Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 8) at gfx/wr/webrender_api/src/display_list.rs:2238
Component: Core :: Graphics: WebRender (defect)
Reporter: tsmith (Unassigned, NeedInfo)
References: Blocks 2 open bugs
Whiteboard: [bugmon:bisected,confirmed] (4 keywords)
Attachments: 1 file (311 bytes, text/html)
Found while fuzzing m-c 20221212-d9b14b6b3a52 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 8) at gfx/wr/webrender_api/src/display_list.rs:2238
#0 0x7fe5742ed069 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fe5742ed069 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fe5742ecf30 in mozglue_static::panic_hook::h87dc444f7c63beba /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fe5742ebc55 in core::ops::function::Fn::call::he5f5a2e5ad5a0df4 /builds/worker/fetches/rust/library/core/src/ops/function.rs:78:5
#4 0x7fe578088e3b in std::panicking::rust_panic_with_hook::hb95930056730415d (/home/user/workspace/browsers/m-c-20221229092636-fuzzing-asan-opt/libxul.so+0x27ef3e3b) (BuildId: 48cd9f98c841a06a1e1cc4823363000365d6fad7)
#5 0x7fe5780ad2c6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h251d4677403105eb std.82f3c14a-cgu.8
#6 0x7fe5780ad0bb in std::sys_common::backtrace::__rust_end_short_backtrace::h4aa72274704f4358 std.82f3c14a-cgu.8
#7 0x7fe5780889b1 in rust_begin_unwind (/home/user/workspace/browsers/m-c-20221229092636-fuzzing-asan-opt/libxul.so+0x27ef39b1) (BuildId: 48cd9f98c841a06a1e1cc4823363000365d6fad7)
#8 0x7fe5780f94e2 in core::panicking::panic_fmt::h8c57bd6922066c10 (/home/user/workspace/browsers/m-c-20221229092636-fuzzing-asan-opt/libxul.so+0x27f644e2) (BuildId: 48cd9f98c841a06a1e1cc4823363000365d6fad7)
#9 0x7fe5780f96b1 in core::panicking::panic_bounds_check::h1654d256162967ba (/home/user/workspace/browsers/m-c-20221229092636-fuzzing-asan-opt/libxul.so+0x27f646b1) (BuildId: 48cd9f98c841a06a1e1cc4823363000365d6fad7)
#10 0x7fe5737a982d in _$LT$usize$u20$as$u20$core..slice..index..SliceIndex$LT$$u5b$T$u5d$$GT$$GT$::index::hda55fdbb57abdd00 /builds/worker/fetches/rust/library/core/src/slice/index.rs:259:10
#11 0x7fe5737a982d in core::slice::index::_$LT$impl$u20$core..ops..index..Index$LT$I$GT$$u20$for$u20$$u5b$T$u5d$$GT$::index::hcecbc040048dae06 /builds/worker/fetches/rust/library/core/src/slice/index.rs:18:9
#12 0x7fe5737a982d in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$core..ops..index..Index$LT$I$GT$$GT$::index::hf3bc711d623d5538 /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:2736:9
#13 0x7fe5737a982d in webrender_api::display_list::DisplayListBuilder::current_offset::hd24821aaa0806ca6 /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_list.rs:2238:29
#14 0x7fe5737a982d in webrender_api::display_list::DisplayListBuilder::define_scroll_frame::h38e875d0126cd6c9 /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_list.rs:1914:30
#15 0x7fe5724a0dec in wr_dp_define_scroll_layer /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:2750:26
#16 0x7fe563a1f26d in mozilla::wr::DisplayListBuilder::DefineScrollLayer(unsigned long const&, mozilla::Maybe<mozilla::wr::WrSpatialId> const&, mozilla::wr::Box2D<float, mozilla::wr::LayoutPixel> const&, mozilla::wr::Box2D<float, mozilla::wr::LayoutPixel> const&, mozilla::wr::Vector2D<float, mozilla::wr::LayoutPixel> const&, unsigned long, mozilla::wr::HasScrollLinkedEffect, mozilla::wr::SpatialTreeItemKey) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:1135:16
#17 0x7fe56351687f in mozilla::layers::ClipManager::DefineScrollLayers(mozilla::ActiveScrolledRoot const*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/gfx/layers/wr/ClipManager.cpp:379:25
#18 0x7fe56351531f in mozilla::layers::ClipManager::SwitchItem(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/gfx/layers/wr/ClipManager.cpp:261:39
#19 0x7fe56359e777 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2067:43
#20 0x7fe56a5f2645 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4659:30
#21 0x7fe56a5f7e8f in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4966:12
#22 0x7fe56a5f7e8f in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5298:22
#23 0x7fe5635a0aba in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1822:41
#24 0x7fe56359e9cd in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2088:7
#25 0x7fe56359c6ec in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1743:5
#26 0x7fe5635bc800 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
#27 0x7fe56a5d582c in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2302:18
#28 0x7fe569f30c5e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3461:9
#29 0x7fe569e3c73b in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6518:5
#30 0x7fe5696c595d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
#31 0x7fe5696c50fb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
#32 0x7fe5696c702a in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
#33 0x7fe569db1007 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2806:11
#34 0x7fe569dd1776 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1786:25
#35 0x7fe569dd1776 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#36 0x7fe560e5dad9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#37 0x7fe560e548f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#38 0x7fe560e51b78 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#39 0x7fe560e522a0 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#40 0x7fe560e63be1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#41 0x7fe560e63be1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#42 0x7fe560e86d44 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#43 0x7fe560e91134 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#44 0x7fe5625f46ae in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#45 0x7fe562477507 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#46 0x7fe562477507 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#47 0x7fe562477507 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#48 0x7fe5697bdec9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7fe56e736608 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#50 0x7fe562477507 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#51 0x7fe562477507 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#52 0x7fe562477507 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#53 0x7fe56e735d9f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#54 0x55a02e965454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#55 0x55a02e965917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#56 0x7fe58338bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#57 0x7fe58338be3f in __libc_start_main csu/../csu/libc-start.c:392:3
#58 0x55a02e8a3ed8 in _start (/home/user/workspace/browsers/m-c-20221229092636-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: 7041d944462f6ab2c4618c24c708ba0814efd194)
Comment 1•2 years ago
Verified bug as reproducible on mozilla-central 20221230044034-3aeca13c7e9e.
The bug appears to have been introduced in the following build range:
Start: 5936168c80d1f6b8a55f7f528b0851e75e90660d (20220906092501)
End: d1b399bcd0474869d29804c13b2145a6a8b645da (20220906120315)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5936168c80d1f6b8a55f7f528b0851e75e90660d&tochange=d1b399bcd0474869d29804c13b2145a6a8b645da
Comment 2•2 years ago
A Pernosco session is available here: https://pernos.co/debug/XYbPSACJQIK1cgQ0VajARQ/index.html
Comment 4•2 years ago
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:gw, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit auto_nag documentation.
Comment 5•2 years ago
I can reproduce this locally; it appears to be a bug in the display list supplied by Gecko, from what I can tell.
Specifically, there is a call to DefineScrollFrame which supplies an invalid parent spatial id.
From some logging, we see:
wr_api_begin_builder <- Begins a new display list, resets the spatial_nodes array in DisplayListBuilder
Define a scroll frame: parent=SpatialId(2, PipelineId(1, 2)) id=SpatialId(3, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(3, PipelineId(1, 2)) id=SpatialId(4, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(4, PipelineId(1, 2)) id=SpatialId(5, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(5, PipelineId(1, 2)) id=SpatialId(6, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(6, PipelineId(1, 2)) id=SpatialId(7, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(8, PipelineId(1, 2)) id=SpatialId(9, PipelineId(1, 2))
wr_api_begin_builder <- Begins a new display list, resets the spatial_nodes array in DisplayListBuilder
Define a scroll frame: parent=SpatialId(2, PipelineId(1, 2)) id=SpatialId(3, PipelineId(1, 2))
Define a scroll frame: parent=SpatialId(8, PipelineId(1, 2)) id=SpatialId(4, PipelineId(1, 2)) <--- Bad stuff happens here
So on the last line of that log, we can see that the parent id of the scroll node references an id that was defined in the previous display list, but not in the current display list (as there was a display list begin interleaved between those).
Timothy, any ideas on what could cause this?
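As an added illustration of the bookkeeping comment 5 describes (this is not WebRender's code): each wr_api_begin_builder resets the builder's spatial_nodes array, so a parent id carried over from the previous list indexes past the end of the current one, which is exactly "the len is 4 but the index is 8". The model below replays the second display list from the log, showing the unchecked lookup that panics beside a checked variant that reports the stale parent instead; the root-node count, node contents and offsets are assumptions.

```rust
// Added model of the bookkeeping in comment 5, not WebRender's code;
// root-node count, node contents and offsets are assumed.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SpatialId(pub usize); // pipeline id omitted; the index is what gets looked up

#[derive(Debug, PartialEq, Eq)]
pub enum DefineError {
    /// The parent id is not defined in the current display list.
    UnknownParent { parent: usize, len: usize },
}

pub struct DisplayListBuilder {
    /// Accumulated offset of each spatial node; SpatialId.0 indexes this array.
    spatial_nodes: Vec<(f32, f32)>,
}

impl DisplayListBuilder {
    /// Like wr_api_begin_builder: a new list starts with a fresh array, so ids from
    /// the previous list are stale. Three root nodes are assumed so the first
    /// scroll frame gets id 3, as in the log.
    pub fn begin() -> Self {
        DisplayListBuilder { spatial_nodes: vec![(0.0, 0.0); 3] }
    }

    /// Unchecked lookup: the shape of the indexing that panicked in current_offset().
    pub fn define_scroll_frame_unchecked(&mut self, parent: SpatialId, off: (f32, f32)) -> SpatialId {
        let (px, py) = self.spatial_nodes[parent.0]; // panics when parent.0 >= len
        self.spatial_nodes.push((px + off.0, py + off.1));
        SpatialId(self.spatial_nodes.len() - 1)
    }

    /// Checked lookup: a stale parent becomes an error the caller can report.
    pub fn define_scroll_frame(&mut self, parent: SpatialId, off: (f32, f32)) -> Result<SpatialId, DefineError> {
        let len = self.spatial_nodes.len();
        let err = DefineError::UnknownParent { parent: parent.0, len };
        let (px, py) = *self.spatial_nodes.get(parent.0).ok_or(err)?;
        self.spatial_nodes.push((px + off.0, py + off.1));
        Ok(SpatialId(len))
    }
}

/// Replays the second display list from the log: parent=2 -> id 3 succeeds, then
/// parent=8 is looked up while only ids 0..=3 exist (len 4).
pub fn replay_crashing_list() -> Result<SpatialId, DefineError> {
    let mut b = DisplayListBuilder::begin();
    let id3 = b.define_scroll_frame(SpatialId(2), (1.0, 1.0))?;
    assert_eq!(id3, SpatialId(3));
    b.define_scroll_frame(SpatialId(8), (1.0, 1.0))
}
```

The checked variant turns the stale parent into UnknownParent { parent: 8, len: 4 }, which is the same pair of numbers the MOZ_CRASH message reports.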
Comment 6•2 years ago
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 7•2 years ago
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Comment 8•2 years ago
I can still repro this locally, but it appears to be an issue in what Gecko is supplying to WR as a display list. Comment 5 has more details, and I also hit:
Assertion failure: IsAncestor(aOne, aTwo) || IsAncestor(aTwo, aOne), at /code/work/gecko1/obj-x86_64-pc-linux-gnu/dist/include/nsDisplayList.h:203
in a debug build. Unassigning for now as I'm not sure what's involved in fixing this, but Tim may have a better idea.