Open Bug 1995803 Opened 1 day ago Updated 7 minutes ago

Assertion failure: sf && sf->PresShell() && !sf->PresShell()->IsResolutionUpdated(), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:783

Categories

(Core :: Panning and Zooming, defect)

Unspecified
Android
defect

Tracking Status
firefox146 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing 20250822-fd9ad3129f48 (--enable-debug --enable-fuzzing)

This is currently one of our most frequently reported issues when fuzzing on Android.

Assertion failure: sf && sf->PresShell() && !sf->PresShell()->IsResolutionUpdated(), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:783

14|0|libxul.so|nsLayoutUtils::NotifyPaintSkipTransaction(unsigned long)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|782|0xd7
14|1|libxul.so|mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double, bool)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderLayerManager.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|425|0x688
14|2|libxul.so|mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|2300|0x6e6
14|3|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|3260|0x1bed
14|4|libxul.so|mozilla::PresShell::PaintInternal(nsIFrame*, mozilla::WindowRenderer*, mozilla::PaintInternalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|6734|0x4db
14|5|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|383|0x24d
14|6|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|318|0x23e
14|7|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|771|0xac
14|8|libxul.so|nsRefreshDriver::PaintIfNeeded()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|2639|0x47f
14|9|libxul.so|nsRefreshDriver::RunRenderingPhaseLegacy<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13&&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|1288|0x72
14|10|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|2557|0x8f8
14|11|libxul.so|mozilla::detail::RunnableFunction<nsRefreshDriver::FinishedWaitingForTransaction()::$_0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:28553dbd41b69719386bc09fe09d84c3de72daa4|550|0x36
14|12|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|705|0x17
14|13|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|1325|0x5b1
14|14|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|1148|0x57
14|15|libxul.so|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|641|0x65
14|16|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:28553dbd41b69719386bc09fe09d84c3de72daa4|550|0x16
14|17|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|1161|0x5aa
14|18|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|462|0x4f
14|19|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|85|0xc0
14|20|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:28553dbd41b69719386bc09fe09d84c3de72daa4|343|0x61
14|21|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|152|0x28
14|22|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|657|0x6b
14|23|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|235|0x3c
14|24|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:28553dbd41b69719386bc09fe09d84c3de72daa4|343|0x61
14|25|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|595|0x89b
14|26|libmozglue.so|Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun|hg:hg.mozilla.org/mozilla-central:mozglue/android/APKOpen.cpp:28553dbd41b69719386bc09fe09d84c3de72daa4|471|0x2f2
Flags: in-testsuite?
Component: Layout → Panning and Zooming

This assertion (in nsLayoutUtils::NotifyPaintSkipTransaction) was originally added in bug 1668966, here (with slightly different variable-spelling -- f rather than sf): https://hg-edge.mozilla.org/integration/autoland/rev/5380e007a12c

--> Adding bug 1668966 as a dependency, and classified as APZ. (Not sure if the failure goes back that far, but it's useful to have that connection at least.)

Depends on: 1668966

(In reply to Tyson Smith [:tsmith] from comment #0)

> This is currently one of our most frequently reported issues when fuzzing on Android.

Discussed this at today's APZ meeting. Given the impact on fuzzing, we're tracking this in FFXP-3354 (APZ 2025 H2 Maintenance Quick Fixes).

I can't repro the assertion. From adb logcat:

10-24 05:58:21.352  6521  6568 E Web Content: [JavaScript Error: "Content-Security-Policy: (Report-Only policy) The page’s settings would block an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'nonce-IUGKHsrSnQm1dEkPKaZOrOqKs8W3zW2oywRYbOO4AsAVwuw4' 'unsafe-inline'”. Consider using a hash ('sha256-uWIfdRJDaMcrF3URg6u0pM5C227cniiNPhZM1yPFUSk=') or a nonce." {file: "https://bug1995803.bmoattachments.org/attachment.cgi?id=9521742" line: 1}]
10-24 05:58:21.353  6521  6568 E Web Content: [JavaScript Error: "Content-Security-Policy: (Report-Only policy) The page’s settings would block an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'self' 'nonce-IUGKHsrSnQm1dEkPKaZOrOqKs8W3zW2oywRYbOO4AsAVwuw4' 'unsafe-inline'”. Consider using a hash ('sha256-5KYv+PUboo5h+0+YAtGRPbwv5d/QxzHslP4YGnUaxRw=') together with 'unsafe-hashes'.
10-24 05:58:21.353  6521  6568 E Web Content: Source: go()" {file: "https://bug1995803.bmoattachments.org/attachment.cgi?id=9521742" line: 0}]

Do we need to change some preferences?

With full-screen-api.allow-trusted-requests-only=false the message disappears. But I don't yet see the assertion. The rendering result looks broken though.
