Closed
Bug 1990582
Opened 4 months ago
Closed 4 months ago
Assertion failure: aFrame->HasAnyStateBits(NS_FRAME_CAPTURED_IN_VIEW_TRANSITION), at /dom/view-transitions/ViewTransition.cpp:356
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
VERIFIED
FIXED
145 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox143 | --- | unaffected |
| firefox144 | --- | wontfix |
| firefox145 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 7a0ce20629fc (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 7a0ce20629fc --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aFrame->HasAnyStateBits(NS_FRAME_CAPTURED_IN_VIEW_TRANSITION), at /dom/view-transitions/ViewTransition.cpp:356
==2657664==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x75056b1ba37e bp 0x7fff0deda170 sp 0x7fff0deda110 T2657664)
==2657664==The signal is caused by a WRITE memory access.
==2657664==Hint: address points to the zero page.
#0 0x75056b1ba37e in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x75056b1ba37e in mozilla::dom::ViewTransition::GetImageKeyForCapturedFrame(nsIFrame*, mozilla::layers::RenderRootStateManager*, mozilla::wr::IpcResourceUpdateQueue&) const /dom/view-transitions/ViewTransition.cpp:356:3
#2 0x75056bd20dac in operator() /layout/painting/nsDisplayList.cpp:5422:13
#3 0x75056bd20dac in mozilla::nsDisplayViewTransitionCapture::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.cpp:5417:14
#4 0x750566f5f9e4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1866:41
#5 0x750566f5e2fb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:2194:7
#6 0x75056bd20105 in CreateWebRenderCommandsNewClipListOption /layout/painting/nsDisplayList.cpp:4671:30
#7 0x75056bd20105 in CreateWebRenderCommands /layout/painting/nsDisplayList.h:5072:12
#8 0x75056bd20105 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /layout/painting/nsDisplayList.cpp:5345:22
#9 0x75056bd221e3 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.h:5585:12
#10 0x750566f5f9e4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1866:41
#11 0x750566f5e2fb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:2194:7
#12 0x750566f5c76e in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1787:5
#13 0x750566f918ad in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double, bool) /gfx/layers/wr/WebRenderLayerManager.cpp:388:30
#14 0x75056bd0f23b in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2308:18
#15 0x75056b9a87e8 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3254:9
#16 0x75056b92511d in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /layout/base/PresShell.cpp:6895:5
#17 0x75056b1c0c9a in mozilla::dom::ViewTransition::CaptureOldState() /dom/view-transitions/ViewTransition.cpp:1359:11
#18 0x75056b1bfdd4 in mozilla::dom::ViewTransition::Setup() /dom/view-transitions/ViewTransition.cpp:1429:25
#19 0x75056b1bfc00 in mozilla::dom::ViewTransition::PerformPendingOperations() /dom/view-transitions/ViewTransition.cpp:1081:14
#20 0x750567998b7c in mozilla::dom::Document::PerformPendingViewTransitionOperations() /dom/base/Document.cpp:18771:15
#21 0x75056b8e1de4 in operator() /layout/base/nsRefreshDriver.cpp:2541:29
#22 0x75056b8e1de4 in operator() /layout/base/nsRefreshDriver.cpp:1317:7
#23 0x75056b8e1de4 in RunRenderingPhaseLegacy<(lambda at /layout/base/nsRefreshDriver.cpp:1296:35)> /layout/base/nsRefreshDriver.cpp:1289:3
#24 0x75056b8e1de4 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_11>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_11&&, bool (*)(mozilla::dom::Document const&)) /layout/base/nsRefreshDriver.cpp:1296:3
#25 0x75056b8dda9a in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2538:3
#26 0x75056b8e72e1 in TickDriver /layout/base/nsRefreshDriver.cpp:371:13
#27 0x75056b8e72e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:349:7
#28 0x75056b8e71e0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:365:5
#29 0x75056b8e708d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:955:5
#30 0x75056b8e662a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:865:5
#31 0x75056b8e5b26 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:596:14
#32 0x75056acb97bb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
#33 0x75056af3a13d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#34 0x7505666afa42 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
#35 0x75056664fd1e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1797:25
#36 0x75056664d2a0 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1723:9
#37 0x75056664dca7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1512:3
#38 0x75056664ec89 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1614:14
