Closed Bug 1375858 Opened 2 years ago Closed 2 years ago

Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332

Categories

(Core :: Web Painting, defect)

56 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: jkratzer, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.

Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332

ASAN:DEADLYSIGNAL
=================================================================
==11074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9a4d57713b bp 0x7ffd569cc440 sp 0x7ffd569cc420 T0)
==11074==The signal is caused by a WRITE memory access.
==11074==Hint: address points to the zero page.
    #0 0x7f9a4d57713a in FrameParticipatesIn3DContext(nsIFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332:3
    #1 0x7f9a4d53be82 in ItemParticipatesIn3DContext(nsIFrame*, nsDisplayItem*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2350:10
    #2 0x7f9a4d53a80b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2758:11
    #3 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #4 0x7f9a4d4e8edc in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6654:13
    #5 0x7f9a4d4e7b23 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6746:7
    #6 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #7 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #8 0x7f9a4d4fbd3f in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:590:5
    #9 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #10 0x7f9a4d5b2be8 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3508:15
    #11 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #12 0x7f9a4d4a9a25 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:65:5
    #13 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #14 0x7f9a4d662ee1 in nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:466:9
    #15 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #16 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #17 0x7f9a4d84d78a in nsStackFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsStackFrame.cpp:59:5
    #18 0x7f9a4d7f6002 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1356:3
    #19 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #20 0x7f9a4d7f64a7 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1396:5
Flags: in-testsuite?
Component: Layout: HTML Frames → Layout: Web Painting
INFO: Last good revision: 958d2a5d10091401fd5e900e8e063d21940c137e
INFO: First bad revision: 7f894f791cdf170d788507d0eff30024ce699523
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=958d2a5d10091401fd5e900e8e063d21940c137e&tochange=7f894f791cdf170d788507d0eff30024ce699523

Bug 1359709 seems likely?
Blocks: 1359709
Has Regression Range: --- → yes
Flags: needinfo?(matt.woodrow)
Version: unspecified → 56 Branch
It looks like we're allowing the transform-style:preserve-3d property to be set on both the nsBlockFrame for the <li>, as well as the -moz-bullet-list pseudo element.

Bug 1359709 switched us to using GetFlattenedTreeParent, which assumes that we can only have one transform property per Element, and this has two, so it's getting confused.

Should we be blocking transform-style on pseudo elements? Or do we actually want to support the pseudo having a transform on top of the base one?

I think the spec only talks about transforms on elements, so doesn't cover this.
Flags: needinfo?(matt.woodrow) → needinfo?(dbaron)
So ::-moz-list-bullet should be thought of as similar to marker, to which transforms don't apply, per:
https://drafts.csswg.org/css-pseudo/#marker-pseudo

However, I believe that "Applies to: all elements" means that the property applies to all elements and to the ::before and ::after pseudo-elements, so I think the code should be able to deal with this being set on ::before or ::after.  (I can't find the spec text for that, though, but I think it's the way things work...)
Flags: needinfo?(dbaron)
So it sounds like there are two bugs here:

* The -moz-list-bullet frame is getting transforms applied, and it shouldn't. I guess we should make IsFrameOfType(eSupportsCSSTransforms) return false for this.

* When finding the ancestor frame to check if we're preserving 3d, we need to find the nearest ancestor that belong to a different 'element', including pseudo-elements. It sounds like GetFlattenedTreeParent isn't the right thing for that.
Assignee: nobody → matt.woodrow
Attachment #8917583 - Flags: review?(dbaron)
Comment on attachment 8917583 [details] [diff] [review]
Disallow transforms for nsBulletFrame

r=dbaron, I guess, although this feels like the sort of thing that ought to be fixed more generally.  (Maybe relatively few of our pseudos are web-exposed, though...)

If you let this bug close, make sure to file a bug on the other half of the problem, though.
Attachment #8917583 - Flags: review?(dbaron) → review+
Attached file preserve3d-pseudo.html
I actually think the second case isn't a bug, because ::before/::after pseudo elements get their own DOM element, so GetFlattenedTreeParent works correctly.

Attached a testcase showing preserve-3d working correctly on the ::after Element.
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e7a617e26b96
Don't allow nsBulletFrame to be transformed. r=dbaron
https://hg.mozilla.org/mozilla-central/rev/e7a617e26b96
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.