Assertion failure: p->value() == aFrame->GetDepthInFrameTree(), at /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17
Categories
(Core :: Layout, defect)
Tracking
| Version | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | wontfix |
| firefox149 | --- | unaffected |
| firefox150 | --- | wontfix |
| firefox151 | --- | verified |
People
(Reporter: tsmith, Assigned: hiro)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(3 files)
Found while fuzzing m-c 20260409-e5128e3c28db (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: p->value() == aFrame->GetDepthInFrameTree(), at /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17
#0 0x7fffebe88ebf in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:235:3
#1 0x7fffebe88ebf in mozilla::DepthOrderedFrameList::Add(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/DepthOrderedFrameList.cpp:17:5
#2 0x7fffec0759dd in AddFrame /builds/worker/workspace/obj-build/dist/include/mozilla/layout/StickyScrollContainer.h:33:45
#3 0x7fffec0759dd in nsIFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1371:14
#4 0x7fffebfecc28 in nsBlockFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6730:21
#5 0x7fffec04c76e in nsIFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:754:3
#6 0x7fffebff1c8f in nsBlockFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:8163:21
#7 0x7fffebef799f in InitAndRestoreFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4401:14
#8 0x7fffebef799f in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10053:5
#9 0x7fffebefb930 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4388:3
#10 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#11 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#12 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#13 0x7fffebefe201 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10488:3
#14 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#15 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#16 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#17 0x7fffebefe201 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10488:3
#18 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#19 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#20 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#21 0x7fffebef3a26 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9224:3
#22 0x7fffebef7b8b in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10086:3
#23 0x7fffebefb930 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4388:3
#24 0x7fffebefca09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3720:16
#25 0x7fffebf00b0f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:3
#26 0x7fffebef25e5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8931:5
#27 0x7fffebf045c2 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6534:3
#28 0x7fffebdf0f20 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1668:25
#29 0x7fffebdf889d in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3229:7
#30 0x7fffebdf90b1 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3328:3
#31 0x7fffebeabd8a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4489:37
#32 0x7fffebc4a2da in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1519:5
#33 0x7fffebc4a2da in mozilla::HTMLEditor::DoSplitNode(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5392:16
#34 0x7fffebd2ef57 in mozilla::SplitNodeTransaction::DoTransactionInternal(mozilla::HTMLEditor&, nsIContent&, nsIContent&, unsigned int) /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:142:67
#35 0x7fffebd2e6e9 in mozilla::SplitNodeTransaction::DoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:116:55
#36 0x7fffebd833cf in DoTransaction /builds/worker/checkouts/gecko/editor/txmgr/TransactionItem.cpp:79:30
#37 0x7fffebd833cf in mozilla::TransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:431:34
#38 0x7fffebd831d8 in mozilla::TransactionManager::DoTransaction(nsITransaction*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:72:17
#39 0x7fffebb7a6e3 in mozilla::EditorBase::DoTransactionInternal(nsITransaction*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:947:41
#40 0x7fffebbfb9cb in mozilla::HTMLEditor::SplitNodeWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5107:17
#41 0x7fffebc02457 in mozilla::HTMLEditor::SplitNodeDeepWithTransaction(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5189:11
#42 0x7fffebc222d2 in mozilla::HTMLEditor::SplitInlineAncestorsAtRangeBoundaries(mozilla::RangeItem&, mozilla::BlockInlineCheck, mozilla::dom::Element const&, nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:7704:9
#43 0x7fffebb7281c in mozilla::AutoClonedRangeArray::SplitTextAtEndBoundariesAndInlineAncestorsAtBothBoundaries(mozilla::HTMLEditor&, mozilla::BlockInlineCheck, mozilla::dom::Element const&, nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.cpp:926:21
#44 0x7fffebbf4880 in mozilla::HTMLEditor::AutoListElementCreator::SplitAtRangeEdgesAndCollectContentNodesToMoveIntoList(mozilla::HTMLEditor&, mozilla::AutoClonedRangeArray&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&, nsTArray<mozilla::OwningNonNull<nsIContent>>&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3252:22
#45 0x7fffebbf3dd8 in mozilla::HTMLEditor::AutoListElementCreator::Run(mozilla::HTMLEditor&, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3157:17
#46 0x7fffebbf2c85 in mozilla::HTMLEditor::MakeOrChangeListAndListItemAsSubAction(nsStaticAtom const&, nsTSubstring<char16_t> const&, mozilla::HTMLEditor::SelectAllOfCurrentList, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3125:59
#47 0x7fffebc3fd73 in mozilla::HTMLEditor::MakeOrChangeListAsAction(nsStaticAtom const&, nsTSubstring<char16_t> const&, mozilla::HTMLEditor::SelectAllOfCurrentList, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2716:7
#48 0x7fffebc53789 in mozilla::ListCommand::ToggleState(nsStaticAtom&, mozilla::HTMLEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:264:20
#49 0x7fffebc518dc in mozilla::StateUpdatingCommandBase::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:75:17
#50 0x7fffe7cfb886 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5851:37
#51 0x7fffe8ffdb83 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4664:36
#52 0x7fffe920e316 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3384:13
#53 0x7fffede427f4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:488:13
#54 0x7fffede4209f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:12
#55 0x7fffede52c66 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:10
#56 0x7fffede52c66 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3270:16
#57 0x7fffede4171a in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#58 0x7fffede420c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:616:13
Comment 1•2 months ago
Verified bug as reproducible on mozilla-central 20260414211344-facf11f6cdea.
The bug appears to have been introduced in the following build range:
Start: 158c6bfebb106ae42d5d4e3412e0d41f3865a079 (20260408050235)
End: 31e469718fa150c37a961de80f0015898a285563 (20260408083822)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=158c6bfebb106ae42d5d4e3412e0d41f3865a079&tochange=31e469718fa150c37a961de80f0015898a285563
Comment 2•2 months ago
:hiro, since you are the author of the regressor, bug 2027261, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 3•2 months ago
Boolean parameters are opaque at call sites. AllowCounters::Yes/No makes
the intent clear without consulting the function signature.
| Assignee | ||
Comment 4•2 months ago
DidSetComputedStyle(nullptr) fires during InitAndRestoreFrame before IB-split
bits are set, so IsFirstContinuationOrIBSplitSibling incorrectly returns true
for non-first IB-split siblings, causing them to be added to
StickyScrollContainer. When later destroyed without being removed, these stale
entries trigger an assertion when new frames are allocated at the same address.
Since SSC registration requires correct IB-split information, move it out of
DidSetComputedStyle(nullptr) and into InitAndRestoreFrame where it runs after
Init but can be suppressed via StickyRegistration::Suppress. CreateIBSiblings
passes Suppress for blockFrame and inlineFrame since those are non-first
IB-split siblings and must not be registered with SSC; only aInitialInline
(the first IB-split sibling) is correctly registered via its own
InitAndRestoreFrame call before CreateIBSiblings runs. All other callers use
the default Register behavior.
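A simplified model of the failure described in comment 4, added here as an illustration and not taken from the Gecko patch. `Frame`, `Registry`, `Destroy`, `InitAndRestore` and `ReuseAddress` are hypothetical stand-ins, and the rule that teardown skips unregistration for non-first IB-split siblings is an assumption made to reproduce the stale entry.

```cpp
#include <map>
#include <new>

enum class StickyRegistration { Register, Suppress };
enum class AddResult { Added, AlreadyPresent, StaleDepthMismatch };

struct Frame {
  int depth;
  bool nonFirstIBSplitSibling;  // only becomes true after init, as in the bug
};

// Stand-in for the depth-ordered list: frame address -> depth at registration.
class Registry {
  std::map<const Frame*, int> mDepths;
 public:
  AddResult Add(const Frame* f) {
    auto res = mDepths.emplace(f, f->depth);
    if (res.second) return AddResult::Added;
    // Same condition as the assertion: recorded depth must match the frame.
    return res.first->second == f->depth ? AddResult::AlreadyPresent
                                         : AddResult::StaleDepthMismatch;
  }
  void Remove(const Frame* f) { mDepths.erase(f); }
};

// Assumption: teardown only unregisters frames that qualify for registration.
void Destroy(Registry& reg, Frame* f) {
  if (!f->nonFirstIBSplitSibling) reg.Remove(f);
}

// legacy == true models registration firing inside init, where the caller
// cannot suppress it; legacy == false honours the caller's choice.
void InitAndRestore(Registry& reg, Frame* f, StickyRegistration mode, bool legacy) {
  if (legacy || mode == StickyRegistration::Register) reg.Add(f);
}

// Creates a non-first IB-split sibling, destroys it, then registers a new
// frame at the same address with a different depth.
AddResult ReuseAddress(bool legacy) {
  Registry reg;
  alignas(Frame) unsigned char slot[sizeof(Frame)];
  Frame* sibling = new (slot) Frame{3, false};
  InitAndRestore(reg, sibling, StickyRegistration::Suppress, legacy);
  sibling->nonFirstIBSplitSibling = true;  // split bits are set after init
  Destroy(reg, sibling);                   // legacy path leaves a stale entry
  Frame* fresh = new (slot) Frame{5, false};  // same address, new depth
  return reg.Add(fresh);
}

int main() { return ReuseAddress(true) == AddResult::StaleDepthMismatch ? 0 : 1; }
```

With `legacy` set, the second `Add` finds the destroyed frame's entry and reports the depth mismatch; with suppression honoured, the registry is empty and the new frame registers cleanly.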
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/59309 for changes under testing/web-platform/tests
Comment 7•2 months ago
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/2463bb3b2947
https://hg.mozilla.org/mozilla-central/rev/ac97bc3bb967
https://hg.mozilla.org/mozilla-central/rev/1f7ff1420866
Comment 8•2 months ago
| bugherder | ||
Upstream PR merged by moz-wptsync-bot
Comment 10•2 months ago
Is this something we should nominate for Release 150 and ESR140 uplift? Go ahead and do so if yes.
Comment 11•2 months ago
Verified bug as fixed on rev mozilla-central 20260417094322-22fffa2cfadb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.