2007715 - Hit MOZ_CRASH(Element state change during style refresh (6291456)) at /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3374

Status: NEW

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20251028-ebd252259b1b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Element state change during style refresh (6291456)) at /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3374

#0 0x7b8df9c7ce54 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7b8df9c7ce54 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:375:3
#2 0x7b8df9c7ce54 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3372:5
#3 0x7b8df9d2c0c3 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4531:37
#4 0x7b8df5c489f0 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8822:3
#5 0x7b8df5ca73c3 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:426:10
#6 0x7b8df7c7e68a in ~AutoStateChangeNotifier /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:778:18
#7 0x7b8df7c7e68a in UpdateInRange /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:7470:1
#8 0x7b8df7c7e68a in UpdateRangeUnderflowValidityState /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6977:3
#9 0x7b8df7c7e68a in mozilla::dom::HTMLInputElement::UpdateAllValidityStatesButNotElementState() /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:7003:3
#10 0x7b8df7c7d6d4 in UpdateAllValidityStates /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6990:3
#11 0x7b8df7c7d6d4 in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:7175:3
#12 0x7b8df7cd6e46 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:210:12
#13 0x7b8df7cd6e46 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2658:47
#14 0x7b8df7cc05b9 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:291:12
#15 0x7b8df7cc05b9 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2428:26
#16 0x7b8df9fced82 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:128:25
#17 0x7b8df9e6a1ab in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7126:20
#18 0x7b8df9e69990 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6291:5
#19 0x7b8df9d89b2c in nsCSSFrameConstructor::ContentWillBeRemoved(nsIContent*, nsCSSFrameConstructor::RemovalKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7553:3
#20 0x7b8df9d8518c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8482:31
#21 0x7b8df9c73d94 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1672:25
#22 0x7b8df9c7b3ad in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3250:7
#23 0x7b8df9c7c621 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3340:3
#24 0x7b8df9d2b147 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4471:37
#25 0x7b8df5c8ea8d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
#26 0x7b8df5c8ea8d in mozilla::dom::Document::DetermineProximityToViewportAndNotifyResizeObservers() /builds/worker/checkouts/gecko/dom/base/Document.cpp:18890:11
#27 0x7b8df9cee0f4 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2504:14
#28 0x7b8df9cee0f4 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1312:7
#29 0x7b8df9cee0f4 in RunRenderingPhaseLegacy<(lambda at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1291:35)> /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1284:3
#30 0x7b8df9cee0f4 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10&&, bool (*)(mozilla::dom::Document const&)) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1291:3
#31 0x7b8df9cea1f1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2500:3
#32 0x7b8df9cf3991 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
#33 0x7b8df9cf3991 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
#34 0x7b8df9cf3890 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
#35 0x7b8df9cf373d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:950:5
#36 0x7b8df9cf2cda in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:860:5
#37 0x7b8df9cf21c6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
#38 0x7b8df909b5eb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#39 0x7b8df931e3f9 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#40 0x7b8df48a1c12 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5102:32
#41 0x7b8df484318e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1793:25
#42 0x7b8df4840710 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1719:9
#43 0x7b8df4841117 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1508:3
#44 0x7b8df48420f9 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1610:14
#45 0x7b8df3c402c7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#46 0x7b8df3c3ac44 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#47 0x7b8df3c398c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#48 0x7b8df3c39d45 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#49 0x7b8df3c47146 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#50 0x7b8df3c47146 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
#51 0x7b8df3c59223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1164:16
#52 0x7b8df3c5fb1f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#53 0x7b8df4848a17 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#54 0x7b8df47a2681 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#55 0x7b8df47a2681 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#56 0x7b8df98eac58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#57 0x7b8df99b8164 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
#58 0x7b8dfaa02cab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:20
#59 0x7b8df48498c4 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#60 0x7b8df47a2681 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#61 0x7b8df47a2681 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#62 0x7b8dfaa02401 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:594:34
#63 0x5dffa5b6ef1c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:465:22

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20251224210403-bd70d95c6560.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0156dcd4aad2d295618b4ce64957d99ce1857d7d (20241226093706)
End: ebd252259b1b0cb286e12edc2e14b9f483444920 (20251028215909)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Comment 2

[Mayank Bansal]

Got a crash from the testcase on the Nighty: https://crash-stats.mozilla.org/report/index/25a0337d-0bdf-476b-b5a4-1fdf10251225

Comment 3

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Comment 6

[Daniel Holbert [:dholbert]]

The numeric value in the assert here (6291456) is 2^21 + 2^22, which means the state-change here is about these two bits:

https://searchfox.org/firefox-main/rev/aee7c0f24f488cd7f5a835803b48dd0c0cb2fd5f/dom/base/rust/lib.rs#71-74

/// <https://html.spec.whatwg.org/multipage/#selector-in-range>
const INRANGE = 1 << 21;
/// <https://html.spec.whatwg.org/multipage/#selector-out-of-range>
const OUTOFRANGE = 1 << 22;

(That makes some sense with the testcase, which sets an input-number field to fractional value 0.26 and then sets a minimum value of 1 (which puts the value 0.26 out-of-range, of course.)

Comment 7

[Daniel Holbert [:dholbert]]

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #5)

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

Reviewing the recent crashes, basically all of them have a MOZ_CRASH_REASON with numeric value 35184372088832 which is not this bug here. It's the value mentioned in bug 1793410 comment 36 (noted as being the most frequent variant of this crash at that point too). That's bug 1889803. I'll move the topcrash annotation over there.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Comment 9

[Daniel Holbert [:dholbert]]

(bad bot, see comment 7)

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Comment 12

[Daniel Holbert [:dholbert]]

(Looks like there's no way to stop the bot from adding topcrash here, despite my notes in comment 7. I'll just leave things as they are for now. Anyone perusing our topcrashes and running across this bug, see comment 7; that points to the other bug which is the real topcras here.)

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Comment 14

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20251028215909-ebd252259b1b) but not with tip (mozilla-central 20260306215830-f82bb3867ea5.)

The bug appears to have been fixed in the following build range:

Start: e0e9052e852859976f50235e11bb919cb83d30ba (20260306041829)
End: 68ace92d6cbc3c389d744f5a802de8618d8bb7d6 (20260306071920)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0e9052e852859976f50235e11bb919cb83d30ba&tochange=68ace92d6cbc3c389d744f5a802de8618d8bb7d6

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 15

[Daniel Holbert [:dholbert]]

Similar to bug 1889803... Likely this was fixed by bug 1989331.

(grizzly-launched Firefox isn't working for me at the moment, and I can't reproduce the crash in a plain Firefox configuration [including before the patch landed] so I'll defer to Tyson to confirm bugbot's suspicion of this bug being fixed before closing this.)