Closed
Bug 1782071
Opened 2 years ago
Closed 2 years ago
Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /layout/base/nsCSSFrameConstructor.cpp:4102
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
105 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox103 | --- | wontfix |
| firefox104 | --- | wontfix |
| firefox105 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 7a144cb09b52 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7a144cb09b52 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: cachedStyles[i]->EqualForCachedAnonymousContentStyle(*cs) (cached anonymous content styles should be identical to those we would compute normally), at /layout/base/nsCSSFrameConstructor.cpp:4102
==3285107==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5f77241a28 bp 0x7ffdf4c0ac60 sp 0x7ffdf4c0aba0 T3285107)
==3285107==The signal is caused by a WRITE memory access.
==3285107==Hint: address points to the zero page.
#0 0x7f5f77241a28 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /layout/base/nsCSSFrameConstructor.cpp:4099:9
#1 0x7f5f7723ba0a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /layout/base/nsCSSFrameConstructor.cpp:9721:3
#2 0x7f5f772467b2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3890:9
#3 0x7f5f7724ac56 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5767:3
#4 0x7f5f7723b305 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9629:5
#5 0x7f5f77240b8f in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) /layout/base/nsCSSFrameConstructor.cpp:4292:5
#6 0x7f5f7723ede8 in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) /layout/base/nsCSSFrameConstructor.cpp:2813:9
#7 0x7f5f7723d8ff in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /layout/base/nsCSSFrameConstructor.cpp:2374:3
#8 0x7f5f7724f6c7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:7068:9
#9 0x7f5f771f1965 in mozilla::PresShell::ContentInserted(nsIContent*) /layout/base/PresShell.cpp:4526:22
#10 0x7f5f73b9044b in operator() /dom/base/MutationObservers.cpp:184:3
#11 0x7f5f73b9044b in Notify<IsRemoval::No, ShouldAssert::Yes, (lambda at /dom/base/MutationObservers.cpp:184:3), (lambda at /dom/base/MutationObservers.cpp:184:3)> /dom/base/MutationObservers.cpp:97:5
#12 0x7f5f73b9044b in mozilla::dom::MutationObservers::NotifyContentInserted(nsINode*, nsIContent*) /dom/base/MutationObservers.cpp:185:3
#13 0x7f5f73d13a2f in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1603:7
#14 0x7f5f73a87a60 in mozilla::dom::Document::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) /dom/base/Document.cpp:7317:12
#15 0x7f5f73d1b442 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:2795:5
#16 0x7f5f7422fd97 in InsertBefore /builds/worker/workspace/obj-build/dist/include/nsINode.h:2049:12
#17 0x7f5f7422fd97 in mozilla::dom::Node_Binding::insertBefore(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:933:60
#18 0x7f5f750b332c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13
#19 0x7f5f7a5c1860 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
#20 0x7f5f7a5c10ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:505:12
#21 0x7f5f7a5b8577 in CallFromStack /js/src/vm/Interpreter.cpp:577:10
#22 0x7f5f7a5b8577 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
#23 0x7f5f7a5afa02 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
#24 0x7f5f7a5c0fb6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:537:13
#25 0x7f5f7a5c2588 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:604:8
#26 0x7f5f79276be1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#27 0x7f5f74dce7d9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#28 0x7f5f75629cf6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#29 0x7f5f75629a1d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
#30 0x7f5f7562a6c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1506:17
#31 0x7f5f7561f604 in HandleEvent /dom/events/EventListenerManager.h:395:5
#32 0x7f5f7561f604 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
#33 0x7f5f7561eb52 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
#34 0x7f5f756213f1 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
#35 0x7f5f77265623 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1083:7
#36 0x7f5f78862de4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6426:20
#37 0x7f5f7886289b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5818:7
#38 0x7f5f7886374f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
#39 0x7f5f72fb3b4c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
#40 0x7f5f72fb308a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
#41 0x7f5f72fb1341 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
#42 0x7f5f72fb2528 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
#43 0x7f5f788847bd in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13827:23
#44 0x7f5f722c77f0 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
#45 0x7f5f722c8d03 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
#46 0x7f5f73aa8a8d in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11676:18
#47 0x7f5f73a72fbf in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11614:9
#48 0x7f5f73a8f3b0 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8149:3
#49 0x7f5f73b4285b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#50 0x7f5f73b4285b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#51 0x7f5f73b4285b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#52 0x7f5f720be3e2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
#53 0x7f5f720f009e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#54 0x7f5f720c87c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#55 0x7f5f720c7353 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#56 0x7f5f720c75c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#57 0x7f5f720f38f6 in operator() /xpcom/threads/TaskController.cpp:187:37
#58 0x7f5f720f38f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#59 0x7f5f720dd20f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#60 0x7f5f720e381d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#61 0x7f5f72cb3f26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#62 0x7f5f72bd91e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#63 0x7f5f72bd90f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#64 0x7f5f72bd90f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#65 0x7f5f76e8b888 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#66 0x7f5f78fb6e9b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:887:20
#67 0x7f5f72cb4e1a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#68 0x7f5f72bd91e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#69 0x7f5f72bd90f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#70 0x7f5f72bd90f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#71 0x7f5f78fb64bc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:746:34
#72 0x558a15d49120 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x558a15d49120 in main /browser/app/nsBrowserApp.cpp:346:18
#74 0x7f5f88839082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#75 0x558a15d1eecc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ecc) (BuildId: a37b8cc815552de63d66f1eb3124d51cd433e0b8)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/base/nsCSSFrameConstructor.cpp:4099:9 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&)
==3285107==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220728093233-7a144cb09b52.
The bug appears to have been introduced in the following build range:
Start: 87e39a7da999bfa064f7acfcd4fa01f50f962d37 (20220530140717)
End: e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99 (20220530133109)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=87e39a7da999bfa064f7acfcd4fa01f50f962d37&tochange=e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
The severity field is not set for this bug.
:dshin, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dshin)
|
||
Comment 4•2 years ago
|
||
Looking at the range & the fact that removal of GC no longer reproducing the assertion makes me think bug 1352532 may be the culprit here, though I'm lacking knowledge there to be really able to tell.
:jonco, can you take a look?
Flags: needinfo?(dshin) → needinfo?(jcoppeard)
|
||
Comment 5•2 years ago
|
||
Strange, none of those data structures are GC allocated. From the assertion message I think bug 1381071 could be involved.
Flags: needinfo?(emilio)
|
Assignee | |
Comment 6•2 years ago
|
||
See comment. Not sure how easy to test this is in practice since it
involves nodes getting cc'd.
I tried to repro (not too hard) with a crashtest running
SpecialPowers.gc() but that didn't cut it, looks like.
|
||
Updated•2 years ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 7•2 years ago
|
||
Yes, this is a rather obscure edge case of the cache introduced in bug 1381071.
|
|
||
Comment 8•2 years ago
|
||
Set release status flags based on info from the regressing bug 1381071
status-firefox103:
--- → affected
status-firefox104:
--- → affected
status-firefox105:
--- → affected
status-firefox-esr102:
--- → unaffected
status-firefox-esr91:
--- → unaffected
|
||
Updated•2 years ago
|
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/029943fb30d0
Invalidate the undisplayed style cache on ContentRemoved. r=boris
|
||
Comment 10•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
|
|
||
Comment 11•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220818035341-f11d32415e9b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 12•2 years ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox104towontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(emilio)
You need to log in
before you can comment on or make changes to this bug.
Description
•