d528f5e --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aContent != (*this)[i].mContent || !((*this)[i].mHint & nsChangeHint_ReconstructFrame) (Should not append a non-ReconstructFrame hint after appending a ReconstructFrame hint for the same content.), at /

    ==2826251==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7e195efa9217 bp 0x7ffd80e31250 sp 0x7ffd80e31210 T2826251)
    ==2826251==The signal is caused by a WRITE memory access.
    ==2826251==Hint: address points to the zero page.
        #0 0x7e195efa9217 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7e195efa9217 in nsStyleChangeList::AppendChange(nsIFrame*, nsIContent*, nsChangeHint) /layout/base/nsStyleChangeList.cpp:57:7
        #2 0x7e195ef11eaf in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3317:24
        #3 0x7e195eee67d5 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3393:3
        #4 0x7e195eee5b49 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4609:37
        #5 0x7e195b0cc215 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1459:5
        #6 0x7e195b0cc215 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:11464:16
        #7 0x7e195aee46d9 in FlushPendingNotifications /dom/base/nsGlobalWindowInner.cpp:6411:11
        #8 0x7e195aee46d9 in nsGlobalWindowInner::ScrollTo(mozilla::dom::ScrollToOptions const&) /dom/base/nsGlobalWindowInner.cpp:3855:5
        #9 0x7e195aee44e0 in nsGlobalWindowInner::ScrollTo(double, double) /dom/base/nsGlobalWindowInner.cpp:3836:3
        #10 0x7e195bf37f8f in Scroll /dom/base/nsGlobalWindowInner.h:781:5
        #11 0x7e195bf37f8f in mozilla::dom::Window_Binding::scroll(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:4467:28
        #12 0x7e195c48a1d5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3302:13
        #13 0x7e195fc6a9e4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:494:13
        #14 0x7e195fc6a23f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:590:12
        #15 0x7e195fc7dee6 in CallFromStack /js/src/vm/Interpreter.cpp:662:10
        #16 0x7e195fc7dee6 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3286:16
        #17 0x7e195fc69881 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:464:13
        #18 0x7e195fc6a265 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #19 0x7e195fc6b68b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #20 0x7e195ff85537 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1412:10
        #21 0x7e196097bc42 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/VMFunctions.cpp:1139:10
        #22 0x18428ae15429  ([anon:js-executable-memory]+0x12429)
    
    ==2826251==Register values:
    rax = 0x0000000000000000  rbx = 0x00007ffd80e31440  rcx = 0x000000000000003d  rdx = 0x00007e1969c29563  
    rdi = 0x00007e1969c2a700  rsi = 0x0000000000000000  rbp = 0x00007ffd80e31250  rsp = 0x00007ffd80e31210  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x0000000000000000  r13 = 0x000060083fa7ce40  r14 = 0x0000000000000200  r15 = 0x000060083fab0ee0  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==2826251==ABORTING
Attached file Testcase
Attachment #9488044 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9488044 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20250515084440-907a3d528f5e.
The bug appears to have been introduced in the following build range:

Start: 32f5cd049a9c791a74a146f5286a537282c82d58 (20250425091026)
End: ecdd0e6ee8560e550f35c4d4a9aba8cfb36ec457 (20250425100853)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=32f5cd049a9c791a74a146f5286a537282c82d58&tochange=ecdd0e6ee8560e550f35c4d4a9aba8cfb36ec457

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Regressed by: 1950759

Set release status flags based on info from the regressing bug 1950759

:emilio, since you are the author of the regressor, bug 1950759, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

We're reconstructing the view transition root and also the root itself, and that ends up doing useless work.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][viewtransitions:triage]
Assignee: nobody → emilio
Attachment #9488428 - Attachment description: WIP: Bug 1966682 - wip → Bug 1966682 - Don't reframe the root when inserting / removing the view transition snapshot containing block. r=#vt,#layout
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/548b393fc06e Don't reframe the root when inserting / removing the view transition snapshot containing block. r=dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/52697 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed][viewtransitions:triage] → [bugmon:bisected,confirmed][viewtransitions:triage], [wptsync upstream]
Flags: needinfo?(emilio)
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20250521212425-d614db7d6013.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Points: --- → 1
Whiteboard: [bugmon:bisected,confirmed][viewtransitions:triage], [wptsync upstream] → [bugmon:bisected,confirmed] [viewtransitions:m2] [wptsync upstream]