1539318 - Assertion failure: false (should have already reflowed the kid), at src/layout/svg/SVGTextFrame.cpp:4828

Status: RESOLVED FIXED

(Core :: SVG, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reduced with m-c:
BuildID=20190325155340
SourceStamp=3d5cd10cb1b20c1f83a189fbeb2e22f470bac0ec

Assertion failure: false (should have already reflowed the kid), at src/layout/svg/SVGTextFrame.cpp:4828

#0 SVGTextFrame::DoGlyphPositioning() src/layout/svg/SVGTextFrame.cpp:4951:35
#1 SVGTextFrame::GetComputedTextLength(nsIContent*) src/layout/svg/SVGTextFrame.cpp:3694:3
#2 mozilla::dom::SVGTextContentElement_Binding::getComputedTextLength(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGTextContentElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/SVGTextContentElementBinding.cpp:142:22
#3 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3144:13
#4 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:442:13
#5 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534:12
#6 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#7 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3075:16
#8 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
#9 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
#10 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#11 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
#12 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2621:10
#13 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
#14 void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#15 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
#16 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1044:22
#17 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
#18 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:351:17
#19 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:553:16
#20 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1048:11
#21 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1102:7
#22 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6596:21
#23 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6397:7
#24 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#25 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1312:3
#26 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:871:14
#27 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:709:9
#28 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:597:5
#29 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#30 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#31 mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:7743:18
#32 mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7675:9
#33 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:4816:3
#34 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1174:13
#35 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#36 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
#37 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
#38 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#39 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#40 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#41 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#42 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#43 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#44 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#45 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#46 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#47 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#48 main src/browser/app/nsBrowserApp.cpp:263:18

Comment 1

[Cameron McCormack (:heycam)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=746720ad09222099c178b2ef9debfd2279bf6bea

Comment 2

[Cameron McCormack (:heycam)]

Attachment: Bug 1539318 - Prevent getComputedTextLength() from working on non-display SVG text elements.

This adds the same bailing out behavior that was added in bug 1402109 to a number
of other functions implementing SVG DOM text methods.

Comment 3

[violet.bugreport]

This is also a bug in <switch> element, because once an outer svg is reflowed, we always reflow all the SVGTextFrame.

Unfortunately, fixing <switch> is not really enough to fix this one since the outer svg can be contained in a strange HTML element that doesn't reflow the svg at all...

Comment 4

[Pulsebot]

Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9ea26dd5b68
Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt

Comment 5

[Cosmin Sabou [:CosminS]]

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception&fromchange=e9ea26dd5b6860369222508e8510888db71c1de4&tochange=6f280783594b75caee682ed71c8155934a9d59d9&searchStr=crashtest&selectedJob=244050186

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=244050186&repo=autoland&lineNumber=19938

Backout link: https://hg.mozilla.org/integration/autoland/rev/6f280783594b75caee682ed71c8155934a9d59d9

[task 2019-05-02T00:11:06.486Z] 00:11:06 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html | 3368 / 3730 (90%)
[task 2019-05-02T00:16:06.532Z] 00:16:06 INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html | load failed: timed out after 300000 ms waiting for 'load' event for file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html
[task 2019-05-02T00:16:06.532Z] 00:16:06 INFO - REFTEST INFO | Saved log: START file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html
[task 2019-05-02T00:16:06.532Z] 00:16:06 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-05-02T00:16:06.536Z] 00:16:06 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-05-02T00:16:06.537Z] 00:16:06 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html
[task 2019-05-02T00:16:06.538Z] 00:16:06 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html
[task 2019-05-02T00:16:06.540Z] 00:16:06 INFO - REFTEST TEST-END | file:///builds/worker/workspace/build/tests/reftest/tests/layout/svg/crashtests/1539318-1.html

Comment 6

[Cameron McCormack (:heycam)]

Oh, forgot to add the test file to the patch.

Comment 7

[Cameron McCormack (:heycam)]

Or actually, I just misnamed the test in the manifest.

Comment 8

[Pulsebot]

Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f446fb2da3fb
Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt

Comment 9

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/f446fb2da3fb