1409183 - stylo: Assertion failure: !mInStyleRefresh in [@ mozilla::ServoRestyleManager::ContentStateChanged]

Status: RESOLVED FIXED

(Core :: CSS Parsing and Computation, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: test_case.html

Assertion failure: !mInStyleRefresh, at /src/layout/base/ServoRestyleManager.cpp:1253

#0 mozilla::ServoRestyleManager::ContentStateChanged(nsIContent*, mozilla::EventStates) /src/layout/base/ServoRestyleManager.cpp:1253:3
#1 mozilla::PresShell::ContentStateChanged(nsIDocument*, nsIContent*, mozilla::EventStates) /src/layout/base/PresShell.cpp:4255:37
#2 nsDocument::ContentStateChanged(nsIContent*, mozilla::EventStates) /src/dom/base/nsDocument.cpp:5708:3
#3 mozilla::dom::Element::UpdateState(bool) /src/dom/base/Element.cpp:273:14
#4 mozilla::dom::HTMLInputElement::SetCheckedInternal(bool, bool) /src/dom/html/HTMLInputElement.cpp:3344:3
#5 mozilla::dom::HTMLInputElement::RadioSetChecked(bool) /src/dom/html/HTMLInputElement.cpp:3234:9
#6 mozilla::dom::HTMLInputElement::AddedToRadioGroup() /src/dom/html/HTMLInputElement.cpp:6749:5
#7 mozilla::dom::HTMLInputElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/html/HTMLInputElement.cpp:4846:5
#8 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/base/Element.cpp:1710:17
#9 nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/html/nsGenericHTMLElement.cpp:482:43
#10 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/base/Element.cpp:1710:17
#11 nsSVGElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/svg/nsSVGElement.cpp:268:35
#12 mozilla::dom::SVGTitleElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/svg/SVGTitleElement.cpp:82:38
#13 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/base/Element.cpp:1710:17
#14 nsSVGElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/svg/nsSVGElement.cpp:268:35
#15 mozilla::dom::SVGSVGElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /src/dom/svg/SVGSVGElement.cpp:515:37
#16 nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /src/layout/base/nsCSSFrameConstructor.cpp:4395:19
#17 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp:11288:3
#18 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:4206:9
#19 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:6411:3
#20 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:11060:5
#21 nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /src/layout/base/nsCSSFrameConstructor.cpp:8434:3
#22 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /src/layout/base/nsCSSFrameConstructor.cpp:10096:9
#23 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1513:25
#24 mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1158:9
#25 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4146:41
#26 nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1926:18
#27 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:307:7
#28 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5
#29 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:770:5
#30 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:683:35
#31 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:529:20
#32 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
#33 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:524:10
#34 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
#35 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10
#36 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3
#37 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
#38 nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
#39 XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4694:22
#40 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4856:8
#41 XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4951:21
#42 do_main(int, char**, char**) /src/browser/app/nsBrowserApp.cpp:231:22
#43 main /src/browser/app/nsBrowserApp.cpp:304:16
#44 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#45 _start (firefox+0x41ebe4)

Comment 1

[Hiroyuki Ikezoe (:hiro)]

Similar to bug 1404180.

Comment 2

[Cameron McCormack (:heycam)]

Indeed, is does look similar.  This time associating with a radio group across the SVG <use> element shadow boundary.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: aab0dfdae32f14246e3bed8824a5f7ce309276cd
INFO: First bad revision: 3e6477d932037d6026ac13bd8c988dc0a51935d4
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aab0dfdae32f14246e3bed8824a5f7ce309276cd&tochange=3e6477d932037d6026ac13bd8c988dc0a51935d4

Comment 4

[Phabricator Automation]

Attachment: Bug 1409183: Don't consider anonymous checkboxes as part of the document radio group. r=smaug

Comment 5

[Emilio Cobos Álvarez (:emilio)]

Probably we should switch <svg:use> to Shadow DOM...

Comment 6

[Phabricator Automation]

Comment on attachment 8959649 [details]
Bug 1409183: Don't consider anonymous checkboxes as part of the document radio group. r=smaug

Olli Pettay [:smaug] has approved the revision.

https://phabricator.services.mozilla.com/D741

Comment 7

[Pulsebot]

Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f930f3eafde5
Don't consider anonymous checkboxes as part of the document radio group. r=smaug

Comment 8

[Andrei Ciure[:aciure]]

https://hg.mozilla.org/mozilla-central/rev/f930f3eafde5

Comment 9

[Chris Peterson [:cpeterson]]

Emilio, should we uplift this fix to Beta 60? Or is this a fuzzing corner case that is unlikely to affect web content?

Comment 10

[Emilio Cobos Álvarez (:emilio)]

I think it's very hard to hit this, you need a checkbox in an <svg:use> subtree... It can be a footgun though, so given I don't think it's very risky, and there's still time, I think we can try to uplift it, your call.

We've shipped this since forever btw, the bug blocked only added the assertion.

Comment 11

[Chris Peterson [:cpeterson]]

(In reply to Emilio Cobos Álvarez [:emilio] from comment #10)
> We've shipped this since forever btw, the bug blocked only added the
> assertion.

Sounds like there's no need to rush this then.

firefox60=wontfix