Closed
Bug 1427221
Opened 6 years ago
Closed 6 years ago
Intermittent Assertion failure: uint8_t(mClass) < mozilla::ArrayLength(sLayoutFrameTypes), at /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2796
Categories
(Core :: Web Painting, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla59
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | --- | fixed |
firefox59 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: assertion, intermittent-failure, Whiteboard: [stockwell fixed:product])
Attachments
(4 files)
6.56 KB,
text/plain
|
Details | |
2.10 KB,
patch
|
MatsPalmgren_bugz
:
review-
|
Details | Diff | Splinter Review |
1.06 KB,
patch
|
MatsPalmgren_bugz
:
review+
|
Details | Diff | Splinter Review |
3.56 KB,
patch
|
mattwoodrow
:
review+
gchang
:
approval-mozilla-beta+
gchang
:
approval-mozilla-release+
|
Details | Diff | Splinter Review |
Filed by: nerli [at] mozilla.com https://treeherder.mozilla.org/logviewer.html#?job_id=153455027&repo=autoland https://queue.taskcluster.net/v1/task/MqgorJVtTJW5vv2IpBGFig/runs/0/artifacts/public/logs/live_backing.log https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/MqgorJVtTJW5vv2IpBGFig/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1
Comment hidden (Intermittent Failures Robot) |
Comment 2•6 years ago
|
||
This assertion failure is bad because it indicates we are reading off the end of an array. Mats added this assertion in nsIFrame bug 1381405. mozilla::LayoutFrameType Type() const { MOZ_ASSERT(uint8_t(mClass) < mozilla::ArrayLength(sLayoutFrameTypes)); return sLayoutFrameTypes[uint8_t(mClass)]; }
Assignee | ||
Comment 3•6 years ago
|
||
I doubt there's an issue with a valid frame having an invalid mClass. I suspect the assertion fails because we use a frame that has been destroyed and is now poisoned.
Assignee | ||
Comment 4•6 years ago
|
||
#01: nsIFrame::Type [layout/generic/nsIFrame.h:2796] #02: RetainedDisplayListBuilder::AttemptPartialUpdate [layout/painting/RetainedDisplayListBuilder.cpp:756] #03: nsLayoutUtils::PaintFrame [layout/base/nsLayoutUtils.cpp:3809] ...
Comment hidden (Intermittent Failures Robot) |
Comment 6•6 years ago
|
||
This is a regression from bug 1426345. When we destroy a frame, we call RemoveDisplayItemDataForDeletion, which includes removing references to this frame from the root frame's ModifiedFrameList. Unfortunately, nsMathMLmfencedFrame's destructor (which runs after this) calls a function which adds it back again, and we end up with a dangling pointer.
Priority: P2 → P1
Updated•6 years ago
|
Assignee: nobody → matt.woodrow
Comment 9•6 years ago
|
||
Moving this code to the base class destructor should prevent similar bugs from popping up in other frame types.
Attachment #8940562 -
Flags: review?(mats)
Comment 10•6 years ago
|
||
Attachment #8940564 -
Flags: review?(mats)
Updated•6 years ago
|
Whiteboard: [stockwell needswork]
Assignee | ||
Comment 11•6 years ago
|
||
Comment on attachment 8940562 [details] [diff] [review] Defer cleaning up the modified state until the last possible opportunity Doing "complicated" stuff like this in the dtor should be avoided. I think this bug neatly demonstrates that it's a footgun. Allow me to suggest an alternative fix...
Attachment #8940562 -
Flags: review?(mats) → review-
Assignee | ||
Comment 12•6 years ago
|
||
Overriding DestroyFrom is the right way to do this I think. I also added an assertion that would have caught this bug earlier.
Attachment #8941025 -
Flags: review?(matt.woodrow)
Assignee | ||
Updated•6 years ago
|
Attachment #8940564 -
Flags: review?(mats) → review+
Comment 13•6 years ago
|
||
Comment on attachment 8941025 [details] [diff] [review] Alternative fix Review of attachment 8941025 [details] [diff] [review]: ----------------------------------------------------------------- ::: layout/generic/nsFrame.cpp @@ +858,5 @@ > + if (this != rootFrame) { > + nsTArray<nsIFrame*>* modifiedFrames = > + rootFrame->GetProperty(nsIFrame::ModifiedFrameList()); > + if (modifiedFrames) { > + MOZ_ASSERT(!modifiedFrames->Contains(this), Could we also/instead assert(!IsFrameModified()) from the nsFrame dtor?
Attachment #8941025 -
Flags: review?(matt.woodrow) → review+
Comment 14•6 years ago
|
||
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3722e968f87b part 1 - Do nsMathMLmfencedFrame cleanup in DestroyFrom, not in the dtor. r=mattwoodrow https://hg.mozilla.org/integration/mozilla-inbound/rev/6397787172eb part 2 - Change test to fail every time. r=mats
Assignee | ||
Comment 15•6 years ago
|
||
(In reply to Matt Woodrow (:mattwoodrow) from comment #13) > Could we also/instead assert(!IsFrameModified()) from the nsFrame dtor? That assertion would fail: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c1580c0da1227bf73dce4ececc3936bd8e0503bf I'm guessing it's because nsIFrame::RemoveDisplayItemDataForDeletion doesn't call SetFrameIsModified(false). It doesn't seem super-important to correct the bit there since we're about to delete the frame anyway, but feel free to file a follow-up bug if you want.
Updated•6 years ago
|
Comment 16•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/3722e968f87b https://hg.mozilla.org/mozilla-central/rev/6397787172eb
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment 17•6 years ago
|
||
Matt, could you help to create the uplift request for 58 so that we can fix bug 1428178 accordingly?
Flags: needinfo?(matt.woodrow)
Updated•6 years ago
|
Whiteboard: [stockwell needswork] → [stockwell fixed:product]
Updated•6 years ago
|
Assignee: matt.woodrow → mats
Flags: needinfo?(matt.woodrow) → needinfo?(mats)
Assignee | ||
Comment 18•6 years ago
|
||
Comment on attachment 8941025 [details] [diff] [review] Alternative fix Approval Request Comment [Feature/Bug causing the regression]:bug 1426345 [User impact if declined]:crash [Is this code covered by automated tests?]:yes [Has the fix been verified in Nightly?]:yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: [Is the change risky?]:no [Why is the change risky/not risky?]:trivial fix [String changes made/needed]:none
Flags: needinfo?(mats)
Attachment #8941025 -
Flags: approval-mozilla-beta?
Comment hidden (Intermittent Failures Robot) |
Comment 20•6 years ago
|
||
Comment on attachment 8941025 [details] [diff] [review] Alternative fix Fix a regression. Beta58+.
Attachment #8941025 -
Flags: approval-mozilla-release+
Attachment #8941025 -
Flags: approval-mozilla-beta?
Attachment #8941025 -
Flags: approval-mozilla-beta+
Comment 21•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-release/rev/ae6c87e225d3
Comment 22•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/72faa446f04e (FIREFOX_58b_RELBRANCH)
You need to log in
before you can comment on or make changes to this bug.
Description
•