Assertion failure: false (item should have finite clip with respect to aASR), at /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3086
Categories
(Core :: Web Painting, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | wontfix |
| firefox-esr68 | --- | wontfix |
| firefox-esr78 | --- | wontfix |
| firefox65 | --- | wontfix |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | wontfix |
| firefox69 | --- | wontfix |
| firefox70 | --- | wontfix |
| firefox72 | --- | wontfix |
| firefox73 | --- | wontfix |
| firefox74 | --- | wontfix |
| firefox77 | --- | wontfix |
| firefox78 | --- | wontfix |
| firefox79 | --- | wontfix |
| firefox80 | --- | fixed |
People
(Reporter: jkratzer, Assigned: TYLin)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 785572419acc. OS|Linux|0.0.0 Linux 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|nsDisplayItem::GetClipWithRespectToASR|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|3086|0x0 0|1|libxul.so|nsDisplayList::GetClippedBoundsWithRespectToASR|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|2270|0x16 0|2|libxul.so|nsDisplayWrapList::UpdateBounds|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.h:785572419acc|4709|0x19 0|3|libxul.so|nsDisplayWrapList::nsDisplayWrapList|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:785572419acc|6155|0xb 0|4|libxul.so|nsDisplayTransform::nsDisplayTransform|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.h:785572419acc|5766|0x5 0|5|libxul.so|WrapSeparatorTransform|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|2594|0xe 0|6|libxul.so|nsIFrame::BuildDisplayListForStackingContext|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3242|0x22 0|7|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3680|0x19 0|8|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|9|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|10|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|11|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|12|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|13|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|14|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|15|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|16|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|17|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|18|libxul.so|DisplayLine|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6665|0x19 0|19|libxul.so|nsBlockFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:785572419acc|6761|0x38 0|20|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|21|libxul.so|nsColumnSetFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsColumnSetFrame.cpp:785572419acc|1293|0x1c 0|22|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|23|libxul.so|nsCanvasFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:785572419acc|605|0x1c 0|24|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|25|libxul.so|mozilla::ScrollFrameHelper::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:785572419acc|3583|0x1a 0|26|libxul.so|nsIFrame::BuildDisplayListForChild|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|3746|0x13 0|27|libxul.so|mozilla::ViewportFrame::BuildDisplayList|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:785572419acc|66|0x11 0|28|libxul.so|nsIFrame::BuildDisplayListForStackingContext|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:785572419acc|2976|0x17 0|29|libxul.so|nsLayoutUtils::PaintFrame|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:785572419acc|3887|0x18 0|30|libxul.so|mozilla::PresShell::Paint|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:785572419acc|6488|0x17 0|31|libxul.so|nsViewManager::ProcessPendingUpdatesPaint|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|480|0x12 0|32|libxul.so|nsViewManager::ProcessPendingUpdatesForView|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|412|0xd 0|33|libxul.so|nsViewManager::ProcessPendingUpdates|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:785572419acc|1102|0x11 0|34|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|2027|0x8 0|35|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|306|0xf 0|36|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|328|0x12 0|37|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|769|0x5 0|38|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:785572419acc|583|0xc 0|39|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:785572419acc|68|0x9 0|40|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:06086093ccb59dd5a99cf8c9f9fb7f4860fd8ddbfd516af5e5b3508be62029679421dcf2abdf6b1c945b6a054050bd403c9574aad49f857cb4a31d3f4cf56b9a/ipc/ipdl/PVsyncChild.cpp:|155|0xf 0|41|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|2110|0x6 0|42|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|2040|0xb 0|43|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|1886|0xb 0|44|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:785572419acc|1919|0xc 0|45|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:785572419acc|1033|0x15
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Comment 1•6 years ago
|
||
bughunter can reproduce on windows/linux with https://www.cbr.com/flash-catch-me-if-you-can/2/ and 12 other urls many from cbr.com.
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 2•4 years ago
|
||
The fuzzers have been hitting this regularly for a while now and it would be great to get it out of the way.
A Pernosco session is available here: https://pernos.co/debug/-DIK4LWw5GfaV1XvKCdeQw/index.html
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 3•4 years ago
•
|
||
No sense trying to bisect this since it is more than a year old.
Matt is there someone that could take a look at this? It has been around for a long time and the fuzzer are tripping over it[1]. If it is benign could we just remove the assertion or make it a warning?
[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/#fuzz-blockers
|
||
Comment 4•4 years ago
|
||
transform-style:preserve-3d is supposed to create a containing block for fixed children, and it doesn't look like that's happening here, due to the interaction between <fieldset> and columns.
It appears that when we construct the FieldsetFrame, we adjust the abs pos containing block frame to be the ColumnSetWrapperFrame, here - https://searchfox.org/mozilla-central/rev/c86c19bd64f8f19590a4190c282781d3a9631422/layout/base/nsCSSFrameConstructor.cpp#3006
We call PushAbsoluteContainingBlock with the column set frame, but IsFixedPosContainingBlock() returns false for this frame (we haven't inherited the preserve-3d style into the anonymous frame), and we don't set mFixedPosIsAbsPos as we normally would.
Mats do you have ideas on how this is supposed to work? I'm not sure if this is a bug with preserve-3d, or frameset.
|
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 5•4 years ago
|
||
It appears that when we construct the FieldsetFrame, we adjust the abs pos containing block frame to be the ColumnSetWrapperFrame, here - https://searchfox.org/mozilla-central/rev/c86c19bd64f8f19590a4190c282781d3a9631422/layout/base/nsCSSFrameConstructor.cpp#3006
We call PushAbsoluteContainingBlock with the column set frame, but IsFixedPosContainingBlock() returns false for this frame (we haven't inherited the preserve-3d style into the anonymous frame), and we don't set mFixedPosIsAbsPos as we normally would.
I think this is a bug in ConstructFieldSetFrame. Currently, we adjust absPosContainer to be the ColumnSetWrapperFrame when we need to create multicol, and use it as the aPositionedFrame argument for PushAbsoluteContainingBlock.
However, per PushAbsoluteContainingBlock's document [1],
"aPositionedFrame is the frame whose style actually makes aNewAbsoluteContainingBlock a containing block."
So I think maybe we should just use FieldsetFrame itself as the aPositionedFrame since it is the frame that has the transform style.
|
|
Assignee | |
Comment 6•4 years ago
|
||
Per documentation, aPositionedFrame (the second argument) of
PushAbsoluteContainingBlock should be the frame whose style actually
makes the new absolute containing block a containing block, so it should
be the fieldset frame itself, not fieldset's inner frame.
|
||
Comment 7•4 years ago
|
||
Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/4c76341bb13d Use fieldset frame itself as the aPositionedFrame argument on PushAbsoluteContainingBlock. r=mats
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
|
||
Updated•4 years ago
|
Description
•