Open Bug 2009729 Opened 1 day ago Updated 10 hours ago

Assertion failure: aKidFrame->HasAnchorPosReference(), at /layout/generic/AbsoluteContainingBlock.cpp:256

Categories

(Core :: Layout: Positioned, defect)

Product:
Core
Component:
Layout: Positioned
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
ASSIGNED
Tracking Flags:
Tracking Status
firefox-esr140 --- unaffected
firefox147 --- unaffected
firefox148 --- affected
firefox149 --- affected

People

(Reporter: jkratzer, Assigned: dshin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(4 files)

Testcase
1020 bytes, text/html
Details
Minimized Test Case
305 bytes, text/html
Details
Testcase that crashes before bug 2004495
350 bytes, text/html
Details
Bug 2009729: WIP: Ensure that we resolve fallback style with original style. r=emilio
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev ca4ebcf0db11 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build ca4ebcf0db11 --debug --fuzzing  -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>

Assertion failure: aKidFrame->HasAnchorPosReference(), at /layout/generic/AbsoluteContainingBlock.cpp:256

    ==1460810==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7da3fffb8411 bp 0x7fff4aa4ef40 sp 0x7fff4aa4ef00 T1460810)
    ==1460810==The signal is caused by a WRITE memory access.
    ==1460810==Hint: address points to the zero page.
        #0 0x7da3fffb8411 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x7da3fffb8411 in PopulateAnchorResolutionCache(nsIFrame const*, mozilla::AnchorPosReferenceData*) /layout/generic/AbsoluteContainingBlock.cpp:256:3
        #2 0x7da3fffbfae1 in AutoFallbackStyleSetter::AutoFallbackStyleSetter(nsIFrame*, mozilla::ComputedStyle*, mozilla::AnchorPosResolutionCache*, bool) /layout/generic/AbsoluteContainingBlock.cpp:1078:19
        #3 0x7da3fffb9973 in mozilla::AbsoluteContainingBlock::ReflowAbsoluteFrame(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsRect const&, mozilla::EnumSet<mozilla::AbsPosReflowFlag, unsigned char>, nsIFrame*, nsReflowStatus&, mozilla::OverflowAreas*, mozilla::AnchorPosResolutionCache*) /layout/generic/AbsoluteContainingBlock.cpp:1322:29
        #4 0x7da3fffb7858 in mozilla::AbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, mozilla::EnumSet<mozilla::AbsPosReflowFlag, unsigned char>, mozilla::OverflowAreas*) /layout/generic/AbsoluteContainingBlock.cpp:358:7
        #5 0x7da40001c585 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1709:26
        #6 0x7da40002e7a7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, mozilla::CollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /layout/generic/nsBlockReflowContext.cpp:291:11
        #7 0x7da40002a541 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /layout/generic/nsBlockFrame.cpp:4425:11
        #8 0x7da400027bc2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, GenericLineListIterator<nsLineLink, false>, bool*) /layout/generic/nsBlockFrame.cpp:3757:5
        #9 0x7da400020dbb in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /layout/generic/nsBlockFrame.cpp:3271:29
        #10 0x7da40001cea2 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /layout/generic/nsBlockFrame.cpp:1842:35
        #11 0x7da40001b870 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1486:9
        #12 0x7da4000574db in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:681:14
        #13 0x7da4000405ab in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:508:7
        #14 0x7da4000574db in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:681:14
        #15 0x7da3fffe84c8 in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/ScrollContainerFrame.cpp:914:3
        #16 0x7da3fffe8c14 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/ScrollContainerFrame.cpp:1024:3
        #17 0x7da3fffeb137 in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ScrollContainerFrame.cpp:1476:3
        #18 0x7da4000578b2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:717:14
        #19 0x7da4000153a3 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:422:7
        #20 0x7da3ffeee1de in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:10527:11
        #21 0x7da3fff14ed1 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:10657:22
        #22 0x7da3fff17c19 in DoFlushLayout /layout/base/PresShell.cpp:10699:10
        #23 0x7da3fff17c19 in mozilla::PresShell::UpdateAnchorPosLayout() /layout/base/PresShell.cpp:11494:3
        #24 0x7da3fffa4c3a in nsPresContext::UpdateContainerQueryStylesAndAnchorPosLayout() /layout/base/nsPresContext.cpp:1031:36
        #25 0x7da3ffe47fe3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/style/RestyleManager.cpp:3184:18
        #26 0x7da3ffe497d1 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/style/RestyleManager.cpp:3340:3
        #27 0x7da3ffef83f7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4471:37
        #28 0x7da3fbe1e7e5 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
        #29 0x7da3fbe1e7e5 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:11624:16
        #30 0x7da40035053f in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
        #31 0x7da40035053f in mozilla::dom::BrowsingContext::PreOrderWalkVoid(std::function<void (mozilla::dom::BrowsingContext*)> const&) /docshell/base/BrowsingContext.cpp:1315:3
        #32 0x7da3fbe52029 in PreOrderWalk<(lambda at /dom/base/Document.cpp:18863:23)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:627:7
        #33 0x7da3fbe52029 in FlushLayoutForWholeBrowsingContextTree /dom/base/Document.cpp:18863:10
        #34 0x7da3fbe52029 in mozilla::dom::Document::DetermineProximityToViewportAndNotifyResizeObservers() /dom/base/Document.cpp:18913:7
        #35 0x7da3ffebb4d4 in operator() /layout/base/nsRefreshDriver.cpp:2504:14
        #36 0x7da3ffebb4d4 in operator() /layout/base/nsRefreshDriver.cpp:1312:7
        #37 0x7da3ffebb4d4 in RunRenderingPhaseLegacy<(lambda at /layout/base/nsRefreshDriver.cpp:1291:35)> /layout/base/nsRefreshDriver.cpp:1284:3
        #38 0x7da3ffebb4d4 in void nsRefreshDriver::RunRenderingPhase<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_10&&, bool (*)(mozilla::dom::Document const&)) /layout/base/nsRefreshDriver.cpp:1291:3
        #39 0x7da3ffeb75d1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2500:3
        #40 0x7da3ffec0d71 in TickDriver /layout/base/nsRefreshDriver.cpp:366:13
        #41 0x7da3ffec0d71 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:344:7
        #42 0x7da3ffec0c70 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:360:5
        #43 0x7da3ffec0b1d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:950:5
        #44 0x7da3ffec00ba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:860:5
        #45 0x7da3ffebf5a6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:591:14
        #46 0x7da3ff267f9b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
        #47 0x7da3ff4eba09 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
        #48 0x7da3faa66fc2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5102:32
        #49 0x7da3faa0853e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1793:25
        #50 0x7da3faa05ac0 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1719:9
        #51 0x7da3faa064c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1508:3
        #52 0x7da3faa074a9 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1610:14
        #53 0x7da3f9dfdda7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
        #54 0x7da3f9df8724 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
        #55 0x7da3f9df73a7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
        #56 0x7da3f9df7825 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
        #57 0x7da3f9e04c89 in operator() /xpcom/threads/TaskController.cpp:336:37
        #58 0x7da3f9e04c89 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:549:5
        #59 0x7da3f9e16d03 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1164:16
        #60 0x7da3f9e1d5ff in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #61 0x7da3faa0dd83 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #62 0x7da3fa9670f1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #63 0x7da3fa9670f1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #64 0x7da3ffab8958 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:152:27
        #65 0x7da3ffb85294 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:555:33
        #66 0x7da400bce8db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:656:20
        #67 0x7da3faa0ec74 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #68 0x7da3fa9670f1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #69 0x7da3fa9670f1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #70 0x7da400bce031 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:594:34
        #71 0x639c9f6bd09c in main /browser/app/nsBrowserApp.cpp:465:22
        #72 0x7da40b1cf1c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #73 0x7da40b1cf28a in __libc_start_main ./csu/../csu/libc-start.c:360:3
        #74 0x639c9f690ef8 in _start ??:0:0
    
