Closed Bug 1780650 Opened 2 years ago Closed 2 years ago

Assertion failure: aData.mLoader->GetDocument() (We only cache document-associated sheets), at src/layout/style/SharedStyleSheetCache.cpp:74

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

VERIFIED FIXED
105 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html (deleted)

Found while fuzzing m-c 20220623-d26536dbf462 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aData.mLoader->GetDocument() (We only cache document-associated sheets), at src/layout/style/SharedStyleSheetCache.cpp:74

#0 0x7fef217ffc8a in nsINode::AsContent() src/dom/base/nsINode.h:550:5
#1 0x7fef26797113 in nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::LocalAccessible*) src/accessible/base/nsAccessibilityService.cpp:1474:61
#2 0x7fef2678f079 in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::LocalAccessible*, bool*) src/accessible/base/nsAccessibilityService.cpp:1077:18
#3 0x7fef267bf4eb in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) src/accessible/generic/DocAccessible.cpp:2174:34
#4 0x7fef26776a58 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:856:18
#5 0x7fef24fc6ac2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2497:12
#6 0x7fef24fd0030 in TickDriver src/layout/base/nsRefreshDriver.cpp:375:13
#7 0x7fef24fd0030 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:353:7
#8 0x7fef24fcff33 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:369:5
#9 0x7fef24fcfc00 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:896:5
#10 0x7fef24fcf26a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:810:5
#11 0x7fef24fcec55 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:731:5
#12 0x7fef24fce88a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/layout/base/nsRefreshDriver.cpp:594:14
#13 0x7fef24fce49c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:551:9
#14 0x7fef244d0ccb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#15 0x7fef24752d36 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#16 0x7fef20baac44 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6085:32
#17 0x7fef20b3eb61 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1781:25
#18 0x7fef20b3b6b5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) src/ipc/glue/MessageChannel.cpp:1706:9
#19 0x7fef20b3c256 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1506:3
#20 0x7fef20b3d5e1 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1604:14
#21 0x7fef1ff854ee in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:475:16
#22 0x7fef1ff5fec3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:788:26
#23 0x7fef1ff5ea73 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:620:15
#24 0x7fef1ff5ece3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:398:36
#25 0x7fef1ff88ce9 in operator() src/xpcom/threads/TaskController.cpp:127:37
#26 0x7fef1ff88ce9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#27 0x7fef1ff7474f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
#28 0x7fef1ff7ad4d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#29 0x7fef20b44594 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#30 0x7fef20a6b7c7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#31 0x7fef20a6b6d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#32 0x7fef20a6b6d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#33 0x7fef24cad828 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#34 0x7fef26e0a85b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#35 0x7fef20b454da in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#36 0x7fef20a6b7c7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#37 0x7fef20a6b6d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#38 0x7fef20a6b6d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#39 0x7fef26e09e7c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#40 0x563e37bd7f70 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x563e37bd7f70 in main src/browser/app/nsBrowserApp.cpp:338:18
#42 0x7fef3d3d6c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
#43 0x563e37badd1c in _start (/home/twsmith/workspace/browsers/m-c-20220606154314-fuzzing-debug/firefox-bin+0x15d1c) (BuildId: 
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220721214008-675d5c0e4d1d.
The bug appears to have been introduced in the following build range:

Start: 0c294763bf35170c0983c7160c4641e46e3d99ca (20220217120859)
End: 78d918ef82ba7b067fa35cc9d2f524f5a2b34f5a (20220217162031)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0c294763bf35170c0983c7160c4641e46e3d99ca&tochange=78d918ef82ba7b067fa35cc9d2f524f5a2b34f5a

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

A Pernosco session is available here: https://pernos.co/debug/qpMT_FWqExIBLx78bD-YyA/index.html

(In reply to Bugmon [:jkratzer for issues] from comment #1)

> Bugmon Analysis
> Verified bug as reproducible on mozilla-central 20220721214008-675d5c0e4d1d.
> The bug appears to have been introduced in the following build range:
>
> Start: 0c294763bf35170c0983c7160c4641e46e3d99ca (20220217120859)
> End: 78d918ef82ba7b067fa35cc9d2f524f5a2b34f5a (20220217162031)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0c294763bf35170c0983c7160c4641e46e3d99ca&tochange=78d918ef82ba7b067fa35cc9d2f524f5a2b34f5a

It's hard for me to have an easy link of where this issue is a regression or which exact commit this issue regressed from in this pushlog.
https://hg.mozilla.org/integration/autoland/rev/15c3d4b61356373fa5a185024ed9ec483ffa56ba looks the most suspicious one to me, if I have to pick, but I am really not sure. Olli, what's your thought here? Thanks!

Flags: needinfo?(smaug)

Unfortunately the pernosco trace has expired. Waiting for it to be recreated.
(The stack trace and assertion don't quite match.)

But yes, if that is the regression range, about:blank change looks suspicious.
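The mismatch noted in the comment above (the assertion is in SharedStyleSheetCache.cpp, the reported stack is in accessibility code) can be checked mechanically when triaging fuzzer reports. The following is an added example, not part of the bug thread or of Bugmon/Grizzly; `triage`, its regexes and the `top` parameter are assumptions, and the sample is the assertion line plus the first five frames copied from comment 0.

```python
import re
from collections import Counter

# Sample input: assertion line and frames #0-#4 as posted in comment 0.
REPORT = """
Assertion failure: aData.mLoader->GetDocument() (We only cache document-associated sheets), at src/layout/style/SharedStyleSheetCache.cpp:74
#0 0x7fef217ffc8a in nsINode::AsContent() src/dom/base/nsINode.h:550:5
#1 0x7fef26797113 in nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::LocalAccessible*) src/accessible/base/nsAccessibilityService.cpp:1474:61
#2 0x7fef2678f079 in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::LocalAccessible*, bool*) src/accessible/base/nsAccessibilityService.cpp:1077:18
#3 0x7fef267bf4eb in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) src/accessible/generic/DocAccessible.cpp:2174:34
#4 0x7fef26776a58 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:856:18
"""

# "Assertion failure: <expr>, at <file>:<line>"
ASSERT_RE = re.compile(r"^Assertion failure: (?P<expr>.+), at (?P<file>[^\s:]+):(?P<line>\d+)$")
# "#N 0xADDR in <function, may contain spaces> <file>:<line>[:<col>]"
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?$"
)


def triage(report, top=5):
    """Report whether any of the top frames lies in the file that asserted."""
    assertion, frames = None, []
    for raw in report.splitlines():
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            assertion = (m["file"], int(m["line"]))
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m["idx"]), m["func"], m["file"]))
    if assertion is None:
        raise ValueError("no assertion line found")
    head = frames[:top]
    hits = [idx for idx, _, path in head if path == assertion[0]]
    dirs = Counter(path.rsplit("/", 1)[0] for _, _, path in head)
    return {
        "assert_at": assertion,
        "frames_in_asserting_file": hits,
        "consistent": bool(hits),  # False: stack likely belongs to another crash
        "top_dirs": dirs.most_common(),
    }


if __name__ == "__main__":
    print(triage(REPORT))
```

A report flagged as inconsistent is a cue to re-record the crash before trusting a bisection range derived from it.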

The new pernosco trace is ready. And indeed, the stack there is very different from comment 0.

(In reply to Hsin-Yi Tsai (Fx104 REO) [:hsinyi] from comment #5)

> The new pernosco trace is ready. And indeed, the stack there is very different from comment 0.

Looking into the pernosco trace, the stack and the assertion are more consistent in StyleSheetCache and Loader code.
Forwarding the NI to Emilio to see if the assertion rings any bell. And I am more unsure if the regression pushlog in comment 1 looks right.

Flags: needinfo?(smaug) → needinfo?(emilio)
Severity: -- → S3

The document might be gone already if unlinking / cc has happened.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c557baaf59be
Fix assert in SharedStyleSheetCache. r=boris
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220818035341-f11d32415e9b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Regressed by: 1736570

Set release status flags based on info from the regressing bug 1736570
