Closed Bug 1186407 Opened 9 years ago Closed 9 years ago

Crashing on pages while clicking-selecting-dragging text

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1156238
Tracking Flags:
Tracking Status
firefox42 --- affected

People

(Reporter: kats, Unassigned)

References

(
URL
)

Details

(Keywords: regression)

Attachments

(3 files, 1 obsolete file)

Backtrace
10.99 KB, text/plain
Details
Frame dump
1.94 MB, text/plain
Details
MozReview Request: Bug 1186407 - Make sure the result of nsDisplayListBuilder::FindAnimatedGeometryRootFor is always an ancestor of aStopAtAncestor.
40 bytes, text/x-review-board-request
kats
: feedback-
Details 
+++ This bug was initially created as a clone of Bug #1181135 +++

STR:
- Enable APZ and e10s
- Load https://groups.google.com/forum/#!topic/mozilla.dev.platform/-cDq6DqBZ2k
- Select text and try to drag it. I find that selecting text across post boundaries seems to be the most effective

AR: Child process crashes.

This might actually be the same crash as bug 1181135, but since I'm running a debug build it's crashing on a MOZ_ASSERT so the stack is a little different. On a production build it might just go off into the weeds somewhere resulting in a different crash stack.
Attached file Backtrace (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        Backtrace
      

    


  
I caught it in rr, here's a backtrace from the recording (the addresses will line up with the rest of the attachments I'm going to post)

        Attachment #8637205 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        Frame dump
      

    


  
Attached is a frame dump of the frame tree that contains mContainerAnimatedGeometryRoot.

(gdb) p mContainerAnimatedGeometryRoot
$8 = (const ViewportFrame *) 0x2aaacc356900
(gdb) p mBuilder->mReferenceFrame
$9 = (nsBlockFrame *) 0x2aaad5e0b168

The mContainerAnimatedGeometryRoot is actually an ancestor of the builder's reference frame, rather than the other way around (which is what the assert is expecting).

    
    

    
  


  
Bug 1186407 - Make sure the result of nsDisplayListBuilder::FindAnimatedGeometryRootFor is always an ancestor of aStopAtAncestor.

        Attachment #8637251 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 8637251 [details]
MozReview Request: Bug 1186407 - Make sure the result of nsDisplayListBuilder::FindAnimatedGeometryRootFor is always an ancestor of aStopAtAncestor.

When I tried this patch it resulted in a crash (assertion failure at nsFrame.cpp:2439) right on page load. Also the patch doesn't compile for lack of proper const propagation.

        Attachment #8637251 -
        Flags: feedback-

        Attachment #8637251 -
        Flags: review?(roc)

    
    

    
  
Oh, hey, this is the same thing as bug 1156238.

    
    

    
  
Oh, not exactly the same thing, but probably very related. That one happens at a different line in FrameLayerBuilder.

Also for posterity here's the discussion from when Markus and I were investigating this earlier today:

http://logs.glob.uno/?c=mozilla%23apz&s=22%20Jul%202015&e=22%20Jul%202015#c10913
See Also:  → 1156238
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: