Closed Bug 1393840 Opened 8 years ago Closed 8 years ago

Assertion failure: mList.GetChildren()->GetTop()->GetType() == DisplayItemType::TYPE_TRANSFORM

Categories

(Core :: Web Painting, defect, P3)

defect

Tracking

VERIFIED FIXED
mozilla58
Tracking Status
firefox-esr52 57+ fixed
firefox56 --- wontfix
firefox57 + fixed
firefox58 + verified

People

(Reporter: jkratzer, Assigned: u459114)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [adv-main57+][adv-esr52.5+])

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170825-2306e153fba9.

Assertion failure: mList.GetChildren()->GetTop()->GetType() == DisplayItemType::TYPE_TRANSFORM, at /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8391
#01: nsIFrame::BuildDisplayListForStackingContext at layout/generic/nsFrame.cpp:2811
#02: nsLayoutUtils::PaintFrame at layout/painting/nsDisplayList.h:974
#03: GenerateAndPushTextMask at gfx/src/nsRegion.h:75
#04: nsDisplayBackgroundColor::Paint at layout/painting/nsDisplayList.cpp:4277
#05: mozilla::FrameLayerBuilder::PaintItems at layout/painting/FrameLayerBuilder.cpp:6074
#06: mozilla::FrameLayerBuilder::DrawPaintedLayer at layout/painting/FrameLayerBuilder.cpp:6250
#07: mozilla::layers::ClientPaintedLayer::PaintThebes at gfx/layers/client/ClientPaintedLayer.cpp:174
#08: mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback at gfx/src/nsRegion.h:75
#09: mozilla::layers::ClientContainerLayer::RenderLayer at gfx/layers/client/ClientContainerLayer.h:59
#10: mozilla::layers::ClientContainerLayer::RenderLayer at gfx/layers/client/ClientContainerLayer.h:59
#11: mozilla::layers::ClientContainerLayer::RenderLayer at gfx/layers/client/ClientContainerLayer.h:59
#12: mozilla::layers::ClientLayerManager::EndTransactionInternal at gfx/layers/client/ClientLayerManager.cpp:380
#13: mozilla::layers::ClientLayerManager::EndTransaction at gfx/layers/client/ClientLayerManager.cpp:439
#14: nsDisplayList::PaintRoot at layout/painting/nsDisplayList.cpp:2343
#15: nsLayoutUtils::PaintFrame at mfbt/RefPtr.h:129
#16: mozilla::PresShell::Paint at layout/base/PresShell.cpp:6446
#17: nsViewManager::ProcessPendingUpdatesPaint at gfx/src/nsRegion.h:75
#18: nsViewManager::ProcessPendingUpdatesForView at view/nsViewManager.cpp:408
#19: nsViewManager::ProcessPendingUpdates at view/nsViewManager.cpp:1090
#20: nsRefreshDriver::Tick at layout/base/nsRefreshDriver.cpp:2081
Flags: in-testsuite?
Priority: -- → P3
Matt: Is this assert innocuous in this case?
Component: Layout: View Rendering → Layout: Web Painting
Flags: needinfo?(matt.woodrow)
It's probably a security issue! We static cast the item to nsDisplayItem, and if this assert is firing, it seems like we'll likely be doing an invalid cast.
Group: core-security
Flags: needinfo?(matt.woodrow)
Group: core-security → layout-core-security
Keywords: sec-high
I can't reproduce this locally. Did you have any other prefs set?
Attached file prefs-default.js
I've attached the prefs that I used to reproduce this issue. Please note that I was just able to verify that this still triggers on mc-debug rev 946b9c995ec3.
I still can't reproduce this unfortunately. My guess is that it's to do with this code: http://searchfox.org/mozilla-central/source/layout/generic/nsFrame.cpp#2806 We skip creating the nsDisplayTransform when building a displaylist for background-clip:text, but we still build the perspective item. Perspective expects to be wrapped around a transform, so we'd hit this assertion. CJ: Why don't we build the transforms here? Should we skip the perspective too?
Flags: needinfo?(cku)
Assignee: nobody → cku
Flags: needinfo?(cku)
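The two comments above describe the hazard in general terms: the perspective item assumes the top of its child list is a transform item, the assertion is the only thing checking that assumption, and the code then static_casts on that assumption, so a build path that omits the transform (the background-clip:text path) turns a debug assertion into an invalid cast in a build without assertions. The following is an added illustration, not Gecko code: every name in it (DisplayItem, DisplayTransform, DisplayBackground, DisplayPerspective, BuildPerspectiveList, ReadTransformTrace, InvariantHolds) is a hypothetical, simplified stand-in. It models both build paths and shows the defensive alternative, a checked accessor that consults the type tag before the downcast so the broken invariant becomes a handled case rather than a type confusion.

```cpp
// Added illustration (not Gecko's code): an unchecked downcast on a display item
// whose type is only assumed is a type-confusion hazard; a checked accessor
// turns the violated invariant into a handled case instead of a bad cast.
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>

// Hypothetical, simplified stand-ins for nsDisplayItem and its subclasses.
enum class DisplayItemType : uint8_t { Background, Transform, Perspective };

struct DisplayItem {
  explicit DisplayItem(DisplayItemType t) : mType(t) {}
  virtual ~DisplayItem() = default;
  DisplayItemType GetType() const { return mType; }
 private:
  DisplayItemType mType;
};

// A transform item carries a 4x4 matrix that the perspective code wants to read.
struct DisplayTransform final : DisplayItem {
  DisplayTransform() : DisplayItem(DisplayItemType::Transform) {}
  float mMatrix[16] = {1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1};
};

// A background item is a different, much smaller object; reading it as a
// DisplayTransform would read past its end.
struct DisplayBackground final : DisplayItem {
  DisplayBackground() : DisplayItem(DisplayItemType::Background) {}
  uint32_t mColor = 0xffffffffu;
};

// The perspective item owns a child list whose top is expected to be a transform.
struct DisplayPerspective final : DisplayItem {
  DisplayPerspective() : DisplayItem(DisplayItemType::Perspective) {}
  std::vector<std::unique_ptr<DisplayItem>> mChildren;

  DisplayItem* GetTop() const {
    return mChildren.empty() ? nullptr : mChildren.back().get();
  }

  // Checked accessor: the type tag is consulted before the downcast, so a list
  // whose top child is not a transform yields nullptr instead of a bogus pointer.
  DisplayTransform* TopAsTransform() const {
    DisplayItem* top = GetTop();
    if (!top || top->GetType() != DisplayItemType::Transform) {
      return nullptr;
    }
    return static_cast<DisplayTransform*>(top);
  }
};

// Models the two build paths the comments describe: normal rendering pushes a
// transform item on top before the perspective item is used; the
// background-clip:text path (skipTransform == true) omits the transform but
// still emits the perspective item, so the invariant no longer holds.
std::unique_ptr<DisplayPerspective> BuildPerspectiveList(bool skipTransform) {
  auto perspective = std::make_unique<DisplayPerspective>();
  perspective->mChildren.push_back(std::make_unique<DisplayBackground>());
  if (!skipTransform) {
    perspective->mChildren.push_back(std::make_unique<DisplayTransform>());
  }
  return perspective;
}

// True when the invariant the reported assertion checks actually holds.
bool InvariantHolds(const DisplayPerspective& perspective) {
  const DisplayItem* top = perspective.GetTop();
  return top && top->GetType() == DisplayItemType::Transform;
}

// Stand-in for the painting code that reads the transform's matrix, written
// against the checked accessor: returns the matrix trace (4 for the identity),
// or nullopt when no transform is on top instead of reading a foreign object.
std::optional<float> ReadTransformTrace(const DisplayPerspective& perspective) {
  const DisplayTransform* t = perspective.TopAsTransform();
  if (!t) {
    return std::nullopt;
  }
  float trace = 0.0f;
  for (int i = 0; i < 4; ++i) {
    trace += t->mMatrix[i * 5];  // diagonal entries of the row-major 4x4 matrix
  }
  return trace;
}

int main() {
  auto normal = BuildPerspectiveList(false);   // top child is a transform
  auto clipText = BuildPerspectiveList(true);  // top child is a background item
  bool ok = ReadTransformTrace(*normal) == 4.0f && !ReadTransformTrace(*clipText);
  return ok ? 0 : 1;
}
```

The point of the model is the contrast between the two paths: with the normal list the checked read returns the identity's trace, with the background-clip:text list it returns nothing, whereas an unchecked static_cast in the same place would have handed the matrix reader a pointer to a background item. In real code the same type-tag check belongs wherever a build path can legitimately produce a list that differs from the one the consumer was written for; a debug assertion alone documents the invariant but does not enforce it in the builds that ship.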
The patch in bug 1343147 can also fix this bug.
Calling this fixed based on comment 6. I've poked Ritu in bug 1343147 about the wontfix decision since this is rated sec-high. We should probably nominate that for ESR52 approval as well since bug 1299715 goes back that far AFAICT.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(cku)
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Group: layout-core-security → core-security-release
I was able to verify with mozregression that bug 1343147 fixed this on trunk (easily reproducible). For whatever reason, I haven't been able to make Beta hit the assertion using the same STR, though.
Status: RESOLVED → VERIFIED
Please request uplift in 1343147 to esr52.
Flags: needinfo?(cku)
The fix for this for ESR is landing in bug 1343147.
Whiteboard: [adv-main57+][adv-esr52.5+]
Group: core-security-release