Closed Bug 1395725 Opened 2 years ago Closed 2 years ago

stylo: Assertion failure: MayTraverseFrom(const_cast<Element*>(root))

Categories

(Core :: CSS Parsing and Computation, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla57
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- unaffected
firefox57 --- fixed

People

(Reporter: truber, Assigned: xidorn)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Attached file testcase.html
The attached testcase causes an assertion in m-c rev 20170831-fb22415719a9 with stylo enabled by pref.

Assertion failure: MayTraverseFrom(const_cast<Element*>(root)), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:898
#0 mozilla::ServoStyleSet::StyleDocument, at layout/style/ServoStyleSet.cpp:898
#1 mozilla::ServoRestyleManager::DoProcessPendingRestyles, at layout/base/ServoRestyleManager.cpp:1100
#2 mozilla::PresShell::DoFlushPendingNotifications, at layout/base/PresShell.cpp:4191
#3 nsRefreshDriver::Tick, at layout/base/nsRefreshDriver.cpp:1921
Flags: in-testsuite?
root is a <mathml>, and its parent is <area> which is display:none, and thus MayTraverseFrom returns false.
The restyle root is set from NoteDirtyElement in Element.cpp. There is an if-statement in that function that:
> if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
>   return;
> }

However, <area> element always has nsImageFrame as its primary frame when there is <img> element using the corresponding <map>, and thus this condition doesn't protect us from setting the invisible <mathml> as a restyle root.
Attached file simplified testcase
That said, majority of the code in the testcase isn't necessary to trigger this assertion.

What really important here is that, we have a valid <img> which uses a <map> which has <area>, and we dynamically insert a new element into the <area> element.
Assignee: nobody → xidorn+moz
Comment on attachment 8903453 [details]
Bug 1395725 - Don't add children of <area> as servo restyle root.

https://reviewboard.mozilla.org/r/175300/#review180434

::: dom/base/Element.cpp:4341
(Diff revision 1)
>  
>      // If the parent is styled but is display:none, we're done.
>      //
>      // We check for a frame to reduce the cases where we need the FFI call.
> -    if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
> +    // We need to additionally check that it is not an <area> element because
> +    // <area> may have primary frame from <img>, but itself is display:none.

Please mention bug 135040 so I don't forget to revert this when I get to finish it.
Attachment #8903453 - Flags: review?(emilio) → review+
Comment on attachment 8903453 [details]
Bug 1395725 - Don't add children of <area> as servo restyle root.

https://reviewboard.mozilla.org/r/175300/#review180558

::: dom/base/Element.cpp:4339
(Diff revision 1)
>      // We check for a frame to reduce the cases where we need the FFI call.
> -    if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
> +    // We need to additionally check that it is not an <area> element because
> +    // <area> may have primary frame from <img>, but itself is display:none.
> +    if ((!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) ||
> +        parent->IsHTMLElement(nsGkAtoms::area)) {
>        return;
>      }

Can you separate out the area check into a separate if (...) { return } below? I think it would make the code easier to follow.
Priority: -- → P2
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s 099a87c95a58 -d 512562477a1e: rebasing 417502:099a87c95a58 "Bug 1395725 - Don't add children of <area> as servo restyle root. r=emilio" (tip)
merging dom/base/Element.cpp
merging layout/style/crashtests/crashtests.list
warning: conflicts while merging layout/style/crashtests/crashtests.list! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/feec5f3a726c
Don't add children of <area> as servo restyle root. r=emilio
https://hg.mozilla.org/mozilla-central/rev/feec5f3a726c
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.