Found while fuzzing m-c 20230207-61a5e77067ce (--enable-debug --enable-fuzzing)

Unfortunately a test case is not available at this time.

Requires pref image.avif.sequence.enabled=true

Assertion failure: mGetIndex == aExpectedFrame, at /builds/worker/checkouts/gecko/image/AnimationFrameBuffer.h:172

#0 0x7fe7886c4f78 in mozilla::image::AnimationFrameBuffer::AdvanceTo(unsigned long) /builds/worker/checkouts/gecko/image/AnimationFrameBuffer.h:172:5
#1 0x7fe7886c4b83 in mozilla::image::AnimationSurfaceProvider::Advance(unsigned long) /builds/worker/checkouts/gecko/image/AnimationSurfaceProvider.cpp:129:31
#2 0x7fe7886db546 in Advance /builds/worker/checkouts/gecko/image/ISurfaceProvider.h:222:16
#3 0x7fe7886db546 in mozilla::image::FrameAnimator::AdvanceFrame(mozilla::image::AnimationState&, mozilla::image::DrawableSurface&, RefPtr<mozilla::image::imgFrame>&, mozilla::TimeStamp) /builds/worker/checkouts/gecko/image/FrameAnimator.cpp:322:11
#4 0x7fe7886dc679 in mozilla::image::FrameAnimator::RequestRefresh(mozilla::image::AnimationState&, mozilla::TimeStamp const&) /builds/worker/checkouts/gecko/image/FrameAnimator.cpp:410:9
#5 0x7fe7886fc757 in mozilla::image::RasterImage::RequestRefresh(mozilla::TimeStamp const&) /builds/worker/checkouts/gecko/image/RasterImage.cpp:155:27
#6 0x7fe78c604c5e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2749:14
#7 0x7fe78c60d70d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#8 0x7fe78c60d70d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#9 0x7fe78c60d613 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#10 0x7fe78c60d4f0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#11 0x7fe78c60c85a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#12 0x7fe78c60c026 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#13 0x7fe78c60bb39 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#14 0x7fe78c60b74d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#15 0x7fe78b9f615b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#16 0x7fe78bcef043 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:228:78
#17 0x7fe787c70008 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6305:32
#18 0x7fe787bfaaca in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#19 0x7fe787bf7747 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#20 0x7fe787bf8275 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#21 0x7fe787bf95af in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#22 0x7fe786fa6b75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#23 0x7fe786fa1dbc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#24 0x7fe786fa098a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#25 0x7fe786fa0ce5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#26 0x7fe786faa626 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#27 0x7fe786faa626 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#28 0x7fe786fbfde7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#29 0x7fe786fc626d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#30 0x7fe787c00a13 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#31 0x7fe787b22938 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#32 0x7fe787b22841 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#33 0x7fe787b22841 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#34 0x7fe78c298b18 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x7fe78e505c1b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#36 0x7fe787c018d9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#37 0x7fe787b22938 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#38 0x7fe787b22841 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#39 0x7fe787b22841 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#40 0x7fe78e505778 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#41 0x564a49817ce0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x564a49817ce0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#43 0x7fe79bdda082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#44 0x564a497ee348 in _start (/home/twsmith/workspace/browsers/m-c-20230207214329-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 9445fb3bc83584e5f74afe3301c4c94feb5023eb)

This is one where the stack doesn't tell us too much, there is internal state that is very helpful in understanding what is going on.

Should we mark this as resolved-incomplete and reopen if we get a test case?

My bad, I did while saving... Will revert if it's not right.

Probably leave it open for a bit. I usually let Tyson handle opening/closing his fuzz bugs as he has the best insight into it. There's still the possibility that we'll be able to get a pernosco recording for this.

I could see the same root cause as bug 1814560 causing this, but unsure if that is actually the case.

The fuzzers are no longer reporting this issue.