Closed
Bug 1401992
Opened 7 years ago
Closed 7 years ago
stylo: Assertion failure: !mInStyleRefresh, at /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1228
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | + | fixed |
firefox58 | --- | fixed |
People
(Reporter: jkratzer, Assigned: bholley)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
650 bytes,
text/html
|
Details | |
95.67 KB,
text/plain
|
Details | |
2.01 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
226 bytes,
text/plain
|
Sylvestre
:
approval-mozilla-beta+
|
Details |
Testcase found while fuzzing mozilla-central rev 47f7b6c64265. Please note that this testcase must be served up by a web server in order to reproduce.
Flags: in-testsuite?
Reporter | ||
Comment 1•7 years ago
|
||
Assignee | ||
Updated•7 years ago
|
Priority: -- → P2
Summary: Assertion failure: !mInStyleRefresh, at /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1228 → stylo: Assertion failure: !mInStyleRefresh, at /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1228
Assignee | ||
Comment 2•7 years ago
|
||
This looks like anonymous content unbinding stuff, I suspect bug 1397983.
Flags: needinfo?(emilio)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → emilio
Assignee | ||
Comment 3•7 years ago
|
||
Requesting tracking on all outstanding p2 stylo bugs.
tracking-firefox57:
--- → ?
Comment 4•7 years ago
|
||
I haven't been able to repro this, neither loading the test-case from bugzilla, nor manually serving from python -m http.server. Also, I'm not sure how this is possible, given this UpdateFieldSet call[1] isn't supposed to notify. [1]: http://searchfox.org/mozilla-central/rev/15ce5cb2db0c85abbabe39a962b0e697c9ef098f/dom/html/nsGenericHTMLElement.cpp#1942
Comment 5•7 years ago
|
||
Any chance to get some help reproducing this?
Flags: needinfo?(emilio) → needinfo?(jkratzer)
Reporter | ||
Comment 6•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #5) > Any chance to get some help reproducing this? All of my testing was done on a linux64 system using the latest mc-debug build. I've just tested and confirmed that this reproduces using the default prefs. Also, as you mentioned, I'm starting a web server via python -m SimpleHTTPServer in the testcase directory and navigating to http://localhost:8000/trigger.html.
Flags: needinfo?(jkratzer)
Comment 7•7 years ago
|
||
Hmm, I was testing with https://hg.mozilla.org/mozilla-central/rev/47f7b6c64265bc7bdd22eef7ab71abc97cf3f8bf. Will update and see.
Comment 8•7 years ago
|
||
No luck either with https://hg.mozilla.org/mozilla-central/rev/2cd3752963fc8f24f7c202687eab55e83222f608...
Comment 9•7 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #6) > (In reply to Emilio Cobos Álvarez [:emilio] from comment #5) > > Any chance to get some help reproducing this? > > All of my testing was done on a linux64 system using the latest mc-debug > build. I've just tested and confirmed that this reproduces using the > default prefs. Also, as you mentioned, I'm starting a web server via python > -m SimpleHTTPServer in the testcase directory and navigating to > http://localhost:8000/trigger.html. I'm using linux64 too, and no extra prefs either (tried stylo disabled and enabled, just in case). Not sure what the difference could be.
Reporter | ||
Comment 10•7 years ago
|
||
I don't see why there would be a difference but have you tried a TC build? You can retrieve the latest using fuzzfetch: https://github.com/MozillaSecurity/fuzzfetch fuzzfetch -d
Assignee | ||
Comment 11•7 years ago
|
||
I can reproduce this. Emilio and I are discussing a fix. Thanks Jason!
Assignee | ||
Updated•7 years ago
|
Assignee: emilio → bobbyholley
Assignee | ||
Comment 12•7 years ago
|
||
MozReview-Commit-ID: DiywRognpqx
Attachment #8911318 -
Flags: review?(bzbarsky)
Comment 13•7 years ago
|
||
Comment on attachment 8911318 [details] [diff] [review] Don't cross anonymous boundaries when finding the fieldset. v1 Please add a crashtest? r=me
Attachment #8911318 -
Flags: review?(bzbarsky) → review+
Comment 14•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #13) > Comment on attachment 8911318 [details] [diff] [review] > Don't cross anonymous boundaries when finding the fieldset. v1 > > Please add a crashtest? r=me I think a reftest with fieldset:valid / :invalid would be even better, since that doesn't just test the assertion.
Comment 15•7 years ago
|
||
Yes, something along the lines of Emilio's testcase: <!doctype html> <style> video { width: 100px; height: 100px; border: 10px solid purple; } fieldset { border: 10px solid blue; } fieldset:valid { border-color: green; } fieldset:invalid { border-color: red; } </style> <fieldset><video onclick="this.currentTime = -128; this.controls = !this.controls;"></fieldset> would be good.
Updated•7 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 16•7 years ago
|
||
Yes, I have both a crashtest and a reftest, I just didn't upload them. Still fiddling with them a little bit to make them work for reasons unrelated to what's being tested.
Assignee | ||
Comment 17•7 years ago
|
||
I can't get the crashtest to work properly without triggering navigation, which seems to screw up the crashtest harness in the case where we don't crash. I'm going to call the reftest good enough here.
Assignee | ||
Comment 18•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=471f216d9e0910448227deb853d03f2249d6fb30
Comment 19•7 years ago
|
||
Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/581b6ab2826a Don't cross anonymous boundaries when finding the fieldset. r=bz https://hg.mozilla.org/integration/autoland/rev/5bfa23832767 Reftest. r=me
Comment 20•7 years ago
|
||
Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fdf60b8a81c5 Make the reftest less flakey. r=me
Updated•7 years ago
|
status-firefox55:
--- → unaffected
status-firefox56:
--- → unaffected
status-firefox57:
--- → affected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
Comment 21•7 years ago
|
||
Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4c191b4e631f Mark some tests as passing on android. r=me
Comment 22•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/581b6ab2826a https://hg.mozilla.org/mozilla-central/rev/5bfa23832767 https://hg.mozilla.org/mozilla-central/rev/fdf60b8a81c5 https://hg.mozilla.org/mozilla-central/rev/4c191b4e631f
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Comment 23•7 years ago
|
||
Please request Beta approval on this when you get a chance.
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 24•7 years ago
|
||
Approval Request Comment [Feature/Bug causing the regression]: Pre-existing, fuzz bug. [User impact if declined]: Potentially incorrect rendering, potential crashes. [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: No [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: None [Is the change risky?]: Not really. [Why is the change risky/not risky?]: Just adds a missing check of the sort that we have in other analogous code. The fact that it leads to various unexpected-passes on android is a good sign. [String changes made/needed]: None
Flags: needinfo?(bobbyholley)
Attachment #8911876 -
Flags: approval-mozilla-beta?
Updated•7 years ago
|
Comment 25•7 years ago
|
||
Comment on attachment 8911876 [details] revisions for uplift (same as comment 22) Fix a crash, taking it. Should be in 57b4
Attachment #8911876 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 26•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/e56ebf10a5bd https://hg.mozilla.org/releases/mozilla-beta/rev/c4a05a728f4c https://hg.mozilla.org/releases/mozilla-beta/rev/8f3ede266c83
Comment 27•7 years ago
|
||
(In reply to Bobby Holley (:bholley) (busy with Stylo) from comment #24) > [Is this code covered by automated tests?]: Yes > [Has the fix been verified in Nightly?]: No > [Needs manual test from QE? If yes, steps to reproduce]: No Setting qe-verify- based on Bobby 's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-
You need to log in
before you can comment on or make changes to this bug.
Description
•