2004166 - Assertion failure: aNewAbsoluteContainingBlock->GetAbsoluteContainingBlock() (nsIFrame::Init() should've constructed AbsoluteContainingBlock in this case, since the frame is a continuation!)

Status: VERIFIED FIXED

(Core :: Layout: Positioned, defect)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20251125-25d9b1462c78 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aNewAbsoluteContainingBlock->GetAbsoluteContainingBlock() (nsIFrame::Init() should've constructed AbsoluteContainingBlock in this case, since the frame is a continuation!), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:875

#0 0x75d08ee19de8 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x75d08ee19de8 in nsFrameConstructorState::PushAbsoluteContainingBlock(nsContainerFrame*, nsIFrame*, nsFrameConstructorSaveState&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:872:7
#2 0x75d08ee1a3aa in nsFrameConstructorState::ReparentAbsoluteItems(nsContainerFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1006:5
#3 0x75d08ee28a3f in nsCSSFrameConstructor::CreateColumnSpanSiblings(nsFrameConstructorState&, nsContainerFrame*, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10842:16
#4 0x75d08ee2f46d in nsCSSFrameConstructor::CreateIBSiblings(nsFrameConstructorState&, nsContainerFrame*, bool, nsFrameList&, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11137:13
#5 0x75d08ee2bbdc in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:11062:3
#6 0x75d08ee2a1cb in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3782:16
#7 0x75d08ee2e11f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5413:3
#8 0x75d08ee1ff55 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9474:5
#9 0x75d08ee212c3 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9761:3
#10 0x75d08ee253bb in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10623:3
#11 0x75d08ee29110 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4454:3
#12 0x75d08ee2a1cb in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3782:16
#13 0x75d08ee2e11f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5413:3
#14 0x75d08ee1ff55 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9474:5
#15 0x75d08ee33fc5 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6562:3
#16 0x75d08ed23085 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1620:27
#17 0x75d08ed2a8d4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3287:7
#18 0x75d08ed2bd61 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3377:3
#19 0x75d08edd8ee7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4479:37
#20 0x75d08ad705fd in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
#21 0x75d08ad705fd in mozilla::dom::Document::DetermineProximityToViewportAndNotifyResizeObservers() /builds/worker/checkouts/gecko/dom/base/Document.cpp:18633:11
#22 0x75d08ed9c354 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2507:14
#23 0x75d08ed9c354 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1311:7
#24 0x75d08ed9c354 in RunRenderingPhaseLegacy<(lambda at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1290:35)> /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1283:3
#25 0x75d08ed9c354 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10&&, bool (*)(mozilla::dom::Document const&)) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1290:3
#26 0x75d08ed98331 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2503:3
#27 0x75d08eda1bf1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:365:13
#28 0x75d08eda1bf1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:343:7
#29 0x75d08eda1af0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:359:5
#30 0x75d08eda199d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:949:5
#31 0x75d08eda0f3a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:859:5
#32 0x75d08eda0426 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:590:14
#33 0x75d08e1573db in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#34 0x75d08e3d95a9 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#35 0x75d0899903a2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
#36 0x75d08993194e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1793:25
#37 0x75d08992eed0 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1719:9
#38 0x75d08992f8d7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1508:3
#39 0x75d0899308b9 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1610:14
#40 0x75d088d24d77 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#41 0x75d088d1f6f4 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#42 0x75d088d1e377 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#43 0x75d088d1e7f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#44 0x75d088d2bbf6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#45 0x75d088d2bbf6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
#46 0x75d088d3dcd3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1164:16
#47 0x75d088d445cf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#48 0x75d0899371d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#49 0x75d0898926e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#50 0x75d0898926e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#51 0x75d08e99dc58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#52 0x75d08ea6b564 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
#53 0x75d08faac83b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:20
#54 0x75d089938084 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#55 0x75d0898926e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#56 0x75d0898926e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#57 0x75d08faabf91 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:594:34
#58 0x565683a7ef5c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:465:22

Comment 1

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 2

[Mayank Bansal]

Got a very different crash signature from the testcase on nightly: https://crash-stats.mozilla.org/report/index/e9093663-0512-4d52-aa3e-811e00251205

Comment 3

[Ting-Yu Lin [:TYLin] (PST, UTC-7)]

The assertion is added in bug 1994083. I'll take a look.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1994083

Comment 5

[Ting-Yu Lin [:TYLin] (PST, UTC-7)]

Attachment: Bug 2004166 - Ensure a continuation is an abspos containing block in PushAbsoluteContainingBlock(). r?dholbert

Assume an ib-split -moz-block-inside-inline-wrapper is split by a column-span.
The wrapper before column-span might not be an absolute containing block if
it does not have any abspos children. In that case, nsIFrame::Init() won't
create an absolute containing block for the wrapper continuation after the
column-span.

This patch removes the assertions and properly sets up an absolute containing
block for the continuation when it needs one.

Comment 6

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20251205154040-927d777b0ff0.
The bug appears to have been introduced in the following build range:

Start: d9a70e57fd708c5dae01d8c7732073853984bf60 (20251124185727)
End: 95ed8ab23f3939bca3437acb008a33f7c4743646 (20251124222246)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d9a70e57fd708c5dae01d8c7732073853984bf60&tochange=95ed8ab23f3939bca3437acb008a33f7c4743646

Comment 7

[Pulsebot]

Pushed by aethanyc@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/854dfaf9a5f5
https://hg.mozilla.org/integration/autoland/rev/cf4ea2cf0c47
Ensure a continuation is an abspos containing block in PushAbsoluteContainingBlock(). r=dholbert,layout-reviewers

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56588 for changes under testing/web-platform/tests

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1994083

Comment 10

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/cf4ea2cf0c47

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20251209143057-7c6e6dc03dc0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 13

[Phabricator Automation]

firefox-beta Uplift Approval Request

• User impact if declined: If declined, Firefox crashes when loading the testcase on both debug and release builds.
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: The risk is low given the patch is small and it affects only webpages using multi-column, column-span, and abspos elements.
• String changes made/needed: N/A
• Is Android affected?: yes

Comment 14

[Ting-Yu Lin [:TYLin] (PST, UTC-7)]

Attachment: Bug 2004166 - Ensure a continuation is an abspos containing block in PushAbsoluteContainingBlock().

Assume an ib-split -moz-block-inside-inline-wrapper is split by a column-span.
The wrapper before column-span might not be an absolute containing block if
it does not have any abspos children. In that case, nsIFrame::Init() won't
create an absolute containing block for the wrapper continuation after the
column-span.

This patch removes the assertions and properly sets up an absolute containing
block for the continuation when it needs one.

Original Revision: https://phabricator.services.mozilla.com/D275275

Comment 15

[Pulsebot]

https://github.com/mozilla-firefox/firefox/commit/1f55b9d91a5e
https://hg.mozilla.org/releases/mozilla-beta/rev/58a883e3465b