#39 0x750565a5fd77 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
#40 0x750565a5a897 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
#41 0x750565a59547 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
#42 0x750565a599c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
#43 0x750565a662c6 in operator() /xpcom/threads/TaskController.cpp:333:37
#44 0x750565a662c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:549:5
#45 0x750565a785a3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1157:16
#46 0x750565a7ed4f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
#47 0x750566655497 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#48 0x7505665afdf1 in RunHandler /ipc/chromium/src/base/message_loop.cc:366:3
#49 0x7505665afdf1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:348:3
#50 0x75056b4ec728 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#51 0x75056b5b8194 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:471:33
#52 0x75056c5bf41b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:657:20
#53 0x750566656344 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#54 0x7505665afdf1 in RunHandler /ipc/chromium/src/base/message_loop.cc:366:3
#55 0x7505665afdf1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:348:3
#56 0x75056c5beb71 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:595:34
#57 0x62ff1665af9c in main /browser/app/nsBrowserApp.cpp:420:22
#58 0x7505769391c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#59 0x75057693928a in __libc_start_main ./csu/../csu/libc-start.c:360:3
#60 0x62ff1662e7d8 in _start ??:0:0
==2657664==Register values:
rax = 0x0000000000000000 rbx = 0x00007fff0dedb230 rcx = 0x0000000000000164 rdx = 0x0000750576b13563
rdi = 0x0000750576b14700 rsi = 0x0000000000000000 rbp = 0x00007fff0deda170 rsp = 0x00007fff0deda110
r8 = 0x0000000000000000 r9 = 0x0000000000000003 r10 = 0x0000000000000000 r11 = 0x0000000000000293
r12 = 0x000062ff47ef1a50 r13 = 0x000062ff47b41f30 r14 = 0x000062ff48024750 r15 = 0x000062ff47f3b4a0
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20250924094045-fuzzing-debug/libxul.so+0x9a7637e) (BuildId: 13a52bcabca4f771d3c4d9719716dbc923453aac)
==2657664==ABORTING
|
Reporter | |
Comment 1•4 months ago
|
||
|
|
Reporter | |
Updated•4 months ago
|
Attachment #9515414 -
Attachment filename: testcase.html.undefined → testcase.html
Attachment #9515414 -
Attachment mime type: text/plain → text/html
|
||
Comment 2•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20250924212023-c3628eec879d.
The bug appears to have been introduced in the following build range:
Start: d1265ccec53e31caee0f1b5fd1d8ee156890a6de (20250903154042)
End: c187cce86b2aa5ea106b2f5683b293c2a647a101 (20250903091143)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1265ccec53e31caee0f1b5fd1d8ee156890a6de&tochange=c187cce86b2aa5ea106b2f5683b293c2a647a101
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•4 months ago
|
||
Set release status flags based on info from the regressing bug 1985924
:emilio, since you are the author of the regressor, bug 1985924, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox143:
--- → unaffected
status-firefox144:
--- → affected
status-firefox145:
--- → affected
status-firefox-esr140:
--- → unaffected
Flags: needinfo?(emilio)
|
Assignee | |
Comment 4•4 months ago
|
||
Use the root element style frame (not primary frame) for style checks in
the root scroll frame.
This only makes a difference for display: table on the root, and is
needed because a lot of the checks that we do for filters, etc on the
root check IsRootElementStyleFrame(), so the checks are inconsistent
otherwise.
|
||
Updated•4 months ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/f813e8d0c6eb
https://hg.mozilla.org/integration/autoland/rev/e7245cd02538
Fix view transitions with table as the root element frame. r=jwatt
|
|
Assignee | |
Updated•4 months ago
|
Flags: needinfo?(emilio)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/55098 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 7•4 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 145 Branch
|
|
||
Comment 8•4 months ago
|
||
Verified bug as fixed on rev mozilla-central 20250926204708-c7991781a1dc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
|
||
Updated•4 months ago
|
Flags: in-testsuite+
|
|
||
Comment 10•4 months ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox144towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 11•4 months ago
|
||
It's pretty harmless / unlikely the correctness issue would come up in practice.
Flags: needinfo?(emilio)
You need to log in
before you can comment on or make changes to this bug.
Description
•