    ==1460810==Register values:
    rax = 0x0000000000000000  rbx = 0x00007fff4aa4f020  rcx = 0x0000000000000100  rdx = 0x00007da40b3a9563
    rdi = 0x00007da40b3aa700  rsi = 0x0000000000000000  rbp = 0x00007fff4aa4ef40  rsp = 0x00007fff4aa4ef00
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000002  r11 = 0x0000000000000293
    r12 = 0x00007da3f5d5d8ed  r13 = 0x00007fff4aa4f750  r14 = 0x0000639cd1573890  r15 = 0x0000639cd15fb168
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20260112094656-fuzzing-debug/libxul.so+0xac01411) (BuildId: a641487e9cf2878742bbe18be55ea747e2920997)
    ==1460810==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20260112135943-8c00e8a44e20.
The bug appears to have been introduced in the following build range:

Start: 112153807f3e5ab6a27a4fc28d35a11eaeb50575 (20251222211314)
End: b1427f42c11e3460a0459e15e315008e68cc2c6b (20251222210353)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=112153807f3e5ab6a27a4fc28d35a11eaeb50575&tochange=b1427f42c11e3460a0459e15e315008e68cc2c6b

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

:dshin, since you are the author of the regressor, bug 2004495, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(dshin)
Attached file Minimized Test Case

At the time of the crash, the computed style indicates being static-positioned, for some reason...

Set release status flags based on info from the regressing bug 2004495

status-firefox147: --- → unaffected
status-firefox148: --- → affected
status-firefox149: --- → affected
status-firefox-esr140: --- → unaffected

Ah, came up with a testcase that goes further back, it points at Bug 2006804.
No fallback fits in the containing block - middle option refers to a position-try rule that does not exist.
It seems that the resolved style for the last fallback at index 2 has position: static and position-anchor: none, and since the default anchor "changed," it tries to fill the anchor positioning cache.

I think the rule tree somehow ended up in a bad state, such that the [abs] style no longer is part of the cascade.

One thing that is notable to me is that we're feeding the current fallback style while trying to resolve the next fallback style here.

Flags: needinfo?(dshin)
Regressed by: 2006804
No longer regressed by: 2004495
Assignee: nobody → dshin
Status: NEW → ASSIGNED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: