Closed Bug 1978487 Opened 3 months ago Closed 3 months ago

Hit MOZ_CRASH(unexpected frame type) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8053

Categories: Core :: Layout: Form Controls, defect

Status: VERIFIED FIXED, 143 Branch

Tracking Status:
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox141 --- unaffected
firefox142 --- verified
firefox143 --- verified

People: Reporter: tsmith, Assigned: emilio

References: Blocks 1 open bug, Regression

Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream]

Attachments: 3 files

Attached file testcase.html

Found while fuzzing 20250715-bb851a378010 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(unexpected frame type) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8053

#0 0x7fffdebd2069 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7fffdebd2069 in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8053:5
#2 0x7fffded7005a in CreateContinuationFor /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5393:42
#3 0x7fffded7005a in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4738:35
#4 0x7fffded6c8e9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3879:5
#5 0x7fffded60a36 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3386:29
#6 0x7fffded5a22b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1953:35
#7 0x7fffded57345 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589:9
#8 0x7fffdedb2377 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#9 0x7fffdedada7c in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:709:7
#10 0x7fffdedb4a15 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1143:9
#11 0x7fffdedb55c7 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1260:5
#12 0x7fffded76eb8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, mozilla::CollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291:11
#13 0x7fffded6f02d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4555:11
#14 0x7fffded6c8e9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3879:5
#15 0x7fffded60a36 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3386:29
#16 0x7fffded5a22b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1953:35
#17 0x7fffded57345 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589:9
#18 0x7fffdedb2377 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#19 0x7fffdece56e6 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:915:3
#20 0x7fffdece6bf1 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1031:3
#21 0x7fffdeceb3c5 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1491:3
#22 0x7fffded76eb8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, mozilla::CollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291:11
#23 0x7fffded6f02d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4555:11
#24 0x7fffded6c8e9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3879:5
#25 0x7fffded60a36 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3386:29
#26 0x7fffded5a22b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1953:35
#27 0x7fffded57345 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589:9
#28 0x7fffdedb2377 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#29 0x7fffdedada7c in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:709:7
#30 0x7fffdedb5568 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1253:37
#31 0x7fffded76eb8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, mozilla::CollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:291:11
#32 0x7fffded6f02d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4555:11
#33 0x7fffded6c8e9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3879:5
#34 0x7fffded60a36 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3386:29
#35 0x7fffded5a22b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1953:35
#36 0x7fffded57345 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1589:9
#37 0x7fffdedb2377 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#38 0x7fffded95105 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:584:7
#39 0x7fffdedb2377 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#40 0x7fffdece56e6 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:915:3
#41 0x7fffdece6bf1 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1031:3
#42 0x7fffdeceb3c5 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1491:3
#43 0x7fffdedc6af8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:947:14
#44 0x7fffded44399 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:415:7
#45 0x7fffdeb03a78 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10845:11
#46 0x7fffdeb455f7 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:11015:22
#47 0x7fffdeb169c7 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:11065:10
#48 0x7fffdeb169c7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4657:9
#49 0x7fffd79bcba4 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1475:5
#50 0x7fffd79bcba4 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11531:16
#51 0x7fffd797620d in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:11463:3
#52 0x7fffd797620d in mozilla::dom::Document::AutoEditorCommandTarget::AutoEditorCommandTarget(mozilla::dom::Document&, mozilla::dom::Document::InternalCommandData const&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5445:13
#53 0x7fffd7977ef9 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5684:27
#54 0x7fffd934e70f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4181:36
#55 0x7fffd97cea1f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#56 0x7fffe0597bc7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#57 0x7fffe0597bc7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#58 0x7fffe169ac39 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
Flags: in-testsuite?

Got a crash from the testcase on the latest Nightly: https://crash-stats.mozilla.org/report/index/4312993f-8d9d-44bc-b5e1-caccc0250722

Crash Signature: [@ nsCSSFrameConstructor::CreateContinuingFrame ]
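
The signature above names frame #1 of the trace in comment 0, not frame #0, which is only the inlined crash helper. As an added example (not part of this bug report or of Mozilla's tooling), the Python below parses the ASan-style frames, collapses inlined frames that share an address, and takes the first non-helper function as the triage bucket; the skip list and all function names in the script are assumptions made for the example.

```python
import re

# Sample input: the top four frames of the trace in comment 0, copied from this report.
SAMPLE_TRACE = """\
#0 0x7fffdebd2069 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7fffdebd2069 in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8053:5
#2 0x7fffded7005a in CreateContinuationFor /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5393:42
#3 0x7fffded7005a in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4738:35
"""

# "#N 0xADDR in <function, may contain spaces> /abs/path:line[:col]"
FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) in (.+) (/\S+?):(\d+)(?::(\d+))?$")

# Assumption for this example: frames that only report the crash and never cause it.
HELPER_FRAMES = {"MOZ_CrashSequence"}


def parse_frames(trace):
    """Return one dict per symbolized frame; lines that are not frames are skipped."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        num, addr, func, path, lineno, _col = m.groups()
        frames.append({
            "index": int(num),
            "addr": int(addr, 16),
            # Simplification: drop the argument list at the first "(".
            "func": func.split("(", 1)[0],
            "file": path.rsplit("/", 1)[-1],
            "line": int(lineno),
        })
    return frames


def physical_frames(frames):
    """Collapse runs of frames with the same address (inlined callees are
    listed first), keeping the last entry of each run: the real function."""
    out = []
    for f in frames:
        if out and out[-1]["addr"] == f["addr"]:
            out[-1] = f
        else:
            out.append(f)
    return out


def crash_site(frames, skip=HELPER_FRAMES):
    """First frame whose function is not a crash helper, or None."""
    return next((f for f in frames if f["func"] not in skip), None)


def crash_signature(trace):
    site = crash_site(parse_frames(trace))
    return site["func"] if site else None


if __name__ == "__main__":
    site = crash_site(parse_frames(SAMPLE_TRACE))
    print(crash_signature(SAMPLE_TRACE), f'{site["file"]}:{site["line"]}')
```
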

Bisection:
Bug 1873301 - Remove nsHTMLButtonControlFrame. r=dholbert,layout-reviewers,dshin
Differential Revision: https://phabricator.services.mozilla.com/D257149

Before the regressing bug, the testcase keeps on loading indefinitely, maybe because of the large number of columns.

Keywords: regression
Regressed by: 1873301

Verified bug as reproducible on mozilla-central 20250721154325-bca22a6d0402.
The bug appears to have been introduced in the following build range:

Start: 24935e432860eb5f2c5c2c7ffab8342dac8a1461 (20250715102651)
End: a8395671c107c9646401b918794696689cd5576c (20250715124335)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=24935e432860eb5f2c5c2c7ffab8342dac8a1461&tochange=a8395671c107c9646401b918794696689cd5576c

Whiteboard: [bugmon:bisected,confirmed]

:emilio, since you are the author of the regressor, bug 1873301, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Flags: needinfo?(emilio)

This matches the pre-regression behavior. I matched select's
break-inside behavior, but we might want to make that !important, since
the old code always used unconstrained bsize for the button contents?

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1873301

Pushed by ealvarez@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/bc169c7f597e https://hg.mozilla.org/integration/autoland/rev/95c0fcb67725 Make all ButtonControlFrames non-fragmentable, not just nsComboboxControlFrame. r=layout-reviewers,dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/53900 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Component: CSS Parsing and Computation → Layout: Form Controls
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Comment on attachment 9502081 [details]
Bug 1978487 - Make all ButtonControlFrames non-fragmentable, not just nsComboboxControlFrame. r=#layout

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: recent regression
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 0
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple fix
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(emilio)
Attachment #9502081 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Crash is resolved.
We are back to very looong layout calculation in the testcase, which is the pre-regression behaviour.

Verified bug as fixed on rev mozilla-central 20250723094141-92d83833f828.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite? → in-testsuite+

Comment on attachment 9502081 [details]
Bug 1978487 - Make all ButtonControlFrames non-fragmentable, not just nsComboboxControlFrame. r=#layout

Approved for 142.0b3

Attachment #9502081 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Pushed by dsmith@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/e70cafba0abd https://hg.mozilla.org/releases/mozilla-beta/rev/6553635bdeee Make all ButtonControlFrames non-fragmentable, not just nsComboboxControlFrame. r=layout-reviewers,dshin,a=dsmith
QA Whiteboard: [uplift][qa-ver-needed-c143/b142]

I was able to reproduce the crash with an affected Firefox Nightly 143.0a1 (2025-07-21) build on Windows 11 and macOS 13, with the testcase attached in Comment 0 -> the tab is crashing after loading the testcase.
Verified as fixed using Firefox 142.0b3 on Windows 11, macOS 13 and Ubuntu 22.04. The tab is no longer crashing after loading the testcase (the testcase keeps on loading indefinitely, as mentioned in Comment 18).
Also, please note that Firefox fails to quit properly when the tab is open (on macOS, several attempts are needed before the browser finally quits, and on Windows/Ubuntu, the window closes but the process remains active in the background for about 1-2 minutes) - but this also happened before the regressing bug. Please let me know if a separate bug should be filed for this. Thanks.

QA Whiteboard: [uplift][qa-ver-needed-c143/b142] → [uplift][qa-ver-done-c143/b142]
Flags: qe-verify+