Closed Bug 1366142 Opened 7 years ago Closed 7 years ago

stylo: Crash while clicking a line on waaark.com: Assertion failure: aFrame || (aHint & nsChangeHint_ReconstructFrame)

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: shinglyu, Assigned: emilio)

References

Details

(Keywords: assertion, crash)

Attachments

(2 files)

crash.log
729.41 KB, text/plain
Details
Bug 1366142: Ignore reentrant change hints without primary frame.
59 bytes, text/x-review-board-request
heycam
: review+
Details
Attached file crash.log 
STR:
* Open http://waaark.com/
* Click on the "works" link

Expected
* Navigates to http://waaark.com/works/

Actual
* Crashed

Notes:
* If we open http://waaark.com/works/ directly, it will not crash, so probably due to some animation/transition after the link was clicked
Comment on attachment 8869299 [details]
crash.log

>Assertion failure: aFrame || (aHint & nsChangeHint_ReconstructFrame) (must have frame), at /home/shinglyu/workspace/stylo/mozilla-central-2/layout/base/nsStyleChangeList.cpp:20
>#01: ???[/home/shinglyu/workspace/stylo/mozilla-central-2/stylo-icecc/dist/bin/libxul.so +0x5217e4f]

I saw this assertion before.
And if I remember correctly the target content was SVGPathElement.
Attachment #8869299 - Attachment mime type: text/x-log → text/plain
Blocks: stylo-nightly
No longer blocks: stylo
Keywords: assertion, crash
Priority: -- → P2
Summary: stylo: Crash while clicking a line on waaark.com → stylo: Crash while clicking a line on waaark.com: Assertion failure: aFrame || (aHint & nsChangeHint_ReconstructFrame)
Yes, this is when getting reentrant changes to a pre-existing content. In this case to an SVG element.

The hint in this case is nsChangeHint_InvalidateRenderingObservers.

In any case, what's happening is that when invalidating SVG elements, we post change hints from change hint processing, and either assume that the frames are there (which isn't true because some hints are posted from DestroyFrame).

I think Gecko just ignores these hints (in the sense that Gecko will never find the frame while restyling).

We should probably do the same.
Assigning to Emilio because he submitted a patch.
Assignee: nobody → emilio+bugs
Priority: P2 → P1
(In reply to Emilio Cobos Álvarez [:emilio] from comment #2)
> I think Gecko just ignores these hints (in the sense that Gecko will never
> find the frame while restyling).

By this do you mean that we'll be traversing the frame tree to do restyling, and because the target frame is now gone, we'll never pick out the change hint from the table?  Sounds plausible.
Comment on attachment 8869703 [details]
Bug 1366142: Ignore reentrant change hints without primary frame.

https://reviewboard.mozilla.org/r/141288/#review144896
Attachment #8869703 - Flags: review?(cam) → review+
(In reply to Cameron McCormack (:heycam) from comment #5)
> (In reply to Emilio Cobos Álvarez [:emilio] from comment #2)
> > I think Gecko just ignores these hints (in the sense that Gecko will never
> > find the frame while restyling).
> 
> By this do you mean that we'll be traversing the frame tree to do restyling,
> and because the target frame is now gone, we'll never pick out the change
> hint from the table?  Sounds plausible.

Yes, I meant exactly that, thanks for rewording it :)
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/0665f9f01eb2
Ignore reentrant change hints without primary frame. r=heycam
https://hg.mozilla.org/mozilla-central/rev/0665f9f01eb2
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: