Open Bug 1441254 Opened 2 years ago Updated 10 months ago

Assertion failure: mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED (Text run should be transformed!), at src/layout/generic/nsTextFrame.cpp:1125

Categories

(Core :: Layout: Text and Fonts, defect, P3)

defect

Tracking

()

Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html
Found in m-c:
BuildID=20180223194828
SourceStamp=ad3c6f89d67752309a473e57a47fb88f9da37683

Assertion failure: mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED (Text run should be transformed!), at src/layout/generic/nsTextFrame.cpp:1125

#0 BuildTextRunsScanner::BreakSink::SetCapitalization(unsigned int, unsigned int, bool*) src/layout/generic/nsTextFrame.cpp:1124:7
#1 nsLineBreaker::AppendText(nsAtom*, char16_t const*, unsigned int, unsigned int, nsILineBreakSink*) src/dom/base/nsLineBreaker.cpp:304:14
#2 nsLineBreaker::AppendText(nsAtom*, unsigned char const*, unsigned int, unsigned int, nsILineBreakSink*) src/dom/base/nsLineBreaker.cpp:340:12
#3 BuildTextRunsScanner::SetupBreakSinksForTextRun(gfxTextRun*, void const*) src/layout/generic/nsTextFrame.cpp:2657:22
#4 BuildTextRunsScanner::SetupLineBreakerContext(gfxTextRun*) src/layout/generic/nsTextFrame.cpp:2549:3
#5 BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1680:12
#6 BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrame.cpp:1625:11
#7 nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2871:7
#8 nsTextFrame::AddInlinePrefISizeForFlow(gfxContext*, nsIFrame::InlinePrefISizeData*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrame.cpp:8734:5
#9 nsTextFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsTextFrame.cpp:8870:10
#10 nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) src/layout/generic/nsContainerFrame.cpp
#11 nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsInlineFrame.cpp:268:3
#12 nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) src/layout/generic/nsContainerFrame.cpp
#13 nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsInlineFrame.cpp:268:3
#14 nsBlockFrame::GetPrefISize(gfxContext*) src/layout/generic/nsBlockFrame.cpp:860:16
#15 nsFrame::RefreshSizeCache(nsBoxLayoutState&) src/layout/generic/nsFrame.cpp:10186:9
#16 nsFrame::GetXULMinSize(nsBoxLayoutState&) src/layout/generic/nsFrame.cpp:10310:5
#17 nsSprocketLayout::GetXULMinSize(nsIFrame*, nsBoxLayoutState&) src/layout/xul/nsSprocketLayout.cpp:1382:29
#18 nsBoxFrame::GetXULMinSize(nsBoxLayoutState&) src/layout/xul/nsBoxFrame.cpp:851:43
#19 nsBoxFrame::GetMinISize(gfxContext*) src/layout/xul/nsBoxFrame.cpp:612:20
#20 nsFrame::ShrinkWidthToFit(gfxContext*, int, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:6365:22
#21 nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsContainerFrame.cpp:852:27
#22 nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:5599:24
#23 mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) src/layout/generic/ReflowInput.cpp:2504:17
#24 mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) src/layout/generic/ReflowInput.cpp:414:3
#25 mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::LogicalSize const*, unsigned int) src/layout/generic/ReflowInput.cpp:246:5
#26 void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&) src/obj-firefox/dist/include/mozilla/Maybe.h:459:34
#27 nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:863:23
#28 nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4158:15
#29 nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3958:5
#30 nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3832:9
#31 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2816:5
#32 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
#33 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
#34 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
#35 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
#36 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
#37 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
#38 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
#39 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:941:14
#40 nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:717:5
#41 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:941:14
#42 nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:554:3
#43 nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:677:3
#44 nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1054:3
#45 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:985:14
#46 mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:335:7
#47 mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8974:11
#48 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9147:24
#49 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4257:11
#50 nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1944:16
#51 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:310:7
#52 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:332:5
#53 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:773:5
#54 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:686:35
#55 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:587:9
#56 mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#57 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#58 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
#59 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2110:25
#60 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2040:17
#61 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1886:5
#62 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1919:15
#63 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#64 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#65 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#66 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#67 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#68 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#69 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#70 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#71 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#72 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#73 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#74 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#75 main src/browser/app/nsBrowserApp.cpp:280:18
#76 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#77 _start (firefox+0x423444)
Flags: in-testsuite?
Component: Layout → Layout: Text
This assertion was added in bug 1099110.

Fortunately, it's followed by a runtime check for the same condition (testing a flag):


>    virtual void SetCapitalization(uint32_t aOffset, uint32_t aLength,
>                                   bool* aCapitalize) override {
>      MOZ_ASSERT(mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED,
>                 "Text run should be transformed!");
>      if (mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED) {
>        nsTransformedTextRun* transformedTextRun =
>          static_cast<nsTransformedTextRun*>(mTextRun.get());
>        transformedTextRun->SetCapitalization(aOffset + mOffsetIntoTextRun, aLength,
>                                              aCapitalize);

So this presumably isn't exploitable, thanks to that runtime check.
Depends on: 1099110
Priority: -- → P3
See Also: → 1419847
Yeah, I think this indicates that we have a stale textrun that does not correctly reflect a style change that has happened. So we're potentially going to render slightly incorrectly; but because we test the flag before attempting to downcast, this shouldn't result in anything disastrous.

We should still debug the testcase to figure out what's really going wrong.
See Also: → 1555058
You need to log in before you can comment on or make changes to this bug.