Found while fuzzing m-c 20220826-9887a9dd3dd2 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Note: The test case uses window.printPreview().

Assertion failure: content->GetFlattenedTreeParentNodeForStyle() (Node not in the flattened tree still has a frame?), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4214

#0 0x7f5b991f8ffc in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4213:5
#1 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#2 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#3 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#4 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#5 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#6 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#7 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#8 0x7f5b991f8f67 in AssertFrameSubtreeIsSane(nsIFrame const&) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4219:7
#9 0x7f5b991c9392 in AssertFrameTreeIsSane /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4228:5
#10 0x7f5b991c9392 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4376:5
#11 0x7f5b9918e42c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2553:22
#12 0x7f5b99197240 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#13 0x7f5b99197240 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#14 0x7f5b99197143 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#15 0x7f5b99196e10 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896:5
#16 0x7f5b9919647a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:810:5
#17 0x7f5b99195e65 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:731:5
#18 0x7f5b99195a9a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#19 0x7f5b991956ac in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#20 0x7f5b9866f67b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#21 0x7f5b988f89a6 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#22 0x7f5b94be70b4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6326:32
#23 0x7f5b94b7b601 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1755:25
#24 0x7f5b94b78155 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1680:9
#25 0x7f5b94b78cf6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480:3
#26 0x7f5b94b7a081 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1578:14
#27 0x7f5b93fb18ae in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#28 0x7f5b93f89f59 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#29 0x7f5b93f88ae3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#30 0x7f5b93f88d53 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#31 0x7f5b93fb5106 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#32 0x7f5b93fb5106 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#33 0x7f5b93f9ea1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#34 0x7f5b93fa502d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#35 0x7f5b94b81086 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#36 0x7f5b94aa6767 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#37 0x7f5b94aa6672 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#38 0x7f5b94aa6672 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#39 0x7f5b98e55c68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#40 0x7f5b9af965ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#41 0x7f5b94b81f7a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#42 0x7f5b94aa6767 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#43 0x7f5b94aa6672 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#44 0x7f5b94aa6672 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#45 0x7f5b9af95ac3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#46 0x55ba49353429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x55ba49353429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#48 0x7f5bac7b2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#49 0x55ba493291cc in _start (/home/worker/builds/m-c-20220826092109-fuzzing-debug/firefox-bin+0x161cc) (BuildId: 0461921b3fe3c177684df926794113257df4de83)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220908213354-5caa044a10b8.
The bug appears to have been introduced in the following build range:

Start: e8c61e20953952b1c6727143e249656e9ef87cb2 (20211216135031)
End: 9896c12c490709e214030cd99f598e1ffa0076de (20211216153418)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e8c61e20953952b1c6727143e249656e9ef87cb2&tochange=9896c12c490709e214030cd99f598e1ffa0076de

A Pernosco session is available here: https://pernos.co/debug/SzN1_lmXICFqRR_7KgaHXQ/index.html

Given the print APIs in the testcase -- in the regression range, probably would have been a "regression" from:

697defcfbb465411f43de91a5af86d0227d851c2 Jonathan Watt — Bug 1745452 - Remove the print progress dialog code. r=mstriemer,bobowen,webdriver-reviewers

("regression" in quotes since presumably the underlying bug predated that change, but maybe was harder to trigger or required a different testcase.)

The main issue here is that we have a dynamic change request from the
embed load. That would usually not get honored, because we're printing.
But we call into ReconstructFrames() and flush style before asking to
reconstruct the document, which means that replicated fixed frames that
don't get properly cleaned-up.

This is not a correctness issue because we're about to reconstruct the
whole frame tree anyways, but the intermediate state is invalid and
caught by our assertions.

https://hg.mozilla.org/mozilla-central/rev/55fa2a57839c

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20220920033859-f7b2ae058d58. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Let me re-check, but the issue did repro for me locally before patch but doesn't after.

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:emilio, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Copying crash signatures from duplicate bugs.

Testcase crashes using the initial build (mozilla-central 20220826092109-9887a9dd3dd2) but not with tip (mozilla-central 20221105092350-4dfcb6e877c9.)

The bug appears to have been fixed in the following build range:

Start: 0f05a94dcbe33a2db2814e2e81aa3a19f4d20e19 (20220929062445)
End: a2601693650dcc94e7c3410f3fefc92f964cbcf9 (20220929093914)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0f05a94dcbe33a2db2814e2e81aa3a19f4d20e19&tochange=a2601693650dcc94e7c3410f3fefc92f964cbcf9

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Note, the URL in comment 12 renders with an empty pushlog, because the two referenced commits were part of the same push (a merge from autoland to mozilla-central).

Probably bugmon should've provided an autoland URL instead -- I assume its start/end commits there are from bisecting autoland builds.

Here's what that URL perhaps should look like:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0f05a94dcbe33a2db2814e2e81aa3a19f4d20e19&tochange=a2601693650dcc94e7c3410f3fefc92f964cbcf9

[ni=jkratzre as FYI about this bugmon issue]

(Though also: I don't know see anything in that autoland pushlog that would believably fix this fatal-assertion... The pushlog just contains some JS ESM-ification commits, an l10n bump, and a Wayland-specific tweak in GTK widget code to fix some flickering. None of that seems like it'd believably influence PresShell.cpp assertions. So the good/bad builds in comment 12 are probably wrong, too. Maybe there was an unrelated crash that was somehow fixed in that range?)

(In reply to Daniel Holbert [:dholbert] from comment #13)

Note, the URL in comment 12 renders with an empty pushlog, because the two referenced commits were part of the same push (a merge from autoland to mozilla-central).

Probably bugmon should've provided an autoland URL instead -- I assume its start/end commits there are from bisecting autoland builds.

Here's what that URL perhaps should look like:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0f05a94dcbe33a2db2814e2e81aa3a19f4d20e19&tochange=a2601693650dcc94e7c3410f3fefc92f964cbcf9

[ni=jkratzre as FYI about this bugmon issue]

So the problem here is that the testcase appears to be unreliable. It still reproduces for me on tip. I've made changes to bugmon to hopefully improve the reliability of these tests.

Testcase crashes using the initial build (mozilla-central 20220826092109-9887a9dd3dd2) but not with tip (mozilla-central 20221125214546-8b092cca2cab.)

Unable to bisect testcase (End build crashes!):

Start: 9887a9dd3dd25f318595ccc7796d7c0902ccd6da (20220826092109)
End: 8b092cca2cab001ed8d13fc83d17bdba39cffe0d (20221125214546)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Looks like the testcase here is unreliable but still reproduces on tip. I'm going to leave bugmon disabled for now.