Closed Bug 1422908 Opened 7 years ago Closed 4 years ago

Assertion failure: false (item should have finite clip with respect to aASR), at /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3086

Categories

(Core :: Web Painting, defect, P3)

Product:
Core
Component:
Web Painting
Version:
52 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fixed

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])

Attachments

(4 files)

trigger.html
195 bytes, text/html
Details
frame-tree.txt
7.50 KB, text/plain
Details
Bug 1422908 - Use fieldset frame itself as the aPositionedFrame argument on PushAbsoluteContainingBlock.
47 bytes, text/x-phabricator-request
Details | Review
additional reftest
2.92 KB, patch
Details | Diff | Splinter Review
Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 785572419acc. OS|Linux|0.0.0 Linux 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|nsDisplayItem::GetClipWithRespectToASR|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|3086|0x0 0|1|libxul.so|nsDisplayList::GetClippedBoundsWithRespectToASR|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|2270|0x16 0|2|libxul.so|nsDisplayWrapList::UpdateBounds|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.h:785572419acc|4709|0x19 0|3|libxul.so|nsDisplayWrapList::nsDisplayWrapList|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|6155|0xb 0|4|libxul.so|nsDisplayTransform::nsDisplayTransform|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.h:785572419acc|5766|0x5 0|5|libxul.so|WrapSeparatorTransform|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|2594|0xe 0|6|libxul.so|nsIFrame::BuildDisplayListForStackingContext|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3242|0x22 0|7|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3680|0x19 0|8|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|9|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|10|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|11|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|12|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|13|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|14|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|15|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|16|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|17|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|18|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|19|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|20|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|21|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|22|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|23|libxul.so|nsCanvasFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:785572419acc|605|0x1c 0|24|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|25|libxul.so|mozilla::ScrollFrameHelper::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:785572419acc|3583|0x1a 0|26|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|27|libxul.so|mozilla::ViewportFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:785572419acc|66|0x11 0|28|libxul.so|nsIFrame::BuildDisplayListForStackingContext|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|2976|0x17 0|29|libxul.so|nsLayoutUtils::PaintFrame|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:785572419acc|3887|0x18 0|30|libxul.so|mozilla::PresShell::Paint|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:785572419acc|6488|0x17 0|31|libxul.so|nsViewManager::ProcessPendingUpdatesPaint|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|480|0x12 0|32|libxul.so|nsViewManager::ProcessPendingUpdatesForView|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|412|0xd 0|33|libxul.so|nsViewManager::ProcessPendingUpdates|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|1102|0x11 0|34|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|2027|0x8 0|35|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|306|0xf 0|36|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|328|0x12 0|37|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|769|0x5 0|38|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|583|0xc 0|39|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:785572419acc|68|0x9 0|40|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:06086093ccb59dd5a99cf8c9f9fb7f4860fd8ddbfd516af5e5b3508be62029679421dcf2abdf6b1c945b6a054050bd403c9574aad49f857cb4a31d3f4cf56b9a/ipc/ipdl/PVsyncChild.cpp:|155|0xf 0|41|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|2110|0x6 0|42|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|2040|0xb 0|43|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|1886|0xb 0|44|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|1919|0xc 0|45|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:785572419acc|1033|0x15
Flags: in-testsuite?
Priority: -- → P1
Priority: P1 → P3
Component: Layout: View Rendering → Layout: Web Painting
bughunter can reproduce on windows/linux with https://www.cbr.com/flash-catch-me-if-you-can/2/ and 12 other urls many from cbr.com.
See Also: → 1498873

The fuzzers have been hitting this regularly for a while now and it would be great to get it out of the way.

A Pernosco session is available here: https://pernos.co/debug/-DIK4LWw5GfaV1XvKCdeQw/index.html

status-firefox68: affectedwontfix
status-firefox70: affectedwontfix
status-firefox72: --- → wontfix
status-firefox73: --- → affected
status-firefox74: --- → affected
Whiteboard: [fuzzblocker]

No sense trying to bisect this since it is more than a year old.

Matt is there someone that could take a look at this? It has been around for a long time and the fuzzer are tripping over it[1]. If it is benign could we just remove the assertion or make it a warning?

[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/#fuzz-blockers

Flags: needinfo?(matt.woodrow)
Keywords: bugmon
Attached file frame-tree.txt

transform-style:preserve-3d is supposed to create a containing block for fixed children, and it doesn't look like that's happening here, due to the interaction between <fieldset> and columns.

It appears that when we construct the FieldsetFrame, we adjust the abs pos containing block frame to be the ColumnSetWrapperFrame, here - https://searchfox.org/mozilla-central/rev/c86c19bd64f8f19590a4190c282781d3a9631422/layout/base/nsCSSFrameConstructor.cpp#3006

We call PushAbsoluteContainingBlock with the column set frame, but IsFixedPosContainingBlock() returns false for this frame (we haven't inherited the preserve-3d style into the anonymous frame), and we don't set mFixedPosIsAbsPos as we normally would.

Mats do you have ideas on how this is supposed to work? I'm not sure if this is a bug with preserve-3d, or frameset.

Flags: needinfo?(matt.woodrow) → needinfo?(mats)
Flags: needinfo?(aethanyc)

It appears that when we construct the FieldsetFrame, we adjust the abs pos containing block frame to be the ColumnSetWrapperFrame, here - https://searchfox.org/mozilla-central/rev/c86c19bd64f8f19590a4190c282781d3a9631422/layout/base/nsCSSFrameConstructor.cpp#3006

We call PushAbsoluteContainingBlock with the column set frame, but IsFixedPosContainingBlock() returns false for this frame (we haven't inherited the preserve-3d style into the anonymous frame), and we don't set mFixedPosIsAbsPos as we normally would.

I think this is a bug in ConstructFieldSetFrame. Currently, we adjust absPosContainer to be the ColumnSetWrapperFrame when we need to create multicol, and use it as the aPositionedFrame argument for PushAbsoluteContainingBlock.

However, per PushAbsoluteContainingBlock's document [1],

"aPositionedFrame is the frame whose style actually makes aNewAbsoluteContainingBlock a containing block."

So I think maybe we should just use FieldsetFrame itself as the aPositionedFrame since it is the frame that has the transform style.

[1] https://searchfox.org/mozilla-central/rev/7ec7ee4a9bde171ba195ab46ed6077e4baaef34d/layout/base/nsCSSFrameConstructor.cpp#729-732

Assignee: nobody → aethanyc
Flags: needinfo?(aethanyc)

Per documentation, aPositionedFrame (the second argument) of
PushAbsoluteContainingBlock should be the frame whose style actually
makes the new absolute containing block a containing block, so it should
be the fieldset frame itself, not fieldset's inner frame.

Flags: needinfo?(mats)
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/4c76341bb13d Use fieldset frame itself as the aPositionedFrame argument on PushAbsoluteContainingBlock. r=mats

https://hg.mozilla.org/mozilla-central/rev/4c76341bb13d

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: