Hit MOZ_CRASH(Element state change during style refresh (15360)) at /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3424
Categories: Core :: Layout, defect
Tracking:
Branch | Tracking | Status
---|---|---
firefox143 | --- | fix-optional
firefox144 | --- | affected
People: Reporter: tsmith, Unassigned
References: Blocks 2 open bugs
Details: Keywords: assertion, pernosco, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments (1 file): 302 bytes, text/html
Found while fuzzing 20250628-fb8a961955b6 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Element state change during style refresh (15360)) at /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3424
#0 0x770f77c67a75 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x770f77c67a75 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
#2 0x770f77c67a75 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3422:5
#3 0x770f77d0ba80 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4710:37
#4 0x770f73d788b0 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8739:3
#5 0x770f73dd5983 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:391:10
#6 0x770f75d0a614 in ~AutoStateChangeNotifier /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:772:18
#7 0x770f75d0a614 in UpdateValidityElementStates /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6301:1
#8 0x770f75d0a614 in UpdateAllValidityStates /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6926:5
#9 0x770f75d0a614 in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:7109:3
#10 0x770f75d63f56 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:210:12
#11 0x770f75d63f56 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2750:47
#12 0x770f75d4d4ff in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:288:12
#13 0x770f75d4d4ff in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2488:26
#14 0x770f77fa4852 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:130:25
#15 0x770f77f292bb in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsFrameList*, mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:395:14
#16 0x770f77e26fd9 in nsBlockFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:481:3
#17 0x770f77f292bb in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsFrameList*, mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:395:14
#18 0x770f77e26fd9 in nsBlockFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:481:3
#19 0x770f77e474ad in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7286:20
#20 0x770f77e46cb0 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6439:5
#21 0x770f77d679b3 in nsCSSFrameConstructor::ContentWillBeRemoved(nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7553:5
#22 0x770f77d631b7 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8477:7
#23 0x770f77c5e7e0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1685:25
#24 0x770f77c65de4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3300:7
#25 0x770f77c67255 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3390:3
#26 0x770f77d0aa40 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4644:37
#27 0x770f73d8ba55 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1491:5
#28 0x770f73d8ba55 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11547:16
#29 0x770f73efb0eb in mozilla::dom::Selection::ScrollIntoView(short, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags, mozilla::SelectionScrollMode) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3867:31
#30 0x770f73f01aa8 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3806:14
#31 0x770f77ccecf2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2386:13
#32 0x770f77cd8771 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:371:13
#33 0x770f77cd8771 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:349:7
#34 0x770f77cd8670 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:365:5
#35 0x770f77cd851d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:955:5
#36 0x770f77cd7aba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:865:5
#37 0x770f77cd6fb6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:596:14
#38 0x770f770b3ffb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#39 0x770f773344fd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#40 0x770f72acb102 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
#41 0x770f72a6b23e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#42 0x770f72a687c0 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#43 0x770f72a691c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#44 0x770f72a6a1a9 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#45 0x770f71e95877 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#46 0x770f71e8e97e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1310:20
#47 0x770f71e8d6b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1133:15
#48 0x770f71e8db35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#49 0x770f71e9c8b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#50 0x770f71e9c8b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#51 0x770f71eae4b3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#52 0x770f71eb4bdf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#53 0x770f72a709d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#54 0x770f729cafc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:367:3
#55 0x770f729cafc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:349:3
#56 0x770f778e4428 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#57 0x770f779b08f4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#58 0x770f788db9cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:20
#59 0x770f72a71884 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#60 0x770f729cafc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:367:3
#61 0x770f729cafc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:349:3
#62 0x770f788dacc5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:595:34
#63 0x63939cfd7d0f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Comment 1•2 months ago
Verified bug as reproducible on mozilla-central 20250818213914-658cb05d36b5.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: c59d951eb773cc6fb430bd008d6d2a091a85ad94 (20240820035734)
End: fb8a961955b61886ef0804635cd6b67044467036 (20250628205111)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Comment 2•2 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 content process crashes on beta
:dholbert, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 3•2 months ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Comment 5•2 months ago
The bug is marked as tracked for firefox143 (beta). However, the bug still isn't assigned and has low severity.
:fgriffith, could you please find an assignee and increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
Comment 6•2 months ago
(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #5)
> The bug is marked as tracked for firefox143 (beta). However, the bug still isn't assigned and has low severity.
No need to track this for 143 beta. This is a crash signature that's had similar volume on beta for a while (see bug 1793410 which is the umbrella bug for this signature), but it won't crash for release users. --> Resetting tracking flag.
Also: the "MOZ Crash Reason" field includes state-bits to help add some context about what was going on when we fail the assert. In this bug, the state bits are 15360 -- and looking at the crash volume, of the 290 crashes with this signature over the last 2 weeks, only 2 of them match this bug's 15360 state bits. The remaining 288 of them have 35184372088832 (which is bug 1889803).
--> This specific version of the signature is not a topcrash -- 2 crashes in 2 weeks (probably from testing this bug). (Bug 1889803 might arguably be a topcrash though?)
Comment 7•2 months ago
Note, 15360 is one of the values previously observed in-the-wild in bug 1793410 comment 14. As noted in that comment, 15360 is a bitmask which represents bits 10, 11, 12, 13 -- which mean VALID, INVALID, USER_VALID, and USER_INVALID.
From poking around in pernosco, it looks like this is in essentially the same situation that jfkthame described in bug 1889803 comment 2; we're destroying the text frame, and we assert that our validity-state-bits seem to be changing, as part of setting the attribute value during that process.
(Part of the reason the validity is changing is that DateTimeInputTypeBase::HasBadInput() has a catch-all early-return if there's no shadow-root inside our input element:
https://searchfox.org/firefox-main/rev/856a307913c2b73765b4e88d32cf15ed05549cae/dom/html/input/DateTimeInputTypes.cpp#74-77
...and we take that codepath here which makes us think that the input field has mysteriously become valid where it was previously invalid. But really it's just that our shadow root was destroyed as part of the teardown process here.)
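As an added triage helper (not part of this bug or of Gecko), the script below parses the state-bits value out of a "MOZ_CRASH(Element state change during style refresh (N))" reason string of the kind quoted in this report, decomposes it into bit positions, and names only the bits identified in comments 6 and 7 (bits 10 to 13); any other set bit, such as the one in the value attributed to bug 1889803, is reported by position alone because no other names are given here. The crash-reason strings it groups are constructed sample data, not crash-stats output.

```python
import re
from collections import Counter

# Bit positions named in this bug (via bug 1793410 comment 14) for the
# "Element state change during style refresh (N)" crash reason.
# Any other bit is reported by its position; no other name is assumed.
KNOWN_STATE_BITS = {10: "VALID", 11: "INVALID", 12: "USER_VALID", 13: "USER_INVALID"}

CRASH_REASON_RE = re.compile(r"Element state change during style refresh \((\d+)\)")


def parse_state_bits(reason: str):
    """Return the integer state-bits value from a MOZ_CRASH reason, or None."""
    m = CRASH_REASON_RE.search(reason)
    return int(m.group(1)) if m else None


def decode_state_bits(value: int):
    """Split a state-bits mask into the list of set bit positions, lowest first."""
    bits = []
    pos = 0
    while value:
        if value & 1:
            bits.append(pos)
        value >>= 1
        pos += 1
    return bits


def describe_state_bits(value: int) -> str:
    """Name each set bit where this bug names it; otherwise report the position."""
    return ", ".join(KNOWN_STATE_BITS.get(b, f"bit {b}") for b in decode_state_bits(value))


def group_by_state_bits(reasons):
    """Count crash reasons per state-bits value, so one crash signature can be
    split into its distinct variants (as comment 6 separates 15360 from
    35184372088832). Reasons that do not carry a state-bits value are skipped."""
    counts = Counter()
    for reason in reasons:
        value = parse_state_bits(reason)
        if value is not None:
            counts[value] += 1
    return dict(counts)


# Constructed sample of crash-reason strings (not real crash-stats data).
SAMPLE_REASONS = [
    "MOZ_CRASH(Element state change during style refresh (15360))",
    "MOZ_CRASH(Element state change during style refresh (35184372088832))",
    "MOZ_CRASH(Element state change during style refresh (35184372088832))",
    "MOZ_CRASH(some unrelated reason)",
]

if __name__ == "__main__":
    for value, n in sorted(group_by_state_bits(SAMPLE_REASONS).items()):
        print(f"{value}: {n} crash(es), bits set: {describe_state_bits(value)}")
```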
Comment 8•2 months ago
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on beta
- Top 10 content process crashes on beta
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit BugBot documentation.
Comment 9•2 months ago
Thanks BugBot...
(In reply to Daniel Holbert [:dholbert] from comment #6)
> [...] looking at the crash volume, of the 290 crashes with this signature over the last 2 weeks, only 2 of them match this bug's 15360 state bits. The remaining 288 of them have 35184372088832 (which is bug 1889803).
> --> This specific version of the signature is not a topcrash -- 2 crashes in 2 weeks (probably from testing this bug). (Bug 1889803 might arguably be a topcrash though?)
--> Moving topcrash marker to bug 1889803 to reflect reality; hopefully that keeps BugBot from adding it repeatedly here.
Comment 10•2 months ago
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on beta
- Top 10 content process crashes on beta
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit BugBot documentation.
Comment 11•2 months ago
(In reply to Daniel Holbert [:dholbert] from comment #9)
> --> Moving topcrash marker to bug 1889803 to reflect reality; hopefully that keeps BugBot from adding it repeatedly here.
(didn't work, per comment 10. Apparently bugbot marks all bugs-with-a-topcrash-signature as a topcrash, but it stops doing so if bugbot-itself has previously removed the topcrash signature, to avoid noise. So that's why it was adding topcrash here but not on bug 1889803; it wanted to add topcrash to bug 1889803, but it stopped itself because it's previously removed that status over there (bug 1889803 comment 14).)
Let's just dupe to bug 1889803 to avoid the bugbot back-and-forth and to avoid the misperception that we've got multiple distinct topcrashes. (These two bugs might have the same basic root cause, or distinct root causes; but in any case, only bug 1889803 is a topcrash, and when we fix it we can reopen this bug if the fix doesn't help with the testcase here.)
Comment 12•2 months ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 13•1 month ago
(In reply to Daniel Holbert [:dholbert] from comment #7)
> (Part of the reason the validity is changing is that DateTimeInputTypeBase::HasBadInput() has a catch-all early-return if there's no shadow-root inside our input element:
> https://searchfox.org/firefox-main/rev/856a307913c2b73765b4e88d32cf15ed05549cae/dom/html/input/DateTimeInputTypes.cpp#74-77
> ...and we take that codepath here which makes us think that the input field has mysteriously become valid where it was previously invalid. But really it's just that our shadow root was destroyed as part of the teardown process here.)
A bit more detail on this, regarding why our shadow-root was destroyed - I think that's because we take this path, where onchange() gets invoked for changes to the type attribute, with aDestroy defaulting to true:
https://searchfox.org/firefox-main/rev/66bb0c6d60554576b420b8e7138554c9edcdcc17/toolkit/content/widgets/datetimebox.js#51-61
That results in a call to this.teardown(); which calls this.shadowRoot.firstChild.remove();
I'm not entirely sure, but I suspect that (or something associated) is why DateTimeInputTypeBase::HasBadInput() is seeing a null shadow-root and taking the first early-return as a result.