Found while fuzzing m-c 20211002-1a7d94a7a1e6 (--enable-debug --enable-fuzzing)

Assertion failure: false (item should have finite clip with respect to aASR), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2594

#0 0x7f5f2210f648 in mozilla::nsDisplayItem::GetClipWithRespectToASR(mozilla::nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2594:3
#1 0x7f5f2210c738 in mozilla::nsDisplayList::GetClippedBoundsWithRespectToASR(mozilla::nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*, nsRect*) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:1998:35
#2 0x7f5f22129000 in UpdateUntransformedBounds /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7029:33
#3 0x7f5f22129000 in mozilla::nsDisplayTransform::UpdateBounds(mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6984:3
#4 0x7f5f22138d77 in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:551:15
#5 0x7f5f220dff92 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:504:9
#6 0x7f5f220df922 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:854:31
#7 0x7f5f22138c1e in mozilla::MergeState::MergeChildLists(mozilla::nsDisplayItem*, mozilla::nsDisplayItem*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:535:37
#8 0x7f5f220dff92 in mozilla::MergeState::ProcessItemFromNewList(mozilla::nsDisplayItem*, mozilla::Maybe<mozilla::Index<mozilla::MergedListUnits> > const&) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:504:9
#9 0x7f5f220df922 in mozilla::RetainedDisplayListBuilder::MergeDisplayLists(mozilla::nsDisplayList*, mozilla::RetainedDisplayList*, mozilla::RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:854:31
#10 0x7f5f220e24c2 in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1520:7
#11 0x7f5f21d76795 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3336:40
#12 0x7f5f21cea279 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6398:5
#13 0x7f5f219575c8 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:439:18
#14 0x7f5f219570fb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:374:22
#15 0x7f5f21958696 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:947:5
#16 0x7f5f21ca760d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2553:11
#17 0x7f5f21cae9ba in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13
#18 0x7f5f21cae9ba in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7
#19 0x7f5f21cae8d3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5
#20 0x7f5f21cae7a0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5
#21 0x7f5f21cade3a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16
#22 0x7f5f21cad749 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7
#23 0x7f5f21cad1b9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9
#24 0x7f5f21471556 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#25 0x7f5f1e0c48a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#26 0x7f5f1de9f18c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6207:32
#27 0x7f5f1db25bbf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25
#28 0x7f5f1db224a1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9
#29 0x7f5f1db23925 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3
#30 0x7f5f1db2456d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14
#31 0x7f5f1d0cde5e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
#32 0x7f5f1d0a910f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
#33 0x7f5f1d0a7d78 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
#34 0x7f5f1d0a7ff3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
#35 0x7f5f1d0d1429 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:126:37
#36 0x7f5f1d0d1429 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#37 0x7f5f1d0bc90f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148:16
#38 0x7f5f1d0c365a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#39 0x7f5f1db2b9e4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#40 0x7f5f1da4c127 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#41 0x7f5f1da4c032 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#42 0x7f5f1da4c032 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#43 0x7f5f219a9518 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#44 0x7f5f23841813 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#45 0x7f5f1db2c92a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#46 0x7f5f1da4c127 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#47 0x7f5f1da4c032 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#48 0x7f5f1da4c032 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#49 0x7f5f23840e4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#50 0x563ab3881b46 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#51 0x563ab3881b46 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#52 0x7f5f335c00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#53 0x563ab385e94c in _start (/home/worker/builds/m-c-20211002095048-fuzzing-debug/firefox-bin+0x1594c)

This issue is hit frequently while fuzzing and while trying to reduce other unrelated issues, please prioritize it appropriately.

A Pernosco session is available here: https://pernos.co/debug/EBneI69IWBKdaDP5etuLNw/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211013034420-9b9f8bfe2625.
The bug appears to have been introduced in the following build range:

Start: 57328f12e67aafad12fd1f062fddf48b41120a4f (20210614004220)
End: e77eb14241b9e712ddda1e8c1cc21ef455377e3c (20210614070416)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=57328f12e67aafad12fd1f062fddf48b41120a4f&tochange=e77eb14241b9e712ddda1e8c1cc21ef455377e3c

The severity field is not set for this bug.
:mattwoodrow, could you have a look please?

For more information, please visit auto_nag documentation.

Matt is no longer working with Mozilla, redirecting the NeedInfo request to the triage owner.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211002095048-1a7d94a7a1e6) but not with tip (mozilla-central 20220129091708-7f00dabac085.)
The bug appears to have been fixed in the following build range:

Start: 5c51b325c09f22a0d9384cfc5198f27ec9bdbfc8 (20220123214850)
End: e960e654cbc9f60ce79eb1535fd6ec4e3acc2029 (20220125100058)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5c51b325c09f22a0d9384cfc5198f27ec9bdbfc8&tochange=e960e654cbc9f60ce79eb1535fd6ec4e3acc2029
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The previous testcase no longer reproduces, however this one does.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220526155159-67475e519671.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 257c3c51ab2338a35634610b9d3c6c4c305e6005 (20210527031253)
End: 1a7d94a7a1e6d83d7b8ad4f077683ded4bf1d893 (20211002095048)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:tnikkel, could you increase the severity?

For more information, please visit auto_nag documentation.

This assert (item should have finite clip with respect to aASR) is tough. We can try to fix one instance but it might break something else.

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:tnikkel, could you increase the severity?

For more information, please visit auto_nag documentation.

Are you just gonna needinfo me every week for the same thing? :( Please don't.

(In reply to Timothy Nikkel (:tnikkel) from comment #14)

Are you just gonna needinfo me every week for the same thing? :( Please don't.

ni?ing suhaib for visibility.

(In reply to Tyson Smith [:tsmith] from comment #15)

ni?ing suhaib for visibility.

Thank you for pinging me.

(In reply to Timothy Nikkel (:tnikkel) from comment #14)

Are you just gonna needinfo me every week for the same thing? :( Please don't.

This is should be fixed by https://github.com/mozilla/relman-auto-nag/pull/1612. However, you will still be getting weekly reminder emails with a list of bugs that have the [fuzzblocker] tag.

Tired of the weekly reminder emails.

For context regarding fuzzblocker status: at the time of writing the bucket that contains this issue has over 32,200 entries. It is currently the most reported issue by the browser fuzzers.

How much effort would be required to fix this issue?
Does this assertion provide value? if so can it be lowered to a non-fatal assertion?

I'll make them non-fatal in bug 1810662 and see what happens.

Testcase crashes using the initial build (mozilla-central 20220129091708-7f00dabac085) but not with tip (mozilla-central 20230127094652-f75c73066b88.)

The bug appears to have been fixed in the following build range:

Start: 8a995f387d67222577634ead27be919864f73295 (20230125114240)
End: eadea8a10f38cf8643042bdcaa743dcc1cbd26ab (20230125133738)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8a995f387d67222577634ead27be919864f73295&tochange=eadea8a10f38cf8643042bdcaa743dcc1cbd26ab

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

We made the assert non-fatal in that range, but it still fires of course.

Thanks :tnikkel :)