Open Bug 1729589 Opened 3 years ago Updated 2 years ago

Assertion failure: IsAncestor(aOne, aTwo) || IsAncestor(aTwo, aOne), at src/layout/painting/nsDisplayList.h:270

Categories: Core :: Web Painting, defect, P3

Tracking Status
firefox93 --- affected
firefox94 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html (deleted)

Found while fuzzing m-c 20210820-fe930f350465 (--enable-debug --enable-fuzzing)

Assertion failure: IsAncestor(aOne, aTwo) || IsAncestor(aTwo, aOne), at src/layout/painting/nsDisplayList.h:270

#0 0x7f0c10377420 in PickAncestor src/layout/painting/nsDisplayList.h:270:5
#1 0x7f0c10377420 in ~AutoContainerASRTracker src/layout/painting/nsDisplayList.h:1323:40
#2 0x7f0c10377420 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4242:3
#3 0x7f0c10352e1d in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6929:13
#4 0x7f0c10351864 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7087:9
#5 0x7f0c103fd026 in nsIFrame::BuildDisplayListForSimpleChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&) src/layout/generic/nsIFrame.cpp:3956:11
#6 0x7f0c10375524 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4060:5
#7 0x7f0c103b9191 in mozilla::ScrollFrameHelper::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3977:15
#8 0x7f0c103fa443 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3425:5
#9 0x7f0c1037680d in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4236:12
#10 0x7f0c10352e1d in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6929:13
#11 0x7f0c10351864 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7087:9
#12 0x7f0c103fd026 in nsIFrame::BuildDisplayListForSimpleChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&) src/layout/generic/nsIFrame.cpp:3956:11
#13 0x7f0c10375524 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4060:5
#14 0x7f0c103b9191 in mozilla::ScrollFrameHelper::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3977:15
#15 0x7f0c103fd026 in nsIFrame::BuildDisplayListForSimpleChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&) src/layout/generic/nsIFrame.cpp:3956:11
#16 0x7f0c10375524 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4060:5
#17 0x7f0c10352e1d in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6929:13
#18 0x7f0c10351864 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7087:9
#19 0x7f0c103fa443 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3425:5
#20 0x7f0c1037680d in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4236:12
#21 0x7f0c10358128 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:610:5
#22 0x7f0c103fd026 in nsIFrame::BuildDisplayListForSimpleChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&) src/layout/generic/nsIFrame.cpp:3956:11
#23 0x7f0c10375524 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4060:5
#24 0x7f0c103b9191 in mozilla::ScrollFrameHelper::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3977:15
#25 0x7f0c103fd026 in nsIFrame::BuildDisplayListForSimpleChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&) src/layout/generic/nsIFrame.cpp:3956:11
#26 0x7f0c10375524 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4060:5
#27 0x7f0c1032809a in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:3
#28 0x7f0c103fa443 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3425:5
#29 0x7f0c10639120 in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) src/layout/painting/RetainedDisplayListBuilder.cpp:1447:34
#30 0x7f0c102ce485 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3342:40
#31 0x7f0c1024226a in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6363:5
#32 0x7f0c0feb204e in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:467:18
#33 0x7f0c0feb1b6b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:402:22
#34 0x7f0c0feb314f in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:980:5
#35 0x7f0c101ff3ea in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2546:11
#36 0x7f0c1020677a in TickDriver src/layout/base/nsRefreshDriver.cpp:353:13
#37 0x7f0c1020677a in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:331:7
#38 0x7f0c10206693 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:347:5
#39 0x7f0c10206560 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:782:5
#40 0x7f0c10205bfa in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:705:16
#41 0x7f0c10205515 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:622:7
#42 0x7f0c10204f99 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:543:9
#43 0x7f0c0f9cb276 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#44 0x7f0c0c5ecdb4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#45 0x7f0c0c3c11cc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
#46 0x7f0c0c04b6ff in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2039:25
#47 0x7f0c0c047fe1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1964:9
#48 0x7f0c0c049465 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1823:3
#49 0x7f0c0c04a0ad in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1851:14
#50 0x7f0c0b60d0ae in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:502:16
#51 0x7f0c0b5e837f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:805:26
#52 0x7f0c0b5e6fe8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:641:15
#53 0x7f0c0b5e7263 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:425:36
#54 0x7f0c0b610719 in operator() src/xpcom/threads/TaskController.cpp:138:37
#55 0x7f0c0b610719 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#56 0x7f0c0b5fbb5f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1148:16
#57 0x7f0c0b6028aa in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:466:10
#58 0x7f0c0c051524 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#59 0x7f0c0bf71b57 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#60 0x7f0c0bf71a62 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#61 0x7f0c0bf71a62 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#62 0x7f0c0ff03d18 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#63 0x7f0c11d86713 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:917:20
#64 0x7f0c0c05246a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#65 0x7f0c0bf71b57 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#66 0x7f0c0bf71a62 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#67 0x7f0c0bf71a62 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#68 0x7f0c11d85d4e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#69 0x55e5059d3ab6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#70 0x55e5059d3ab6 in main src/browser/app/nsBrowserApp.cpp:327:18
#71 0x7f0c20db40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#72 0x55e5059b08bc in _start (/home/user/workspace/browsers/m-c-20210907094849-fuzzing-debug/firefox-bin+0x158bc)
Flags: in-testsuite?

Test case has position: fixed and clip-path, so it is probably similar to the existing bugs we have open on various ASR-related asserts (those features being key in the testcases in those bugs as well).

A Pernosco session is available here: https://pernos.co/debug/A7zTkeNbSkjO_ufMTkiJwg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210908032417-a4d2ca53b2a4.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6cc2266faca2a2301c81f3442d6d893ad3fc9fdf (20200909093957)
End: fe930f350465cb4e75a3940f6f58fb5d85757914 (20210820213313)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210820213313-fe930f350465) but not with tip (mozilla-central 20211217212339-2c242fa34cb6).
The bug appears to have been fixed in the following build range:

Start: 8983594fcd225968de1df3f6338edb23e328cc6b (20211115174035)
End: 75c615b53e7b96334ee7e75f0224be36daf04595 (20211115215316)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=8983594fcd225968de1df3f6338edb23e328cc6b&tochange=75c615b53e7b96334ee7e75f0224be36daf04595
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Maybe

1a7d83ad692d43606caec1f2b177578a2b024eb3 Jeff Muizelaar — Bug 1711133. Draw nothing for unitialized filters. r=mstange

But if it's that, then I expect the underlying bug still exists; this testcase just doesn't trigger it, but minor changes to the testcase would trigger it again, and the fuzzers would find it again if they are configured to not ignore this assert.

Severity: -- → S3
Priority: -- → P3
