Closed
Bug 2006998
Opened 2 months ago
Closed 1 month ago
Assertion failure: wm == outerWM (Shouldn't have to care about orthogonal writing-modes and such inside the control, except for the number spin-box which forces horizontal-tb), at /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:669
Categories
(Core :: Layout: Form Controls, defect)
Core
Layout: Form Controls
Tracking
()
VERIFIED
FIXED
148 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | fixed |
| firefox148 | --- | fixed |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(3 files)
Found while fuzzing m-c 20251218-6ba2c924f7fe (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: wm == outerWM (Shouldn't have to care about orthogonal writing-modes and such inside the control, except for the number spin-box which forces horizontal-tb), at /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:669
#0 0x7fd9ab8c2b07 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7fd9ab8c2b07 in nsTextControlFrame::ReflowTextControlChild(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, mozilla::ReflowOutput&, mozilla::LogicalSize const&, int&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:665:5
#2 0x7fd9ab8c1b2b in nsTextControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:613:7
#3 0x7fd9ab6dcfe2 in mozilla::AbsoluteContainingBlock::ReflowAbsoluteFrame(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsRect const&, mozilla::EnumSet<mozilla::AbsPosReflowFlag, unsigned char>, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*, mozilla::AnchorPosResolutionCache*) /builds/worker/checkouts/gecko/layout/generic/AbsoluteContainingBlock.cpp:1392:16
#4 0x7fd9ab6da238 in mozilla::AbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, mozilla::EnumSet<mozilla::AbsPosReflowFlag, unsigned char>, mozilla::OverflowAreas*) /builds/worker/checkouts/gecko/layout/generic/AbsoluteContainingBlock.cpp:332:7
#5 0x7fd9ab737a01 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:473:35
#6 0x7fd9ab60f35e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10529:11
#7 0x7fd9ab6360d1 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10659:22
#8 0x7fd9ab619682 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10701:10
#9 0x7fd9ab619682 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4481:9
#10 0x7fd9a758cb8d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
#11 0x7fd9a758cb8d in mozilla::dom::Document::DetermineProximityToViewportAndNotifyResizeObservers() /builds/worker/checkouts/gecko/dom/base/Document.cpp:18959:11
#12 0x7fd9ab5dc6a4 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2504:14
#13 0x7fd9ab5dc6a4 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1312:7
#14 0x7fd9ab5dc6a4 in RunRenderingPhaseLegacy<(lambda at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1291:35)> /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1284:3
#15 0x7fd9ab5dc6a4 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10&&, bool (*)(mozilla::dom::Document const&)) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1291:3
#16 0x7fd9ab5d87a1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2500:3
#17 0x7fd9ab5e1f41 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
#18 0x7fd9ab5e1f41 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
#19 0x7fd9ab5e1e40 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
#20 0x7fd9ab5e1ced in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:950:5
#21 0x7fd9ab5e128a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:860:5
#22 0x7fd9ab5e0776 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
#23 0x7fd9aa98bd7b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#24 0x7fd9aac0f359 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#25 0x7fd9a619b052 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
#26 0x7fd9a613b0ae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1793:25
#27 0x7fd9a6138630 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1719:9
#28 0x7fd9a6139037 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1508:3
#29 0x7fd9a613a019 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1610:14
#30 0x7fd9a5523287 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#31 0x7fd9a551dc04 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#32 0x7fd9a551c887 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#33 0x7fd9a551cd05 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#34 0x7fd9a552a169 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#35 0x7fd9a552a169 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
#36 0x7fd9a553c1e3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1164:16
#37 0x7fd9a5542adf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#38 0x7fd9a61408f3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#39 0x7fd9a6099d51 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#40 0x7fd9a6099d51 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#41 0x7fd9ab1da218 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#42 0x7fd9ab2a79e4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
#43 0x7fd9ac2f631b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:20
#44 0x7fd9a61417e4 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7fd9a6099d51 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#46 0x7fd9a6099d51 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#47 0x7fd9ac2f5a71 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:594:34
#48 0x61a9cdf0af1c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:465:22
Flags: in-testsuite?
|
||
Comment 1•2 months ago
|
||
Verified bug as reproducible on mozilla-central 20251218095601-5223c4218ee6.
The bug appears to have been introduced in the following build range:
Start: 6ebf351b075c115bf11de852000181fcc051069c (20251217221022)
End: 04ec3b143db3344c8719bbef030094fae0474a66 (20251217221229)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6ebf351b075c115bf11de852000181fcc051069c&tochange=04ec3b143db3344c8719bbef030094fae0474a66
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•2 months ago
|
||
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:emilio, since you are the author of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
||
Comment 3•2 months ago
|
||
Bug 2001722 looks like the regressor, the need-info for :emilio is still relevant
status-firefox146:
--- → unaffected
status-firefox147:
--- → unaffected
status-firefox-esr115:
--- → unaffected
status-firefox-esr140:
--- → unaffected
Regressed by: 2001722
|
Assignee | |
Updated•2 months ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 7•2 months ago
|
||
This prevents special frames from having unexpected children. This
technically avoids having ::backdrop on things like a full-screen
<input>, but that seems unlikely and consistent with
::before / ::after / ::marker.
|
||
Updated•2 months ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
||
Comment 8•2 months ago
|
||
Copying crash signatures from duplicate bugs.
Crash Signature: [@ nsHTMLFramesetFrame::ReflowPlaceChild]
Pushed by ealvarez@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/28d9e40f24df
https://hg.mozilla.org/integration/autoland/rev/78ff6950573a
Avoid creating ::backdrop pseudo-elements for leaf frames. r=layout-reviewers,firefox-style-system-reviewers,dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56888 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 11•1 month ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
|
|
||
Comment 12•1 month ago
|
||
Testcase crashes using the initial build (mozilla-central 20251218042736-6ba2c924f7fe) but not with tip (mozilla-central 20251220093050-78ff6950573a.)
The bug appears to have been fixed in the following build range:
Start: 32ada603e525d24b66b77b5e8b015b5f55719327 (20251219210634)
End: 78ff6950573acd95b1003549cfdd564f0a156a1d (20251220093050)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=32ada603e525d24b66b77b5e8b015b5f55719327&tochange=78ff6950573acd95b1003549cfdd564f0a156a1d
emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(emilio)
Keywords: bugmon
|
|
Assignee | |
Comment 13•1 month ago
|
||
Yeah, that's this bug :)
Status: RESOLVED → VERIFIED
Flags: needinfo?(emilio)
Upstream PR merged by moz-wptsync-bot
|
||
Updated•1 month ago
|
QA Whiteboard: [qa-triage-done-c149/b148]
|
|
Assignee | |
Comment 15•25 days ago
|
||
This prevents special frames from having unexpected children. This
technically avoids having ::backdrop on things like a full-screen
<input>, but that seems unlikely and consistent with
::before / ::after / ::marker.
Original Revision: https://phabricator.services.mozilla.com/D277188
|
|
||
Updated•25 days ago
|
Attachment #9539551 -
Flags: approval-mozilla-release?
|
|
||
Comment 16•25 days ago
|
||
firefox-release Uplift Approval Request
- User impact if declined: Interop improvements
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: medium
- Explanation of risk level: This is not generally the kind of stack that I would be comfortable uplifting, but the patches are covered by tests and most of them have been in beta for a while, which mitigates a bit the risk of regressions.
- String changes made/needed: none
- Is Android affected?: yes
|
|
||
Updated•15 days ago
|
Attachment #9539551 -
Flags: approval-mozilla-release? → approval-mozilla-release+
|
||
Updated•15 days ago
|
|
||
Comment 17•15 days ago
|
||
| uplift | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•