Assertion failure: aNewFrame->GetParent() == outOfFlowFrameList->mContainingBlock (Parent of the frame is not the containing block?), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1079
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox149 | --- | wontfix |
| firefox150 | --- | wontfix |
| firefox151 | --- | wontfix |
| firefox152 | --- | fixed |
| firefox153 | --- | verified |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(3 files)
Found while fuzzing m-c 20260210-80200c065fb1 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aNewFrame->GetParent() == outOfFlowFrameList->mContainingBlock (Parent of the frame is not the containing block?), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1079
#0 0x7fffec2de86b in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7fffec2de86b in nsFrameConstructorState::AddChild(nsIFrame*, nsFrameList&, nsIContent*, nsContainerFrame*, bool, bool, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:1078:5
#2 0x7fffec2e8d20 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10090:10
#3 0x7fffec2ecbd0 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4411:3
#4 0x7fffec2edc7b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3739:16
#5 0x7fffec2f1b7f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5377:3
#6 0x7fffec2e3885 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8964:5
#7 0x7fffec2e4cf6 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9258:3
#8 0x7fffec2ee1c9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3839:9
#9 0x7fffec2f1b7f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5377:3
#10 0x7fffec2e3885 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8964:5
#11 0x7fffec2f5630 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6552:3
#12 0x7fffec1e9464 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1672:25
#13 0x7fffec1f098d in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3196:7
#14 0x7fffec1f1c21 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3295:3
#15 0x7fffec29c89a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4487:37
#16 0x7fffe8194a35 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1535:5
#17 0x7fffe8194a35 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11628:16
#18 0x7fffec2c2dba in mozilla::GetFrameForNode(nsINode*, mozilla::GeometryNodeType, mozilla::dom::GeometryUtilsOptions const&) /builds/worker/checkouts/gecko/layout/base/GeometryUtils.cpp:54:10
#19 0x7fffec2c30b4 in GetFrameForGeometryNode /builds/worker/checkouts/gecko/layout/base/GeometryUtils.cpp:0:0
#20 0x7fffec2c30b4 in mozilla::GetFirstNonAnonymousFrameForGeometryNode(mozilla::dom::TextOrElementOrDocument const&, mozilla::dom::GeometryUtilsOptions const&) /builds/worker/checkouts/gecko/layout/base/GeometryUtils.cpp:128:21
#21 0x7fffec280f4c in mozilla::TransformPoints(nsINode*, mozilla::dom::TextOrElementOrDocument const&, unsigned int, mozilla::gfx::PointTyped<mozilla::CSSPixel, float>*, mozilla::dom::ConvertCoordinateOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/base/GeometryUtils.cpp:400:7
#22 0x7fffec281273 in mozilla::ConvertRectFromNode(nsINode*, mozilla::dom::DOMRectReadOnly&, mozilla::dom::TextOrElementOrDocument const&, mozilla::dom::ConvertCoordinateOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/base/GeometryUtils.cpp:473:3
#23 0x7fffe8456e4b in nsINode::ConvertRectFromNode(mozilla::dom::DOMRectReadOnly&, mozilla::dom::TextOrElementOrDocument const&, mozilla::dom::ConvertCoordinateOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1535:10
#24 0x7fffe8e9a697 in mozilla::dom::Text_Binding::convertRectFromNode(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./TextBinding.cpp:443:74
#25 0x7fffe965bba6 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3309:13
#26 0x7fffee21e244 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#27 0x7fffee21daef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#28 0x7fffed8279c3 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1698:10
|
||
Comment 1•2 months ago
|
||
Verified bug as reproducible on mozilla-central 20260320203203-9d9636476778.
The bug appears to have been introduced in the following build range:
Start: 5e2e0937d2b175d4c3d9c5f611f85c4ff957bc6b (20260210102756)
End: 012ebfd1eec96870acc52d551ca0adadd12f3e9b (20260210111333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5e2e0937d2b175d4c3d9c5f611f85c4ff957bc6b&tochange=012ebfd1eec96870acc52d551ca0adadd12f3e9b
|
||
Updated•2 months ago
|
|
||
Comment 2•2 months ago
|
||
:emilio, since you are the author of the regressor, bug 2015488, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Updated•2 months ago
|
|
Assignee | |
Updated•2 months ago
|
|
|
||
Comment 3•2 months ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
|
|
Assignee | |
Updated•2 months ago
|
|
||
Comment 5•2 months ago
|
||
S3 given it's a debug assertion, and release build is not crashing.
|
|
Assignee | |
Comment 6•2 months ago
|
||
I'm a bit confused, that pernosco session is from an old tree?
if (parentStyle->StyleDisplay()->mTopLayer == StyleTopLayer::Auto &&
!aContent->IsInNativeAnonymousSubtree() &&
!aPossiblyLeafFrame->BackdropUnsupported()) {
CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(),
*parentStyle, PseudoStyleType::Backdrop,
itemsToConstruct);
}
That code is no longer in the tree since bug 2015488 so quite a while ago... Jason do you know what's going on?
|
||
Comment 7•2 months ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #6)
I'm a bit confused, that pernosco session is from an old tree?
Bugmon records a pernosco session using the revision from comment 0. We could pull the pernosco session from tip but then the stack in comment 0 won't match. Alternatively, we could just include the revision and build ID used for the pernosco session in the comment.
I don't feel particularly strongly about either. What would your preference be?
|
|
Assignee | |
Comment 8•2 months ago
|
||
Hmm not sure, I guess I'm surprised to see such an old revision on a bug filed a week ago. Something closer to tip if it still repros would be great but just a reminder would do I guess :)
|
|
Assignee | |
Updated•2 months ago
|
|
||
Updated•1 month ago
|
|
|
||
Updated•14 days ago
|
|
|
Assignee | |
Comment 9•1 day ago
|
||
If our document is already fullscreen, we were bypassing the "fullscreen
element allowed" check, causing an <svg:text> element to become
fullscreen incorrectly.
|
||
Updated•1 day ago
|
|
|
Assignee | |
Updated•1 day ago
|
|
||
Comment 10•1 day ago
|
||
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/60230 for changes under testing/web-platform/tests
|
||
Comment 12•11 hours ago
|
||
| bugherder | ||
|
|
||
Comment 13•10 hours ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 15•8 hours ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox152towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 16•8 hours ago
|
||
If our document is already fullscreen, we were bypassing the "fullscreen
element allowed" check, causing an <svg:text> element to become
fullscreen incorrectly.
Original Revision: https://phabricator.services.mozilla.com/D302736
|
|
||
Updated•8 hours ago
|
|
|
||
Comment 17•8 hours ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined/Reason for urgency: Low risk stability fix.
- Code covered by automated testing?: yes
- Fix verified in Nightly?: yes
- Needs manual QE testing?: yes
- Steps to reproduce for manual QE testing: none
- Risk associated with taking this patch: low
- Explanation of risk level: Trivialish change to make the "already fullscreen" path consistent.
- String changes made/needed?: none
- Is Android affected?: yes
|
|
Assignee | |
Updated•8 hours ago
|
|
||
Updated•7 hours ago
|
|
|
||
Updated•7 hours ago
|
|
||
Updated•7 hours ago
|
|
|
||
Comment 18•7 hours ago
|
||
| uplift | ||
|
|
||
Comment 19•3 hours ago
|
||
Verified bug as fixed on rev mozilla-central 20260528090416-ee0e0aa2307f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•