Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332

RESOLVED FIXED in Firefox 58

Status

()

RESOLVED FIXED
a year ago
a year ago

People

(Reporter: jkratzer, Assigned: mattwoodrow)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

56 Branch
mozilla58
assertion, crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox56 wontfix, firefox57 wontfix, firefox58 fixed)

Details

Attachments

(3 attachments)

(Reporter)

Description

a year ago
Created attachment 8880822 [details]
trigger.html

Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.

Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332

ASAN:DEADLYSIGNAL
=================================================================
==11074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9a4d57713b bp 0x7ffd569cc440 sp 0x7ffd569cc420 T0)
==11074==The signal is caused by a WRITE memory access.
==11074==Hint: address points to the zero page.
    #0 0x7f9a4d57713a in FrameParticipatesIn3DContext(nsIFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332:3
    #1 0x7f9a4d53be82 in ItemParticipatesIn3DContext(nsIFrame*, nsDisplayItem*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2350:10
    #2 0x7f9a4d53a80b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2758:11
    #3 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #4 0x7f9a4d4e8edc in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6654:13
    #5 0x7f9a4d4e7b23 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6746:7
    #6 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #7 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #8 0x7f9a4d4fbd3f in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:590:5
    #9 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #10 0x7f9a4d5b2be8 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3508:15
    #11 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #12 0x7f9a4d4a9a25 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:65:5
    #13 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #14 0x7f9a4d662ee1 in nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:466:9
    #15 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5
    #16 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12
    #17 0x7f9a4d84d78a in nsStackFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsStackFrame.cpp:59:5
    #18 0x7f9a4d7f6002 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1356:3
    #19 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14
    #20 0x7f9a4d7f64a7 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1396:5
Flags: in-testsuite?
Component: Layout: HTML Frames → Layout: Web Painting
INFO: Last good revision: 958d2a5d10091401fd5e900e8e063d21940c137e
INFO: First bad revision: 7f894f791cdf170d788507d0eff30024ce699523
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=958d2a5d10091401fd5e900e8e063d21940c137e&tochange=7f894f791cdf170d788507d0eff30024ce699523

Bug 1359709 seems likely?
Blocks: 1359709
Has Regression Range: --- → yes
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → unaffected
Flags: needinfo?(matt.woodrow)
Version: unspecified → 56 Branch
(Assignee)

Comment 2

a year ago
It looks like we're allowing the transform-style:preserve-3d property to be set on both the nsBlockFrame for the <li>, as well as the -moz-bullet-list pseudo element.

Bug 1359709 switched us to using GetFlattenedTreeParent, which assumes that we can only have one transform property per Element, and this has two, so it's getting confused.

Should we be blocking transform-style on pseudo elements? Or do we actually want to support the pseudo having a transform on top of the base one?

I think the spec only talks about transforms on elements, so doesn't cover this.
Flags: needinfo?(matt.woodrow) → needinfo?(dbaron)
So ::-moz-list-bullet should be thought of as similar to marker, to which transforms don't apply, per:
https://drafts.csswg.org/css-pseudo/#marker-pseudo

However, I believe that "Applies to: all elements" means that the property applies to all elements and to the ::before and ::after pseudo-elements, so I think the code should be able to deal with this being set on ::before or ::after.  (I can't find the spec text for that, though, but I think it's the way things work...)
Flags: needinfo?(dbaron)
(Assignee)

Comment 4

a year ago
So it sounds like there are two bugs here:

* The -moz-list-bullet frame is getting transforms applied, and it shouldn't. I guess we should make IsFrameOfType(eSupportsCSSTransforms) return false for this.

* When finding the ancestor frame to check if we're preserving 3d, we need to find the nearest ancestor that belong to a different 'element', including pseudo-elements. It sounds like GetFlattenedTreeParent isn't the right thing for that.
(Assignee)

Comment 5

a year ago
Created attachment 8917583 [details] [diff] [review]
Disallow transforms for nsBulletFrame
Assignee: nobody → matt.woodrow
Attachment #8917583 - Flags: review?(dbaron)
Comment on attachment 8917583 [details] [diff] [review]
Disallow transforms for nsBulletFrame

r=dbaron, I guess, although this feels like the sort of thing that ought to be fixed more generally.  (Maybe relatively few of our pseudos are web-exposed, though...)

If you let this bug close, make sure to file a bug on the other half of the problem, though.
Attachment #8917583 - Flags: review?(dbaron) → review+
(Assignee)

Comment 7

a year ago
Created attachment 8919498 [details]
preserve3d-pseudo.html

I actually think the second case isn't a bug, because ::before/::after pseudo elements get their own DOM element, so GetFlattenedTreeParent works correctly.

Attached a testcase showing preserve-3d working correctly on the ::after Element.

Comment 8

a year ago
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e7a617e26b96
Don't allow nsBulletFrame to be transformed. r=dbaron
https://hg.mozilla.org/mozilla-central/rev/e7a617e26b96
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox58: fix-optional → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.