1360970 - Assertion failure: !(mHintsHandledByAncestors & nsChangeHint_ReconstructFrame) (why restyle descendants if we are reconstructing the frame for an ancestor?), at /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1143

Status: NEW

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.  Issue appears to be related to bug 1357869.

Assertion failure: !(mHintsHandledByAncestors & nsChangeHint_ReconstructFrame) (why restyle descendants if we are reconstructing the frame for an ancestor?), at /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1143

ASAN:DEADLYSIGNAL
=================================================================
==12139==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffaa5880832 bp 0x7ffc708627d0 sp 0x7ffc70862790 T0)
==12139==The signal is caused by a WRITE memory access.
==12139==Hint: address points to the zero page.
    #0 0x7ffaa5880831 in mozilla::ElementRestyler::ElementRestyler(mozilla::ElementRestyler const&, nsIFrame*, unsigned int) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1141:3
    #1 0x7ffaa588fd38 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3454:29
    #2 0x7ffaa588c29d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2980:7
    #3 0x7ffaa588679c in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2003:5
    #4 0x7ffaa5887ac3 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2470:22
    #5 0x7ffaa5885fe6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1849:7
    #6 0x7ffaa588fd44 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3455:27
    #7 0x7ffaa588c29d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2980:7
    #8 0x7ffaa588679c in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2003:5
    #9 0x7ffaa5890c6a in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3119:16
    #10 0x7ffaa587bb51 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3530:3
    #11 0x7ffaa587b03b in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
    #12 0x7ffaa58e27f8 in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
    #13 0x7ffaa58e0ade in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262:9
    #14 0x7ffaa587dbf4 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:496:3
    #15 0x7ffaa58b4824 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4171:41
    #16 0x7ffaa58485db in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1823:18
    #17 0x7ffaa585111e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300:7
    #18 0x7ffaa5850eed in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #19 0x7ffaa5854785 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:752:5
    #20 0x7ffaa5853856 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:665:35
    #21 0x7ffaa584f507 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:512:20
    #22 0x7ffaa032772e in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270:14
    #23 0x7ffaa0323e60 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:393:10
    #24 0x7ffaa0e426d5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #25 0x7ffaa0d94d07 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #26 0x7ffaa0d94b99 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211:3
    #27 0x7ffaa537e07a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #28 0x7ffaa7d01ed1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #29 0x7ffaa7e54052 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4540:22
    #30 0x7ffaa7e55bbb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4720:8
    #31 0x7ffaa7e56ab2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4813:21
    #32 0x4ec0e8 in do_main(int, char**, char**) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #33 0x4eba00 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307:16
    #34 0x7ffabcd4c82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #35 0x41d734 in _start (/home/forb1dden/Shared/Mozilla/builds/asan-debug/firefox+0x41d734)

Comment 1

[Bob Clary [:bc] (inactive)]

Editing the summary to help when searching. We've also seen this assertion in bug 1357869, reassigning to the same component. Bughunter has seen this on 19 urls.

Comment 2

[Bob Clary [:bc] (inactive)]

fyi, Bughunter is still seeing this assertion.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Doesn't reproduce with Stylo enabled, but does with it still. We can probably close this out once it's the default across the board.

Anyway, here's a regression range just for kicks.
INFO: Last good revision: 620f5ed5c91ec42874c6b725d8caddb713bbe022
INFO: First bad revision: bd7af7e530068aeebf1c357bfed8e8d4c43e2d05
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=620f5ed5c91ec42874c6b725d8caddb713bbe022&tochange=bd7af7e530068aeebf1c357bfed8e8d4c43e2d05

Comment 4

[Ryan VanderMeulen [:RyanVM]]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> but does with it still

And that should have been a without* of course.