Closed
Bug 1450686
Opened 6 years ago
Closed 3 years ago
Assertion failure: false (Two layers that scroll together have different ancestor transforms), at /builds/worker/workspace/build/src/gfx/layers/apz/src/APZCTreeManager.cpp:1061
Categories
(Core :: Web Painting, defect, P3)
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev c44f60c43432. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x00007f86f16872dd rbx = 0x00007f86cb72dbc0 rsi = 0x00007f86f1956770 rdi = 0x00007f86f1955540 rbp = 0x00007f86cb72dc70 rsp = 0x00007f86cb72da80 r8 = 0x00007f86f1956770 r9 = 0x00007f86cb72f700 r10 = 0x0000000000000012 r11 = 0x0000000000000000 r12 = 0x00007f86cb72db80 r13 = 0x00007f86bfa1a800 r14 = 0x00007f86cb72e378 r15 = 0x00007f86cb72dcb0 rip = 0x00007f86e048d431 OS|Linux|0.0.0 Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|20 20|0|libxul.so|mozilla::layers::APZCTreeManager::PrepareNodeForLayer<mozilla::layers::LayerMetricsWrapper>|hg:hg.mozilla.org/mozilla-central:gfx/layers/apz/src/APZCTreeManager.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|948|0x5 20|1|libxul.so||||0x1561ca4 20|2|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|137|0xc 20|3|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|4|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|5|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|6|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|7|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|8|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|9|libxul.so|mozilla::layers::ForEachNode<mozilla::layers::ReverseIterator, mozilla::layers::LayerMetricsWrapper, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)>, mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl(mozilla::layers::LayersId, const ScrollNode&, bool, mozilla::layers::LayersId, uint32_t) [with ScrollNode = mozilla::layers::LayerMetricsWrapper]::<lambda(mozilla::layers::LayerMetricsWrapper)> >|hg:hg.mozilla.org/mozilla-central:gfx/layers/TreeTraversal.h:c44f60c43432d468639b5fe078420e60c13fd3de|142|0x25 20|10|libxul.so|mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl<mozilla::layers::LayerMetricsWrapper>|hg:hg.mozilla.org/mozilla-central:gfx/layers/apz/src/APZCTreeManager.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|387|0x90 20|11|libxul.so|mozilla::layers::APZCTreeManager::UpdateHitTestingTree|hg:hg.mozilla.org/mozilla-central:gfx/layers/apz/src/APZCTreeManager.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|517|0xe 20|12|libxul.so|mozilla::layers::CompositorBridgeParent::NotifyShadowTreeTransaction|hg:hg.mozilla.org/mozilla-central:gfx/layers/ipc/CompositorBridgeParent.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|872|0x1c 20|13|libxul.so|mozilla::layers::CrossProcessCompositorBridgeParent::ShadowLayersUpdated|hg:hg.mozilla.org/mozilla-central:gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|353|0x16 20|14|libxul.so|mozilla::layers::LayerTransactionParent::RecvUpdate|hg:hg.mozilla.org/mozilla-central:gfx/layers/ipc/LayerTransactionParent.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|458|0x9 20|15|libxul.so|mozilla::layers::PLayerTransactionParent::OnMessageReceived|s3:gecko-generated-sources:80e773b9a63f9343067565d2423f3da08779c40243ab8e094bea2479a4740a49f045c296728e5f4976b7b1af0e170021b97b799aa9f29a37bf4c78036c0e9778/ipc/ipdl/PLayerTransactionParent.cpp:|107|0x6 20|16|libxul.so|mozilla::layers::PCompositorManagerParent::OnMessageReceived|s3:gecko-generated-sources:396220c98134f1d7dee22c1a270a4c88a029a4849d92cff4449fbb2ff2d3a8cd43ec4ed04152a400b2d75811da89c95c303c06d5e007b7ad46696475b588d732/ipc/ipdl/PCompositorManagerParent.cpp:|121|0xc 20|17|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|2135|0x6 20|18|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|2065|0xb 20|19|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|1911|0xb 20|20|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:c44f60c43432d468639b5fe078420e60c13fd3de|1944|0xc 20|21|libxul.so|MessageLoop::RunTask|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c44f60c43432d468639b5fe078420e60c13fd3de|452|0x6 20|22|libxul.so|MessageLoop::DeferOrRunPendingTask|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c44f60c43432d468639b5fe078420e60c13fd3de|460|0x17 20|23|libxul.so|MessageLoop::DoWork|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c44f60c43432d468639b5fe078420e60c13fd3de|535|0x5 20|24|libxul.so|base::MessagePumpDefault::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_pump_default.cc:c44f60c43432d468639b5fe078420e60c13fd3de|36|0xa 20|25|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c44f60c43432d468639b5fe078420e60c13fd3de|326|0x17 20|26|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c44f60c43432d468639b5fe078420e60c13fd3de|319|0x8 20|27|libxul.so|base::Thread::ThreadMain|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/thread.cc:c44f60c43432d468639b5fe078420e60c13fd3de|181|0x8 20|28|libxul.so|ThreadFunc|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/platform_thread_posix.cc:c44f60c43432d468639b5fe078420e60c13fd3de|38|0x3 20|29|libpthread-2.23.so||||0x76ba 20|30|libc-2.23.so||||0x10741d
Flags: in-testsuite?
|
||
Comment 1•6 years ago
|
||
The stack in comment 0 is for a different assert than the bug summary. Is there a copy/paste error here?
Flags: needinfo?(jkratzer)
|
||
Comment 2•6 years ago
|
||
Here is the stack trace I see when I load the attached testcase in a debug build of Nightly. It is indeed the assert mentioned in the bug title.
|
|
||
Comment 3•6 years ago
|
||
And here is a client-side layer dump. The layers 0x7efe79ea1800 and 0x7efe772ae400 both have scrollId=4 but different ancestor transforms.
|
|
||
Comment 4•6 years ago
|
||
Moving to Layout as this is an instance of Layout giving us an unexpected layer tree.
Component: Panning and Zooming → Layout
|
Reporter | |
Updated•6 years ago
|
Flags: needinfo?(jkratzer)
|
||
Updated•6 years ago
|
Component: Layout → Layout: Web Painting
|
||
Comment 5•6 years ago
|
||
Display list dump for the broken paint. It looks like we're creating nsDisplayScrollInfoLayer, and hoisting it outside of the nsDisplayMask, assuming that the mask will always be inactive. nsDisplayMask can be active though now (and is in this testcase), so we're still getting nsDisplayCompositorHitTestInfo added within the mask. The frame with the mask is also transformed, so the hoisted APZ info, and the real ones have different ancestor transform. Markus, should we just be skipping the hoisting if the mask decides to be active (and can we force it to decide during building), or do we need something more complex here?
Flags: needinfo?(mstange)
|
|
||
Updated•6 years ago
|
Priority: -- → P3
|
||
Updated•5 years ago
|
status-firefox66:
--- → affected
status-firefox67:
--- → affected
|
|
||
Updated•5 years ago
|
Whiteboard: [fuzzblocker]
|
|
||
Updated•5 years ago
|
status-firefox68:
--- → wontfix
status-firefox69:
--- → affected
status-firefox70:
--- → affected
status-firefox-esr68:
--- → affected
|
|
||
Comment 6•5 years ago
•
|
||
This issue is hit frequently by the fuzzers and can limit their effectiveness.
A Pernosco session can be found here: https://pernos.co/debug/5I-765BwE1bxTpp0_34V4g/index.html
status-firefox71:
--- → affected
status-firefox72:
--- → affected
|
||
Comment 8•5 years ago
|
||
(In reply to Matt Woodrow (:mattwoodrow) from comment #5)
Markus, should we just be skipping the hoisting if the mask decides to be
active (and can we force it to decide during building), or do we need
something more complex here?
We should probably remove hoisting for masks entirely. Most masks can be active, and the ones that can be active will be active if there's anything actively scrolled inside them. Unless there's a filter between the mask and the scroll frame; in that case, the filter should hoist the scroll info layer, and then the mask should become active due to the scroll info layer item. For inactive scroll frames, no hoisting needs to be done; inactive scroll frames are handled with dispatch-to-content event regions which are propagated through inactive container items with a different mechanism. And while I think there are still some cases where masks cannot become active, I don't think it's worth worrying about them.
Flags: needinfo?(mstange)
|
|
||
Comment 9•4 years ago
•
|
||
botond: Are you able to take this issue? It has been around for a long time and fuzzers are frequently hitting it, it would be great to get this fixed.
Flags: needinfo?(botond)
|
|
||
Comment 10•4 years ago
|
||
Based on comment 8, a fix here does not seem trivial and requires attention from Web Painting folks (Matt / Miko / Markus).
As we haven't seen reports of the issue underlying this assertion actually causing a rendering or scrolling problem, we could downgrade it to a NS_ASSERTION if it's tripping up fuzzers.
Flags: needinfo?(botond)
|
|
||
Comment 11•4 years ago
|
||
That would be great.
|
|
||
Comment 12•4 years ago
|
||
(In reply to Botond Ballo [:botond] from comment #10)
As we haven't seen reports of the issue underlying this assertion actually causing a rendering or scrolling problem, we could downgrade it to a NS_ASSERTION if it's tripping up fuzzers.
Filed bug 1673492 with a patch to do this.
|
|
||
Comment 13•3 years ago
|
||
I can't reproduce this any more, either with or without WebRender.
Blocks: fixed-by-webrender
|
|
||
Comment 14•3 years ago
|
||
(Didn't mean to add that blocking bug.)
No longer blocks: fixed-by-webrender
|
|
||
Comment 15•3 years ago
|
||
Like bug 1491000, it looks like this was fixed by something along the way.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
|
||
Updated•3 years ago
|
Resolution: FIXED → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•