Open Bug 2007941 Opened 3 months ago Updated 1 month ago

Assertion failure: mLazyAnchorPosAnchorChanges.IsEmpty(), at /layout/base/PresShell.cpp:11333

Categories

(Core :: Layout: Positioned, defect)

x86_64
Linux
defect

ASSIGNED
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox146 --- wontfix
firefox147 --- wontfix
firefox148 --- wontfix

People

(Reporter: jkratzer, Assigned: jwatt)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 0358d735bf48 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework pipx --upgrade
    $ python -m pipx ensurepath
    $ fuzzfetch --build 0358d735bf48 --debug --fuzzing -n firefox
    $ grizzly-replay-bugzilla ./firefox/firefox <bugid>

Assertion failure: mLazyAnchorPosAnchorChanges.IsEmpty(), at /layout/base/PresShell.cpp:11333

    ==157531==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x726fd29027eb bp 0x7fffb2b346c0 sp 0x7fffb2b346b0 T157531)
    ==157531==The signal is caused by a WRITE memory access.
    ==157531==Hint: address points to the zero page.
        #0 0x726fd29027eb in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x726fd29027eb in mozilla::PresShell::GetAnchorPosAnchor(nsAtom const*, nsIFrame const*) const /layout/base/PresShell.cpp:11333:3
        #2 0x726fd290146f in GetAnchorOf /layout/base/AnchorPositioningUtils.cpp:463:21
        #3 0x726fd290146f in mozilla::AnchorPositioningUtils::ResolveAnchorPosRect(nsIFrame const*, nsIFrame const*, nsAtom const*, bool, mozilla::AnchorPosResolutionCache*) /layout/base/AnchorPositioningUtils.cpp:548:24
        #4 0x726fd29e928c in PopulateAnchorResolutionCache(nsIFrame const*, mozilla::AnchorPosReferenceData*) /layout/generic/AbsoluteContainingBlock.cpp:239:34
        #5 0x726fd29e8222 in mozilla::AbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, mozilla::EnumSet<mozilla::AbsPosReflowFlag, unsigned char>, mozilla::OverflowAreas*) /layout/generic/AbsoluteContainingBlock.cpp:285:16
        #6 0x726fd2b574cc in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageContentFrame.cpp:159:12
        #7 0x726fd2a87eb2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:717:14
        #8 0x726fd2b59b9b in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /layout/generic/nsPageFrame.cpp:200:3
        #9 0x726fd2b5a748 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageFrame.cpp:222:13
        #10 0x726fd2a87adb in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:681:14
        #11 0x726fd29fd492 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/PrintedSheetFrame.cpp:168:5
        #12 0x726fd2a87eb2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:717:14
        #13 0x726fd2b5ef7b in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsPageSequenceFrame.cpp:367:5
        #14 0x726fd2a87adb in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:681:14
        #15 0x726fd2a711fb in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:508:7
        #16 0x726fd2a87adb in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:681:14
        #17 0x726fd2a19128 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/ScrollContainerFrame.cpp:912:3
        #18 0x726fd2a19874 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/ScrollContainerFrame.cpp:1022:3
        #19 0x726fd2a1bd97 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ScrollContainerFrame.cpp:1474:3
        #20 0x726fd2a87eb2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:717:14
        #21 0x726fd2a45fe3 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:422:7
        #22 0x726fd291dc0e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:10529:11
        #23 0x726fd2944951 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:10659:22
        #24 0x726fd2947689 in DoFlushLayout /layout/base/PresShell.cpp:10701:10
        #25 0x726fd2947689 in mozilla::PresShell::UpdateAnchorPosLayout() /layout/base/PresShell.cpp:11496:3
        #26 0x726fd29d5d1a in nsPresContext::UpdateContainerQueryStylesAndAnchorPosLayout() /layout/base/nsPresContext.cpp:1031:36
        #27 0x726fd2877bc3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/style/RestyleManager.cpp:3184:18
        #28 0x726fd28793b1 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/style/RestyleManager.cpp:3340:3
        #29 0x726fd2927e77 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4471:37
        #30 0x726fd2d6bf67 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1517:5
        #31 0x726fd2d6bf67 in nsPrintJob::ReflowPrintObject(std::unique_ptr<nsPrintObject, std::default_delete<nsPrintObject>> const&) /layout/printing/nsPrintJob.cpp:1380:14
        #32 0x726fd2d6b37d in nsPrintJob::ReflowDocList(std::unique_ptr<nsPrintObject, std::default_delete<nsPrintObject>> const&) /layout/printing/nsPrintJob.cpp:955:3
        #33 0x726fd2d68906 in nsPrintJob::InitPrintDocConstruction(bool) /layout/printing/nsPrintJob.cpp:996:5
        #34 0x726fd2d678a9 in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document&) /layout/printing/nsPrintJob.cpp:441:3
        #35 0x726fd2d68b76 in CommonPrint /layout/printing/nsPrintJob.cpp:329:17
        #36 0x726fd2d68b76 in nsPrintJob::PrintPreview(mozilla::dom::Document&, nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /layout/printing/nsPrintJob.cpp:462:17
        #37 0x726fd299c8ca in nsDocumentViewer::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /layout/base/nsDocumentViewer.cpp:2813:27
        #38 0x726fce6b9961 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, RefPtr<mozilla::dom::BrowsingContext>*, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5202:33
        #39 0x726fce67330f in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3853:3
        #40 0x726fcf7f217c in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:3672:59
        #41 0x726fcfd05875 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #42 0x726fd48a2994 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:490:13
        #43 0x726fd48a223f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #44 0x726fd48b2f22 in CallFromStack /js/src/vm/Interpreter.cpp:658:10
        #45 0x726fd48b2f22 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3272:16
        #46 0x726fd48a188a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:460:13
        #47 0x726fd48a2265 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:618:13
        #48 0x726fd48a363c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:685:8
        #49 0x726fd4ae615b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #50 0x726fcfbaa48a in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #51 0x726fd06174a2 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #52 0x726fd0616e82 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1282:43
        #53 0x726fd0618099 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1594:12
        #54 0x726fd0617981 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1499:35
        #55 0x726fd060c23e in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #56 0x726fd060c23e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #57 0x726fd060b90c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:605:16
        #58 0x726fd060e0c2 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1260:11
        #59 0x726fd2994d3a in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:994:7
        #60 0x726fd2e0c6c0 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6526:13
        #61 0x726fd2e0bbbf in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5847:7
        #62 0x726fd2e0d222 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:0:0
        #63 0x726fcd719c89 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1528:3
        #64 0x726fcd719442 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:1060:14
        #65 0x726fcd716f94 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:855:9
        #66 0x726fcd7187ea in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:722:5
        #67 0x726fd2e32f8f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:14828:23
        #68 0x726fccaa42af in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:656:22
        #69 0x726fccaa5456 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:540:10
        #70 0x726fce85e7dc in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:12495:18
        #71 0x726fce844506 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8719:3
        #72 0x726fce911565 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:18
        #73 0x726fce911565 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #74 0x726fce911565 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
        #75 0x726fce911565 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
        #76 0x726fce911565 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
        #77 0x726fce911565 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1081:12
        #78 0x726fce911565 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1132:13
        #79 0x726fcc83fd47 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
        #80 0x726fcc83a6c4 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
        #81 0x726fcc839347 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
        #82 0x726fcc8397c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
        #83 0x726fcc846bc6 in operator() /xpcom/threads/TaskController.cpp:333:37
        #84 0x726fcc846bc6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:549:5
        #85 0x726fcc858ca3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1164:16
        #86 0x726fcc85f59f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #87 0x726fcd4483d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #88 0x726fcd3a2041 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #89 0x726fcd3a2041 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #90 0x726fd24e7bb8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:152:27
        #91 0x726fd25b50c4 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:555:33
        #92 0x726fd35fff0b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:656:20
        #93 0x726fcd449284 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #94 0x726fcd3a2041 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #95 0x726fcd3a2041 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #96 0x726fd35ff661 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:594:34
        #97 0x5f002057bf1c in main /browser/app/nsBrowserApp.cpp:465:22
        #98 0x726fdda2a1c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #99 0x726fdda2a28a in __libc_start_main ./csu/../csu/libc-start.c:360:3
        #100 0x5f002054fed8 in _start ??:0:0
    
    ==157531==Register values:
    rax = 0x0000000000000000  rbx = 0x00007fffb2b34770  rcx = 0x0000000000002c45  rdx = 0x0000726fddc04563
    rdi = 0x0000726fddc05700  rsi = 0x0000000000000000  rbp = 0x00007fffb2b346c0  rsp = 0x00007fffb2b346b0
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000002  r11 = 0x0000000000000293
    r12 = 0x0000726fc8cc2e0c  r13 = 0x00005f0059c9f4a0  r14 = 0x0000726fc8cc2e0c  r15 = 0x00007fffb2b348b0
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20251229090453-fuzzing-debug/libxul.so+0xab027eb) (BuildId: 2461912ed9483e8127e840f4eaf68d858f6b008a)
    ==157531==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20251229213517-ea0aabc7aff5.
The bug appears to have been introduced in the following build range:

Start: 86320e5ee4856f6ff1cfbd59d8b2a3ea94e5ece5 (20251013121640)
End: 911d08181eff65ba9b8d0ae464986fd536cb286e (20251013131735)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=86320e5ee4856f6ff1cfbd59d8b2a3ea94e5ece5&tochange=911d08181eff65ba9b8d0ae464986fd536cb286e

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1924210

Set release status flags based on info from the regressing bug 1924210

:jari, since you are the author of the regressor, bug 1924210, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(jjalkanen)

Looks like this has to do with anchor positioning with fragmentation (printing in this case). That's known to not work entirely correctly right now.

This is a debug-only assert:
https://searchfox.org/firefox-main/rev/f9d8702e26624ab46a35bf6561a7c8143c6f246a/layout/base/PresShell.cpp#11329,11333

    nsIFrame* PresShell::GetAnchorPosAnchor(
    ...
      MOZ_ASSERT(mLazyAnchorPosAnchorChanges.IsEmpty());

I'm not sure offhand what the significance is of that assert failing, or what variety of badness might result from it failing. Looks like jari added that assertion in bug 1974382 [which I'm adding as a dependency, for reference]; so, hopefully jari can comment on this & help with assessing severity here.

Component: Layout → Layout: Positioned
Depends on: 1974382

This assert indicates that the frame tree is being modified and the algorithm to find an anchor may not work as intended (we can't yet traverse the tree to find the anchors in reverse tree order). After we are done with modifying the frame tree, we need to call MergeAnchorPosAnchors and only then populate the anchor resolution cache.

The algorithm to find an anchor starts from the leaves and moves up the tree, while the insertion of frames into the frame tree works in the opposite direction, so in general an anchor can't be determined on the fly, but it should work, for example, when all the involved anchors have different names, or when only a single anchor participates in the reflow. In the worst case, the wrong anchor is used when there are multiple anchors with the same name, or no anchor is found.

Flags: needinfo?(jjalkanen)
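
A toy model of the merge-before-lookup invariant described in the comment above, added here as an example; it is not Gecko code and does not come from anyone on this bug. `AnchorRegistry`, `AddLazily`, `Merge`, `LookupUnchecked`, the anchor names and the tree-order numbers are all hypothetical, and the per-name list is an assumed simplification of how anchors are tracked.

```cpp
// Toy model of a "merge before lookup" invariant. Not Gecko code: all names
// are hypothetical and the tree-order numbers are constructed sample values.
#include <algorithm>
#include <cassert>
#include <map>
#include <string>
#include <vector>

constexpr int kNoAnchor = -1;

class AnchorRegistry {
 public:
  // Record an anchor as it arrives during frame construction. Arrival order
  // need not match tree order, so a per-name list can be unsorted.
  void AddLazily(const std::string& name, int treeOrder) {
    mAnchors[name].push_back(treeOrder);
    mPendingChanges = true;
  }
  // Stand-in for the merge step: restore tree order in every list.
  void Merge() {
    for (auto& entry : mAnchors)
      std::sort(entry.second.begin(), entry.second.end());
    mPendingChanges = false;
  }
  bool HasPendingChanges() const { return mPendingChanges; }
  // Assumes sorted lists: scan from the back and return the last anchor that
  // precedes the positioned element. No guard against pending changes.
  int LookupUnchecked(const std::string& name, int positioned) const {
    auto it = mAnchors.find(name);
    if (it == mAnchors.end()) return kNoAnchor;
    for (auto r = it->second.rbegin(); r != it->second.rend(); ++r)
      if (*r < positioned) return *r;
    return kNoAnchor;
  }
  // Guarded lookup: the assert is debug-only, like the assertion in this report.
  int Lookup(const std::string& name, int positioned) const {
    assert(!HasPendingChanges() && "merge before resolving anchors");
    return LookupUnchecked(name, positioned);
  }
 private:
  std::map<std::string, std::vector<int>> mAnchors;
  bool mPendingChanges = false;
};

struct Result { int beforeMerge; int afterMerge; };

// Two anchors share one name and arrive out of tree order (20 before 10).
Result SameNameOutOfOrder() {
  AnchorRegistry reg;
  reg.AddLazily("--tip", 20);
  reg.AddLazily("--tip", 10);
  int early = reg.LookupUnchecked("--tip", 30);  // unsorted list: picks 10
  reg.Merge();
  return {early, reg.Lookup("--tip", 30)};       // tree order: picks 20
}

// Distinct names: each list holds one entry, so arrival order cannot matter.
Result DistinctNames() {
  AnchorRegistry reg;
  reg.AddLazily("--a", 20);
  reg.AddLazily("--b", 10);
  int early = reg.LookupUnchecked("--a", 30);
  reg.Merge();
  return {early, reg.Lookup("--a", 30)};
}

int main() {
  return SameNameOutOfOrder().beforeMerge == 10 && DistinctNames().beforeMerge == 20 ? 0 : 1;
}
```

Built with `-DNDEBUG`, the guard in `Lookup` compiles away, so a lookup issued before `Merge` returns the stale answer instead of stopping.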

Thanks!

(In reply to Jari Jalkanen [:jari] from comment #5)

> In the worst case, the wrong anchor is used when there are multiple anchors with the same name, or no anchor is found.

--> Sounds like this is at-worst a broken-layout type issue. Triaging as S3 (we can increase if we find any affected content, or if this turns out to be something the fuzzers are repeatedly tripping over).

Severity: -- → S3

Ting-Yu, would your work maybe help with this?

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][anchorpositioning:triage]
Whiteboard: [bugmon:bisected,confirmed][anchorpositioning:triage] → [bugmon:bisected,confirmed] [anchorpositioning:continuation]

(In reply to Jonathan Watt [:jwatt] from comment #7)

> Ting-Yu, would your work maybe help with this?

Unfortunately, nope. In my local debug build (Bug 1994346 + layout.abspos.fragmentainer-aware-positioning.enabled=true), the testcase still crashes after opening the print preview.

Assignee: nobody → mozmail
Status: NEW → ASSIGNED
Whiteboard: [bugmon:bisected,confirmed] [anchorpositioning:continuation] → [bugmon:bisected,confirmed]

This has also been detected via live site testing.

Blocks: crash-scout

Unable to reproduce bug 2007941 using build mozilla-central 20251229090453-0358d735bf48. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon