Open
Bug 1686859
Opened 4 years ago
Updated 9 months ago
Assertion failure: !i->IsMergedItem(), at /gecko/layout/painting/RetainedDisplayListBuilder.cpp:664
Categories
(Core :: Web Painting, defect, P2)
Core
Web Painting
Tracking
()
NEW
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs, )
Details
(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:confirmed])
Crash Data
Attachments
(2 files)
==22537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc33364c6f7 bp 0x7ffd05f6fdb0 sp 0x7ffd05f6fbc0 T0)
==22537==The signal is caused by a WRITE memory access.
==22537==Hint: address points to the zero page.
#0 0x7fc33364c6f7 in MergeState::AddNewNode(nsDisplayItem*, mozilla::Maybe<Index<OldListUnits> > const&, mozilla::Span<Index<MergedListUnits> const, 18446744073709551615ul>, mozilla::Maybe<Index<MergedListUnits> > const&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:664:9
#1 0x7fc33364dc6b in MergeState::ProcessOldNode(Index<OldListUnits>, nsTArray<Index<MergedListUnits> >&&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:699:11
#2 0x7fc33364baf2 in MergeState::ProcessPredecessorsOfOldNode(Index<OldListUnits>) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:740:9
#3 0x7fc33356f7b0 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:490:13
#4 0x7fc33356e9f7 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:841:31
#5 0x7fc33364af66 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:518:37
#6 0x7fc33356f77c in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:487:9
#7 0x7fc33356e9f7 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:841:31
#8 0x7fc333574268 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:1497:7
#9 0x7fc332e82535 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:3328:40
#10 0x7fc332d84fe0 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /gecko/layout/base/PresShell.cpp:6389:5
#11 0x7fc332728cee in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /gecko/view/nsViewManager.cpp:460:18
#12 0x7fc33272835e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /gecko/view/nsViewManager.cpp:395:22
#13 0x7fc33272ad6c in nsViewManager::ProcessPendingUpdates() /gecko/view/nsViewManager.cpp:1016:5
#14 0x7fc332cf9cdf in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2375:11
#15 0x7fc332d065a9 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:357:13
#16 0x7fc332d065a9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:336:7
#17 0x7fc332d06221 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:351:5
#18 0x7fc332d05434 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:799:5
#19 0x7fc332d05434 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:722:16
#20 0x7fc332d04875 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:624:7
#21 0x7fc332d04030 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:545:9
#22 0x7fc331e3c1d7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#23 0x7fc32c3587fc in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#24 0x7fc32bf49364 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#25 0x7fc32b99e9ae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#26 0x7fc32b99a814 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#27 0x7fc32b99c618 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#28 0x7fc32b99d238 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#29 0x7fc32a672d09 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#30 0x7fc32a66f707 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#31 0x7fc32a66d647 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#32 0x7fc32a66da9d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#33 0x7fc32a67a8b4 in operator() /gecko/xpcom/threads/TaskController.cpp:126:37
#34 0x7fc32a67a8b4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#35 0x7fc32a69addd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#36 0x7fc32a698e10 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#37 0x7fc32a698e10 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:897:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#38 0x7fc32a698e10 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:897:3
#39 0x7fc32a6ac212 in nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp:400:17
#40 0x7fc32a6ac3cc in non-virtual thunk to nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp
#41 0x7fc32a6788ef in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#42 0x7fc32a6788ef in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#43 0x7fc32a6788ef in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#44 0x7fc32a672d09 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#45 0x7fc32a66f707 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#46 0x7fc32a66d647 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#47 0x7fc32a66da9d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#48 0x7fc32a67a8b4 in operator() /gecko/xpcom/threads/TaskController.cpp:126:37
#49 0x7fc32a67a8b4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#50 0x7fc32a69addd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#51 0x7fc32a698e10 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#52 0x7fc32a698e10 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:897:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#53 0x7fc32a698e10 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:897:3
#54 0x7fc32a6ac212 in nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp:400:17
#55 0x7fc32a6ac3cc in non-virtual thunk to nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp
#56 0x7fc32a6788ef in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#57 0x7fc32a6788ef in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#58 0x7fc32a6788ef in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#59 0x7fc32a672d09 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#60 0x7fc32a66f707 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#61 0x7fc32a66d647 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#62 0x7fc32a66da9d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#63 0x7fc32a67a8b4 in operator() /gecko/xpcom/threads/TaskController.cpp:126:37
#64 0x7fc32a67a8b4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#65 0x7fc32a69addd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#66 0x7fc32a698e10 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#67 0x7fc32a698e10 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:897:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#68 0x7fc32a698e10 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:897:3
#69 0x7fc32a6ac212 in nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp:400:17
#70 0x7fc32a6ac3cc in non-virtual thunk to nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp
#71 0x7fc32a6788ef in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#72 0x7fc32a6788ef in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#73 0x7fc32a6788ef in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#74 0x7fc32a672d09 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#75 0x7fc32a66f707 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#76 0x7fc32a66d647 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#77 0x7fc32a66da9d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#78 0x7fc32a67a881 in operator() /gecko/xpcom/threads/TaskController.cpp:123:37
#79 0x7fc32a67a881 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#80 0x7fc32a69addd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#81 0x7fc32a6a610c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#82 0x7fc32b9a75cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#83 0x7fc32b89df01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#84 0x7fc32b89df01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#85 0x7fc32b89df01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#86 0x7fc3327ea227 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#87 0x7fc33652efef in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#88 0x7fc32b89df01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#89 0x7fc32b89df01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#90 0x7fc32b89df01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#91 0x7fc33652e58c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#92 0x564a490d52fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#93 0x564a490d5737 in main /gecko/browser/app/nsBrowserApp.cpp:305:18
#94 0x7fc34aedc0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#95 0x564a49028c99 in _start (/home/worker/builds/m-c-20210113043149-fuzzing-asan-opt/firefox+0x5ac99)
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
I got a crash with the testcase on WR+Wintelx64
https://crash-stats.mozilla.org/report/index/08c69a93-2a68-4087-8d85-ddfd40210115#tab-bugzilla
Crash Signature: [@ MergeState::ProcessOldNode ]
See Also: → 1618884
|
|
||
Updated•4 years ago
|
Component: Web Painting → Graphics: WebRender
|
Reporter | |
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/CDIyqkdc9nezfYN-T16TCg/index.html
|
||
Comment 3•4 years ago
|
||
Although it crashes with wr, it also crashes without wr for me. And the code that is crashing/asserting is pretty much independant of wr/non-wr.
Component: Graphics: WebRender → Web Painting
|
||
Comment 4•4 years ago
|
||
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20210115035053-0f5e4a3c6f0a
mozilla-central 20210115035053-0f5e4a3c6f0a
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Whiteboard: [bugmon:confirmed]
|
||
Comment 5•4 years ago
|
||
Simplified testcase. Seems that the trigger for the crash is inserting table cells with JavaScript.
|
|
||
Updated•4 years ago
|
Severity: -- → S2
Priority: -- → P2
| Comment hidden (Intermittent Failures Robot) |
|
||
Comment 7•3 years ago
|
||
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Severity: S2 → S3
|
|
Reporter | |
Comment 8•9 months ago
|
||
This has been detected by live site testing.
You need to log in
before you can comment on or make changes to this bug.
Description
•