Closed Bug 2031798 Opened 2 months ago Closed 2 months ago

Assertion failure: p->value() == aFrame->GetDepthInFrameTree(), at /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17

Categories

(Core :: Layout, defect)

defect

Tracking


VERIFIED FIXED
151 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- wontfix
firefox149 --- unaffected
firefox150 --- wontfix
firefox151 --- verified

People

(Reporter: tsmith, Assigned: hiro)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20260409-e5128e3c28db (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: p->value() == aFrame->GetDepthInFrameTree(), at /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17

#0 0x7fffebe88ebf in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:235:3
#1 0x7fffebe88ebf in mozilla::DepthOrderedFrameList::Add(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17:5
#2 0x7fffec0759dd in AddFrame /builds/worker/workspace/obj-build/dist/include/mozilla/layout/StickyScrollContainer.h:33:45
#3 0x7fffec0759dd in nsIFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1371:14
#4 0x7fffebfecc28 in nsBlockFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6730:21
#5 0x7fffec04c76e in nsIFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:754:3
#6 0x7fffebff1c8f in nsBlockFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:8163:21
#7 0x7fffebef799f in InitAndRestoreFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4401:14
#8 0x7fffebef799f in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10053:5
#9 0x7fffebefb930 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4388:3
#10 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#11 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#12 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#13 0x7fffebefe201 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10488:3
#14 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#15 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#16 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#17 0x7fffebefe201 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10488:3
#18 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#19 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#20 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#21 0x7fffebef3a26 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9224:3
#22 0x7fffebef7b8b in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10086:3
#23 0x7fffebefb930 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4388:3
#24 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#25 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#26 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#27 0x7fffebf045c2 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6534:3
#28 0x7fffebdf0f20 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1668:25
#29 0x7fffebdf889d in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3229:7
#30 0x7fffebdf90b1 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3328:3
#31 0x7fffebeabd8a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4489:37
#32 0x7fffebc4a2da in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1519:5
#33 0x7fffebc4a2da in mozilla::HTMLEditor::DoSplitNode(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5392:16
#34 0x7fffebd2ef57 in mozilla::SplitNodeTransaction::DoTransactionInternal(mozilla::HTMLEditor&, nsIContent&, nsIContent&, unsigned int) /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:142:67
#35 0x7fffebd2e6e9 in mozilla::SplitNodeTransaction::DoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:116:55
#36 0x7fffebd833cf in DoTransaction /builds/worker/checkouts/gecko/editor/txmgr/TransactionItem.cpp:79:30
#37 0x7fffebd833cf in mozilla::TransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:431:34
#38 0x7fffebd831d8 in mozilla::TransactionManager::DoTransaction(nsITransaction*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:72:17
#39 0x7fffebb7a6e3 in mozilla::EditorBase::DoTransactionInternal(nsITransaction*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:947:41
#40 0x7fffebbfb9cb in mozilla::HTMLEditor::SplitNodeWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5107:17
#41 0x7fffebc02457 in mozilla::HTMLEditor::SplitNodeDeepWithTransaction(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5189:11
#42 0x7fffebc222d2 in mozilla::HTMLEditor::SplitInlineAncestorsAtRangeBoundaries(mozilla::RangeItem&, mozilla::BlockInlineCheck, mozilla::dom::Element const&, nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:7704:9
#43 0x7fffebb7281c in mozilla::AutoClonedRangeArray::SplitTextAtEndBoundariesAndInlineAncestorsAtBothBoundaries(mozilla::HTMLEditor&, mozilla::BlockInlineCheck, mozilla::dom::Element const&, nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.cpp:926:21
#44 0x7fffebbf4880 in mozilla::HTMLEditor::AutoListElementCreator::SplitAtRangeEdgesAndCollectContentNodesToMoveIntoList(mozilla::HTMLEditor&, mozilla::AutoClonedRangeArray&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&, nsTArray<mozilla::OwningNonNull<nsIContent>>&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3252:22
#45 0x7fffebbf3dd8 in mozilla::HTMLEditor::AutoListElementCreator::Run(mozilla::HTMLEditor&, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3157:17
#46 0x7fffebbf2c85 in mozilla::HTMLEditor::MakeOrChangeListAndListItemAsSubAction(nsStaticAtom const&, nsTSubstring<char16_t> const&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3125:59
#47 0x7fffebc3fd73 in mozilla::HTMLEditor::MakeOrChangeListAsAction(nsStaticAtom const&, nsTSubstring<char16_t> const&, mozilla::HTMLEditor::SelectAllOfCurrentList, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2716:7
#48 0x7fffebc53789 in mozilla::ListCommand::ToggleState(nsStaticAtom&, mozilla::HTMLEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:264:20
#49 0x7fffebc518dc in mozilla::StateUpdatingCommandBase::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:75:17
#50 0x7fffe7cfb886 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5851:37
#51 0x7fffe8ffdb83 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4664:36
#52 0x7fffe920e316 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3384:13
#53 0x7fffede427f4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:488:13
#54 0x7fffede4209f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:12
#55 0x7fffede52c66 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:10
#56 0x7fffede52c66 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3270:16
#57 0x7fffede4171a in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#58 0x7fffede420c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:616:13

Verified bug as reproducible on mozilla-central 20260414211344-facf11f6cdea.
The bug appears to have been introduced in the following build range:

Start: 158c6bfebb106ae42d5d4e3412e0d41f3865a079 (20260408050235)
End: 31e469718fa150c37a961de80f0015898a285563 (20260408083822)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=158c6bfebb106ae42d5d4e3412e0d41f3865a079&tochange=31e469718fa150c37a961de80f0015898a285563

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:hiro, since you are the author of the regressor, bug 2027261, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(hikezoe.birchill)

Boolean parameters are opaque at call sites. AllowCounters::Yes/No makes
the intent clear without consulting the function signature.

Assignee: nobody → hikezoe.birchill
Status: NEW → ASSIGNED

DidSetComputedStyle(nullptr) fires during InitAndRestoreFrame before IB-split
bits are set, so IsFirstContinuationOrIBSplitSibling incorrectly returns true
for non-first IB-split siblings, causing them to be added to
StickyScrollContainer. When later destroyed without being removed, these stale
entries trigger an assertion when new frames are allocated at the same address.

Since SSC registration requires correct IB-split information, move it out of
DidSetComputedStyle(nullptr) and into InitAndRestoreFrame where it runs after
Init but can be suppressed via StickyRegistration::Suppress. CreateIBSiblings
passes Suppress for blockFrame and inlineFrame since those are non-first
IB-split siblings and must not be registered with SSC; only aInitialInline
(the first IB-split sibling) is correctly registered via its own
InitAndRestoreFrame call before CreateIBSiblings runs. All other callers use
the default Register behavior.
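The failure mode described in the commit message above, a raw-pointer registry that keeps an entry for a frame after the frame has been destroyed, is worth seeing in isolation. The following is an added illustration written for this page, not Gecko code: `Frame`, `DepthRegistry` and the two scenario functions are invented names, the registry only models the depth-consistency check behind the assertion (it returns false where the real code asserts), and placement new into a single fixed slot is used to force the address reuse that in the real bug depends on the allocator handing back the same address.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <new>

// Toy model of a frame that knows its depth in a frame tree.  This is an
// added illustration, not Gecko code; Frame, DepthRegistry and the scenario
// functions below are invented for the example.
struct Frame {
  uint32_t depth;
  explicit Frame(uint32_t d) : depth(d) {}
};

// A registry keyed by raw frame address that caches each frame's depth at
// registration time, the way a depth-ordered list would.
class DepthRegistry {
 public:
  // Models the consistency check behind the assertion in the bug: if the
  // address is already registered, the cached depth must still match the
  // frame's actual depth.  Returns false instead of asserting so the
  // scenarios below can report the outcome.
  bool Add(Frame* f) {
    auto it = entries_.find(f);
    if (it != entries_.end()) {
      return it->second == f->depth;
    }
    entries_.emplace(f, f->depth);
    return true;
  }
  void Remove(Frame* f) { entries_.erase(f); }
  std::size_t Size() const { return entries_.size(); }

 private:
  std::map<Frame*, uint32_t> entries_;
};

// Scenario 1: the frame is registered during construction, then destroyed
// without being deregistered.  A later frame constructed at the same address
// (forced here with placement new into one fixed slot) finds the stale entry
// carrying the old depth, which is exactly what the assertion catches.
bool StaleEntryScenario() {
  DepthRegistry registry;
  alignas(Frame) unsigned char slot[sizeof(Frame)];

  Frame* first = new (slot) Frame(3);
  registry.Add(first);  // registered at depth 3
  first->~Frame();      // destroyed, but never removed from the registry

  Frame* second = new (slot) Frame(1);  // same address, different depth
  bool consistent = registry.Add(second);  // false: stale entry says depth 3
  second->~Frame();
  return consistent;
}

// Scenario 2: registration and deregistration are paired with the frame's
// lifetime, so the registry never outlives the object it points at and the
// address can be reused safely.
bool PairedLifetimeScenario() {
  DepthRegistry registry;
  alignas(Frame) unsigned char slot[sizeof(Frame)];

  Frame* first = new (slot) Frame(3);
  registry.Add(first);
  registry.Remove(first);  // deregister before the object goes away
  first->~Frame();

  Frame* second = new (slot) Frame(1);
  bool consistent = registry.Add(second);  // true: no stale entry
  second->~Frame();
  return consistent && registry.Size() == 1;
}

int main() {
  std::printf("stale entry scenario consistent: %s\n",
              StaleEntryScenario() ? "yes" : "no");
  std::printf("paired lifetime scenario consistent: %s\n",
              PairedLifetimeScenario() ? "yes" : "no");
  return 0;
}
```

The point of the second scenario is the invariant the fix restores: whichever object is responsible for putting a frame into the container must also be the one that takes it out, on the same code path that governs the frame's lifetime. Registering from a hook that fires before the frame's identity (here, its IB-split role) is known breaks that pairing, and the dangling entry only surfaces later, when an unrelated allocation lands on the reused address.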

Attachment #9570455 - Attachment description: Bug 2031798 - Register sticky frames with StickyScrollContainer in frame construction rather than in DidSetComputedStyle. r?#layout-reviewers → Bug 2031798 - Register/deregister sticky frames with StickyScrollContainer only for the primary frame. r?#layout-reviewers

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/59309 for changes under testing/web-platform/tests

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch

Upstream PR merged by moz-wptsync-bot

Flags: needinfo?(hikezoe.birchill) → in-testsuite+

Is this something we should nominate for Release 150 and ESR140 uplift? Go ahead and do so if yes.

Flags: needinfo?(hikezoe.birchill)

Verified bug as fixed on rev mozilla-central 20260417094322-22fffa2cfadb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(hikezoe.birchill)
