Closed
Bug 1367413
Opened 8 years ago
Closed 8 years ago
Assertion failure: kidOverflowBEnd >= kidBEnd, at /mozilla/builds/nightly/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:154
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | fixed |
People
(Reporter: bc, Assigned: dbaron)
References
()
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files)
1. https://www.tumblr.com/search/jody%20comer
2. Assertion failure: kidOverflowBEnd >= kidBEnd, at /home/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:154
This reproduces on Fedora 25 x86_64. We've seen this on about 133 urls since this assertion landed in bug 1365449 though Windows is the most common occurrence. Urls on https://ok.ru/ are fairly common.
Reproduced locally with a build from https://hg.mozilla.org/mzilla-central/rev/96e18bec9fc8a5ce623c16167c12756bbe190d73
Thread 0 (crashed)
0 libxul.so!nsAbsoluteContainingBlock::Reflow [nsAbsoluteContainingBlock.cpp:6dfa56094f0c : 154 + 0x18]
Comment 1•8 years ago
|
||
Comment 2•8 years ago
|
||
|kidOverflowBEnd| comes from GetScrollableOverflowRectRelativeToParent():
http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/layout/generic/nsAbsoluteContainingBlock.cpp#152
which is just GetScrollableOverflowRect() translated to the parent's coordinates.
So I think the invariant doesn't hold, as explained in:
http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/layout/generic/nsIFrame.h#3019-3022
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox55:
--- → affected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(dbaron)
Keywords: regression,
testcase
OS: Unspecified → All
Hardware: Unspecified → All
Version: 53 Branch → 55 Branch
Assignee | ||
Comment 3•8 years ago
|
||
OK, I guess we need to use the version that ignores transforms, and then manually convert to the parent's coordinate space.
Assignee | ||
Comment 4•8 years ago
|
||
Mats's testcase also doesn't hit the assertion for me until I resize the window, so I'll need to modify it a drop to make it a crashtest.
Flags: needinfo?(dbaron)
Assignee | ||
Comment 5•8 years ago
|
||
I confirmed that the test crashes in the crashtest harness without the
patch (although the harness doesn't exit!), whereas it passes with the
patch.
MozReview-Commit-ID: 37S6i1kvw37
Attachment #8870974 -
Flags: review?(mats)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•8 years ago
|
||
Updated•8 years ago
|
Attachment #8870974 -
Flags: review?(mats) → review+
Assignee | ||
Comment 7•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e6bf2e19464cd774d46d243c82a64fa1b05056c8
Bug 1367413 - Fix assertion that can occur when paginating abs-pos elements with a transform. r=mats
Comment 8•8 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in
before you can comment on or make changes to this bug.
Description
•