Closed Bug 1353651 Opened 7 years ago Closed 3 years ago

Assertion failure: !startedAny || collection (must have element transitions if we started any transitions)

Tracking

()

Status:

RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(1 file)

Testcase 7 years ago Jason Kratzer [:jkratzer] 533 bytes, text/html		Details

Jason Kratzer [:jkratzer]

Reporter

Description

•

7 years ago

Attached file Testcase — Details

Testcase found while fuzzing mozilla-central asan-debug rev 20170401-655d6c600048.

Testcase requires the domFuzzLite extension:
https://www.squarefree.com/extensions/domFuzzLite.xpi

Furthermore, testcase appears to only trigger reliably under a virtual XWindow (xvfb).

Assertion failure: !startedAny || collection (must have element transitions if we started any transitions), at /home/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:560
ASAN:DEADLYSIGNAL
=================================================================
==19622==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5d2b9a327f bp 0x7ffe7158bb30 sp 0x7ffe7158b8e0 T0)
==19622==The signal is caused by a WRITE memory access.
==19622==Hint: address points to the zero page.
    #0 0x7f5d2b9a327e in nsTransitionManager::StyleContextChanged(mozilla::dom::Element*, nsStyleContext*, RefPtr<nsStyleContext>*) /home/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:538:5
    #1 0x7f5d2ba16617 in mozilla::GeckoRestyleManager::TryInitiatingTransition(nsPresContext*, nsIContent*, nsStyleContext*, RefPtr<nsStyleContext>*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:690:38
    #2 0x7f5d2ba20bf0 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2692:9
    #3 0x7f5d2ba1de76 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
    #4 0x7f5d2ba28b6a in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3125:16
    #5 0x7f5d2ba139d1 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3536:3
    #6 0x7f5d2ba12ebb in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:152:5
    #7 0x7f5d2ba79b48 in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
    #8 0x7f5d2ba77e2e in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262:9
    #9 0x7f5d2ba15a94 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:504:3
    #10 0x7f5d2ba4c0f4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4189:41
    #11 0x7f5d2b9dff2b in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1772:18
    #12 0x7f5d2b9e888e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #13 0x7f5d2b9e865d in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #14 0x7f5d2b9ebfd5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #15 0x7f5d2b9eacd6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624:35
    #16 0x7f5d2b9eb820 in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:899:13
    #17 0x7f5d265f26ee in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #18 0x7f5d265eed90 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #19 0x7f5d27115a15 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #20 0x7f5d270682d7 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #21 0x7f5d27068169 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211:3
    #22 0x7f5d2b529c1a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #23 0x7f5d2de6ea01 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #24 0x7f5d2dfb9aef in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4520:22
    #25 0x7f5d2dfbb62a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4700:8
    #26 0x7f5d2dfbc482 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4791:21
    #27 0x4ec0e8 in do_main(int, char**, char**) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #28 0x4eba00 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307:16
    #29 0x7f5d428e182f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291

Flags: in-testsuite?

Jet Villegas (inactive)

Updated

•

7 years ago

Priority: -- → P3

Rares Doghi, Desktop QA

Comment 1

•

3 years ago

Hi Jason, does this issue still occur with an asan debug build ? I tried installing the extension you mentioned and it seems corrupted, does this issue still occur on your end ?

Flags: needinfo?(jkratzer)

Jason Kratzer [:jkratzer]

Reporter

Comment 2

•

3 years ago

(In reply to Rares Doghi from comment #1)

Hi Jason, does this issue still occur with an asan debug build ? I tried installing the extension you mentioned and it seems corrupted, does this issue still occur on your end ?

Rares, I can no longer reproduce this issue. Further, the assertion triggered in this bug no longer exists in layout/style/nsTransitionManager.cpp. I think we can safely close this issue.

Status: NEW → RESOLVED

Closed: 3 years ago

Flags: needinfo?(jkratzer)

Resolution: --- → WORKSFORME

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: !startedAny || collection (must have element transitions if we started any transitions)

Categories

(Core :: Layout, defect, P3)

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Attachment

General

Description

File Name

Content Type