Testcase found while fuzzing mozilla-central rev 5eb81f0156a8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5eb81f0156a8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: child not in the childlist of its parent), at /layout/mathml/nsMathMLContainerFrame.cpp:1295

    ==10512==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe3aeea91d4 bp 0x7ffdf0840ef0 sp 0x7ffdf0840ea0 T10512)
    ==10512==The signal is caused by a WRITE memory access.
    ==10512==Hint: address points to the zero page.
        #0 0x7fe3aeea91d4 in GetInterFrameSpacingFor /layout/mathml/nsMathMLContainerFrame.cpp:1295:3
        #1 0x7fe3aeea91d4 in AddInterFrameSpacingToSize(mozilla::ReflowOutput&, nsMathMLContainerFrame*) /layout/mathml/nsMathMLContainerFrame.cpp:1308:11
        #2 0x7fe3aeea9f27 in nsMathMLContainerFrame::FixInterFrameSpacing(mozilla::ReflowOutput&) /layout/mathml/nsMathMLContainerFrame.cpp:1330:9
        #3 0x7fe3aeea7992 in nsMathMLContainerFrame::FinalizeReflow(mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&) /layout/mathml/nsMathMLContainerFrame.cpp:538:3
        #4 0x7fe3aeea8b52 in nsMathMLContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/mathml/nsMathMLContainerFrame.cpp:906:3
        #5 0x7fe3aeae6e33 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9621:11
        #6 0x7fe3aeb0ae7f in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9799:22
        #7 0x7fe3aeaf0315 in DoFlushLayout /layout/base/PresShell.cpp:9870:10
        #8 0x7fe3aeaf0315 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4352:11
        #9 0x7fe3aeae7ada in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
        #10 0x7fe3aeae7ada in DoFlushPendingNotifications /layout/base/PresShell.cpp:4151:3
        #11 0x7fe3aeae7ada in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1461:5
        #12 0x7fe3aeae7ada in HandlePostedReflowCallbacks /layout/base/PresShell.cpp:4119:5
        #13 0x7fe3aeae7ada in mozilla::PresShell::DidDoReflow(bool) /layout/base/PresShell.cpp:9414:3
        #14 0x7fe3aeb0af66 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9821:5
        #15 0x7fe3aeaf0315 in DoFlushLayout /layout/base/PresShell.cpp:9870:10
        #16 0x7fe3aeaf0315 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4352:11
        #17 0x7fe3aaf48371 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
        #18 0x7fe3aaf48371 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10733:16
        #19 0x7fe3aa39cc14 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #20 0x7fe3aa39e025 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #21 0x7fe3b01e88fe in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13904:23
        #22 0x7fe3a9615f0f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #23 0x7fe3a9617433 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #24 0x7fe3aaf4d269 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11514:18
        #25 0x7fe3aaf1952b in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11452:9
        #26 0x7fe3aaf3438a in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7990:3
        #27 0x7fe3aafe4b38 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:12
        #28 0x7fe3aafe4b38 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1169:12
        #29 0x7fe3aafe4b38 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1216:13
        #30 0x7fe3a93fd252 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #31 0x7fe3a9407985 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:541:16
        #32 0x7fe3a9402ad8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:855:26
        #33 0x7fe3a94016aa in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:686:15
        #34 0x7fe3a9401a05 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
        #35 0x7fe3a940b386 in operator() /xpcom/threads/TaskController.cpp:188:37
        #36 0x7fe3a940b386 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
        #37 0x7fe3a94214e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #38 0x7fe3a942799d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #39 0x7fe3aa077633 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #40 0x7fe3a9f98ff8 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #41 0x7fe3a9f98f01 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #42 0x7fe3a9f98f01 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #43 0x7fe3ae73be78 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #44 0x7fe3b09c27db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #45 0x7fe3aa0784f9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #46 0x7fe3a9f98ff8 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #47 0x7fe3a9f98f01 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #48 0x7fe3a9f98f01 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #49 0x7fe3b09c2338 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:671:34
        #50 0x557692401df0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #51 0x557692401df0 in main /browser/app/nsBrowserApp.cpp:353:18
        #52 0x7fe3bcc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #53 0x7fe3bcc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #54 0x5576923d8458 in _start (/home/jkratzer/builds/m-c-20230303095645-fuzzing-debug/firefox-bin+0x5b458) (BuildId: d162de9a42fbd2000af77299d7eafa65b30c3888)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/mathml/nsMathMLContainerFrame.cpp:1295:3 in GetInterFrameSpacingFor
    ==10512==ABORTING

Verified bug as reproducible on mozilla-central 20230307095602-d0518009bfea.
The bug appears to have been introduced in the following build range:

Start: 06b1384b0ac76974add3756768c1746b464aa19f (20230113081820)
End: 64f9426ccca47ba05b9f4fe2380d87b8e833135b (20230113105852)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=06b1384b0ac76974add3756768c1746b464aa19f&tochange=64f9426ccca47ba05b9f4fe2380d87b8e833135b

I cannot reproduce at https://hg.mozilla.org/mozilla-central/rev/9fa6f54ca6d9 when trying quickly with ./mach run testcase.html. Is there any special config that could be involved in the fuzzing framework? Is the testcase flaky?

In the proposed regression range, 228f4a8ccf96b3bd724b82c7bd6ad92b4e7ba8ef seems the most likely to touch layout code and moreover the attached testcase has content-visibility.

I can reproduce with the grizzly build, here is a slightly reduced testcase.

This bug has been marked as a regression. Setting status flag for Nightly to affected.

:emilio do we have n/a severity here?

I don't think it should be non-applicable. It's disabled by default on non-nightly tho. How should content-visibility behave in MathML per spec?

:mrobinson, since you are the author of the regressor, bug 1663685, could you take a look?

For more information, please visit auto_nag documentation.

(In reply to Frédéric Wang (:fredw) from comment #4)

Created attachment 9321824 [details]
testcase.html

I can reproduce with the grizzly build, here is a slightly reduced testcase.

I failed to reproduce on a local build (--enable-debug --enable-fuzzing) with the attached testcase (by ./mach run testcase.html). Are there any extra steps I miss?

@asurkov: I was not able to reproduce either with a local build. I really needed to use the python -m grizzly.replay command mentioned above.

https://hg.mozilla.org/mozilla-central/rev/65273ac56e45

Verified bug as fixed on rev mozilla-central 20230504093414-0d4a9640bffd.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.