Open Bug 1907686 Opened 6 months ago Updated 5 months ago

Assertion failure: aContent != (*this)[i].mContent || !((*this)[i].mHint & nsChangeHint_ReconstructFrame) (Should not append a non-ReconstructFrame hint after appending a ReconstructFrame hint for the same content.)

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox130 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
297 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20240611-951502a5faeb (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aContent != (*this)[i].mContent || !((*this)[i].mHint & nsChangeHint_ReconstructFrame) (Should not append a non-ReconstructFrame hint after appending a ReconstructFrame hint for the same content.), at /src/layout/base/nsStyleChangeList.cpp:61

#0 0x769f6cb17200 in nsStyleChangeList::AppendChange(nsIFrame*, nsIContent*, nsChangeHint) /src/layout/base/nsStyleChangeList.cpp:57:7
#1 0x769f6cd24fc5 in nsTableFrame::UpdateStyleOfOwnedAnonBoxesForTableWrapper(nsIFrame*, nsIFrame*, mozilla::ServoRestyleState&) /src/layout/tables/nsTableFrame.cpp:7316:32
#2 0x769f6cc3ea61 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /src/layout/generic/nsIFrame.cpp:11225:7
#3 0x769f6cc3d994 in UpdateStyleOfOwnedAnonBoxes /src/layout/generic/nsIFrame.h:4140:7
#4 0x769f6cc3d994 in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /src/layout/generic/nsIFrame.cpp:10894:16
#5 0x769f6ca7c737 in mozilla::ServoRestyleState::ProcessMaybeNestedWrapperRestyle(nsIFrame*, unsigned long) /src/layout/base/RestyleManager.cpp:2344:23
#6 0x769f6ca7da21 in ProcessWrapperRestyles /src/layout/base/RestyleManager.cpp:2288:10
#7 0x769f6ca7da21 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /src/layout/base/RestyleManager.cpp:3069:26
#8 0x769f6ca7f726 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/RestyleManager.cpp:3265:28
#9 0x769f6ca53145 in mozilla::RestyleManager::ProcessPendingRestyles() /src/layout/base/RestyleManager.cpp:3370:3
#10 0x769f6ca5247c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4348:37
#11 0x769f691f0a68 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
#12 0x769f691f0a68 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /src/dom/base/Document.cpp:11055:16
#13 0x769f6a99cfa0 in InitBasic /src/dom/events/ContentEventHandler.cpp:349:16
#14 0x769f6a99cfa0 in mozilla::ContentEventHandler::InitCommon(mozilla::EventMessage, mozilla::SelectionType, bool) /src/dom/events/ContentEventHandler.cpp:422:17
#15 0x769f6a99d639 in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /src/dom/events/ContentEventHandler.cpp:494:17
#16 0x769f6a9a0ffb in mozilla::ContentEventHandler::OnQueryTextContent(mozilla::WidgetQueryContentEvent*) /src/dom/events/ContentEventHandler.cpp:1591:17
#17 0x769f6a9a06a8 in mozilla::ContentEventHandler::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /src/dom/events/ContentEventHandler.cpp:1425:12
#18 0x769f6a9ef988 in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /src/dom/events/IMEContentObserver.cpp:698:25
#19 0x769f6a9793c1 in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /src/dom/events/EventStateManager.cpp:1528:22
#20 0x769f6a978504 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /src/dom/events/EventStateManager.cpp:955:5
#21 0x769f6ca6a5cd in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /src/layout/base/PresShell.cpp:8448:39
#22 0x769f6ca637d8 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /src/layout/base/PresShell.cpp:8416:17
#23 0x769f6ca6406a in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /src/layout/base/PresShell.cpp:8162:7
#24 0x769f6ca61a1c in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /src/layout/base/PresShell.cpp:7068:12
#25 0x769f6ca60f04 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /src/layout/base/PresShell.cpp:6986:23
#26 0x769f6c62cbde in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /src/view/nsViewManager.cpp:652:18
#27 0x769f6c62c939 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /src/view/nsView.cpp:1066:9
#28 0x769f6c66c913 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /src/widget/PuppetWidget.cpp:349:37
#29 0x769f6c64c41a in mozilla::ContentCacheInChild::CacheText(nsIWidget*, mozilla::widget::IMENotification const*) /src/widget/ContentCache.cpp:330:12
#30 0x769f6c64c25a in mozilla::ContentCacheInChild::CacheAll(nsIWidget*, mozilla::widget::IMENotification const*) /src/widget/ContentCache.cpp:184:27
#31 0x769f6c66ee2b in mozilla::widget::PuppetWidget::NotifyIMEOfFocusChange(mozilla::widget::IMENotification const&) /src/widget/PuppetWidget.cpp:757:9
#32 0x769f6c67981f in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /src/widget/TextEventDispatcher.cpp:487:40
#33 0x769f6c640e62 in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /src/widget/nsBaseWidget.cpp:1923:43
#34 0x769f6a9ee5ef in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /src/dom/events/IMEStateManager.cpp
#35 0x769f6a9f87bd in mozilla::IMEContentObserver::IMENotificationSender::SendFocusSet() /src/dom/events/IMEContentObserver.cpp:1932:3
#36 0x769f6a9f7fb5 in mozilla::IMEContentObserver::IMENotificationSender::Run() /src/dom/events/IMEContentObserver.cpp:1802:5
#37 0x769f6a9f7971 in mozilla::IMEContentObserver::TryToFlushPendingNotifications(bool) /src/dom/events/IMEContentObserver.cpp:1638:17
#38 0x769f6aa01318 in mozilla::IMEStateManager::OnFocusInEditor(nsPresContext&, mozilla::dom::Element*, mozilla::EditorBase&) /src/dom/events/IMEStateManager.cpp:1059:32
#39 0x769f6c7c0dc4 in mozilla::EditorBase::OnFocus(nsINode const&) /src/editor/libeditor/EditorBase.cpp:6027:3
#40 0x769f6c8450af in mozilla::HTMLEditor::OnFocus(nsINode const&) /src/editor/libeditor/HTMLEditor.cpp:784:22
#41 0x769f6c7cb549 in mozilla::EditorEventListener::Focus(mozilla::InternalFocusEvent const&) /src/editor/libeditor/EditorEventListener.cpp:1171:47
#42 0x769f6c7ca433 in mozilla::EditorEventListener::HandleEvent(mozilla::dom::Event*) /src/editor/libeditor/EditorEventListener.cpp:475:21
#43 0x769f6c8a912f in mozilla::HTMLEditorEventListener::HandleEvent(mozilla::dom::Event*) /src/editor/libeditor/HTMLEditorEventListener.cpp:102:42
#44 0x769f6a9e0ded in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1345:22
#45 0x769f6a9e1ef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1662:12
#46 0x769f6a9e1769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1559:35
#47 0x769f6a9d572f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:365:17
#48 0x769f6a9d4a94 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:529:12
#49 0x769f6a9d5253 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:687:5
#50 0x769f6a9d767f in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1221:11
#51 0x769f694afbaa in FocusBlurEvent::Run() /src/dom/base/nsFocusManager.cpp:2789:12
#52 0x769f68f814d9 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /src/dom/base/nsContentUtils.cpp:6321:13
#53 0x769f68f81729 in nsContentUtils::AddScriptRunner(nsIRunnable*) /src/dom/base/nsContentUtils.cpp:6327:3
#54 0x769f69439c94 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /src/dom/base/nsFocusManager.cpp:2930:3
#55 0x769f69438dc5 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /src/dom/base/nsFocusManager.cpp:2901:3
#56 0x769f69431006 in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) /src/dom/base/nsFocusManager.cpp:2722:9
#57 0x769f69428fc3 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /src/dom/base/nsFocusManager.cpp:1807:5
#58 0x769f6942b9f7 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /src/dom/base/nsFocusManager.cpp:483:3
#59 0x769f6935a553 in mozilla::dom::Selection::StyledRanges::MaybeFocusCommonEditingHost(mozilla::PresShell*) const /src/dom/base/Selection.cpp:3716:11
#60 0x769f69351abd in mozilla::dom::Selection::NotifySelectionListeners() /src/dom/base/Selection.cpp:3768:19
#61 0x769f69353fae in mozilla::dom::Selection::CollapseInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /src/dom/base/Selection.cpp:2665:3
#62 0x769f69353671 in mozilla::dom::Selection::CollapseJS(nsINode*, unsigned int, mozilla::ErrorResult&) /src/dom/base/Selection.cpp:2541:3
#63 0x769f69b9b37d in mozilla::dom::Selection_Binding::setPosition(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:767:24
#64 0x769f6a4236a7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3268:13
#65 0x769f6d7aa774 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /src/js/src/vm/Interpreter.cpp:491:13
#66 0x769f6d7a9f5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:585:12
#67 0x769f6d7b9ff9 in CallFromStack /src/js/src/vm/Interpreter.cpp:657:10
#68 0x769f6d7b9ff9 in js::Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3394:16
#69 0x769f6d7a96a6 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:463:13
#70 0x769f6d7aa058 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:617:13
#71 0x769f6d7ab55f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:684:8
#72 0x769f6d8af6e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/CallAndConstruct.cpp:119:10
#73 0x769f6a191b38 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#74 0x769f6aa07529 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#75 0x769f6aa06607 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /src/dom/events/JSEventHandler.cpp:199:12
#76 0x769f6a9e0ded in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1345:22
#77 0x769f6a9e1ef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1662:12
#78 0x769f6a9e1769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1559:35
#79 0x769f6a9d572f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:365:17
#80 0x769f6a9d4da1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:606:16
#81 0x769f6a9d767f in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1221:11
#82 0x769f6caccad3 in nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1031:7
#83 0x769f6cf2a309 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:6273:13
...
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240714194554-8e1eae15c143.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 89d21fac92b8f98201b8715c6c050aace4b46afb (20230717160307)
End: 951502a5faeb2d4ede9d2cc7628091f76996d12c (20240611133415)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:alaskanemily, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(emcdonough)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: