Closed Bug 1342323 Opened 8 years ago Closed 8 years ago

stylo: Crash at [@nsLayoutUtils::DoCompareTreePosition nsFrameConstructorState::ProcessFrameInsertions nsFrameConstructorState::~nsFrameConstructorState nsCSSFrameConstructor::ContentRangeInserted nsCSSFrameConstructor::RecreateFramesForContent]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: cbook, Assigned: hiro)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files)

bughunter stack
201.82 KB, text/plain
Details
Bug 1342323 - Fix wrong index for missing properties in the initial and final keyframes.
59 bytes, text/x-review-board-request
emilio
: review+
Details
Attached file bughunter stack
Found via bughunter topsite tests and reproduced on http://www.posta.com.tr with latest stylo debug build. Steps to reproduce: -> Load http://www.posta.com.tr --> after 10-20 seconds the fedora vm crash before the crash i get [6410] ###!!! ASSERTION: Absolutely positioned _and_ floating?: '!aStyleDisplay->IsAbsolutelyPositionedStyle()', file /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp, line 1144 not sure if its relatet
Summary: Crash at [@nsLayoutUtils::DoCompareTreePosition nsFrameConstructorState::ProcessFrameInsertions nsFrameConstructorState::~nsFrameConstructorState nsCSSFrameConstructor::ContentRangeInserted nsCSSFrameConstructor::RecreateFramesForContent] → stylo: Crash at [@nsLayoutUtils::DoCompareTreePosition nsFrameConstructorState::ProcessFrameInsertions nsFrameConstructorState::~nsFrameConstructorState nsCSSFrameConstructor::ContentRangeInserted nsCSSFrameConstructor::RecreateFramesForContent]
I believe this is because we don't follow correctly CSS2.1 section 9.7, that makes the computed float value of an absolutely positioned element be none. I have a patch for servo incoming.
With that I get past that point to hit a rust panic: thread '<unnamed>' panicked at 'assertion failed: len >= (self.len() as u32)', /home/emilio/projects/moz/stylo/servo/components/style/gecko_bindings/sugar/ns_t_array.rs:91 note: Run with `RUST_BACKTRACE=1` for a backtrace. Redirecting call to abort() to mozalloc_abort Will investigate this tomorrow I guess.
That assert comes from Servo_StyleSet_FillKeyframesForName, hiro, could you take a look?
Flags: needinfo?(hikezoe)
Servo patch for the crash described in this bug: https://github.com/servo/servo/pull/15730 Thanks for noting the assertion failure Tomcat! :)
The index value for missing properties in the initial and final keyframes was apparently wrong! https://hg.mozilla.org/mozilla-central/file/a08ec245fa24/servo/ports/geckolib/glue.rs#l1503 https://treeherder.mozilla.org/#/jobs?repo=try&revision=020c5c15ab74699050c014bbb17dcba9ed83f35c Thank you Emilio for notifying. I thought frame construction was totally unrelated to animations!
Flags: needinfo?(hikezoe)
Comment on attachment 8841290 [details] Bug 1342323 - Fix wrong index for missing properties in the initial and final keyframes. https://reviewboard.mozilla.org/r/115544/#review116988 Thanks for fixing this Hiro! :)
Attachment #8841290 - Flags: review?(emilio+bugs) → review+
Fixed. https://hg.mozilla.org/mozilla-central/rev/0260913ef653
Assignee: nobody → hikezoe
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: