Closed
Bug 1375858
Opened 7 years ago
Closed 7 years ago
Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332
Categories
(Core :: Web Painting, defect)
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | wontfix |
firefox57 | --- | wontfix |
firefox58 | --- | fixed |
People
(Reporter: jkratzer, Assigned: mattwoodrow)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase)
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381. Assertion failure: frame == aAncestor, at /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332 ASAN:DEADLYSIGNAL ================================================================= ==11074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9a4d57713b bp 0x7ffd569cc440 sp 0x7ffd569cc420 T0) ==11074==The signal is caused by a WRITE memory access. ==11074==Hint: address points to the zero page. #0 0x7f9a4d57713a in FrameParticipatesIn3DContext(nsIFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2332:3 #1 0x7f9a4d53be82 in ItemParticipatesIn3DContext(nsIFrame*, nsDisplayItem*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2350:10 #2 0x7f9a4d53a80b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2758:11 #3 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12 #4 0x7f9a4d4e8edc in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6654:13 #5 0x7f9a4d4e7b23 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6746:7 #6 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5 #7 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12 #8 0x7f9a4d4fbd3f in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:590:5 #9 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14 #10 0x7f9a4d5b2be8 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3508:15 #11 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14 #12 0x7f9a4d4a9a25 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:65:5 #13 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5 #14 0x7f9a4d662ee1 in nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:466:9 #15 0x7f9a4d53a1d9 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2593:5 #16 0x7f9a4d4aa79c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3192:12 #17 0x7f9a4d84d78a in nsStackFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsStackFrame.cpp:59:5 #18 0x7f9a4d7f6002 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1356:3 #19 0x7f9a4d4aad2c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:3243:14 #20 0x7f9a4d7f64a7 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1396:5
Flags: in-testsuite?
Updated•7 years ago
|
Component: Layout: HTML Frames → Layout: Web Painting
Comment 1•7 years ago
|
||
INFO: Last good revision: 958d2a5d10091401fd5e900e8e063d21940c137e INFO: First bad revision: 7f894f791cdf170d788507d0eff30024ce699523 INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=958d2a5d10091401fd5e900e8e063d21940c137e&tochange=7f894f791cdf170d788507d0eff30024ce699523 Bug 1359709 seems likely?
Blocks: 1359709
Has Regression Range: --- → yes
status-firefox56:
--- → wontfix
status-firefox57:
--- → wontfix
status-firefox58:
--- → fix-optional
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(matt.woodrow)
Version: unspecified → 56 Branch
Assignee | ||
Comment 2•7 years ago
|
||
It looks like we're allowing the transform-style:preserve-3d property to be set on both the nsBlockFrame for the <li>, as well as the -moz-bullet-list pseudo element. Bug 1359709 switched us to using GetFlattenedTreeParent, which assumes that we can only have one transform property per Element, and this has two, so it's getting confused. Should we be blocking transform-style on pseudo elements? Or do we actually want to support the pseudo having a transform on top of the base one? I think the spec only talks about transforms on elements, so doesn't cover this.
Flags: needinfo?(matt.woodrow) → needinfo?(dbaron)
So ::-moz-list-bullet should be thought of as similar to marker, to which transforms don't apply, per: https://drafts.csswg.org/css-pseudo/#marker-pseudo However, I believe that "Applies to: all elements" means that the property applies to all elements and to the ::before and ::after pseudo-elements, so I think the code should be able to deal with this being set on ::before or ::after. (I can't find the spec text for that, though, but I think it's the way things work...)
Flags: needinfo?(dbaron)
Assignee | ||
Comment 4•7 years ago
|
||
So it sounds like there are two bugs here: * The -moz-list-bullet frame is getting transforms applied, and it shouldn't. I guess we should make IsFrameOfType(eSupportsCSSTransforms) return false for this. * When finding the ancestor frame to check if we're preserving 3d, we need to find the nearest ancestor that belong to a different 'element', including pseudo-elements. It sounds like GetFlattenedTreeParent isn't the right thing for that.
Assignee | ||
Comment 5•7 years ago
|
||
Assignee: nobody → matt.woodrow
Attachment #8917583 -
Flags: review?(dbaron)
Comment on attachment 8917583 [details] [diff] [review] Disallow transforms for nsBulletFrame r=dbaron, I guess, although this feels like the sort of thing that ought to be fixed more generally. (Maybe relatively few of our pseudos are web-exposed, though...) If you let this bug close, make sure to file a bug on the other half of the problem, though.
Attachment #8917583 -
Flags: review?(dbaron) → review+
Assignee | ||
Comment 7•7 years ago
|
||
I actually think the second case isn't a bug, because ::before/::after pseudo elements get their own DOM element, so GetFlattenedTreeParent works correctly. Attached a testcase showing preserve-3d working correctly on the ::after Element.
Pushed by mwoodrow@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e7a617e26b96 Don't allow nsBulletFrame to be transformed. r=dbaron
Comment 9•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/e7a617e26b96
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•