Closed
Bug 1611847
Opened 5 years ago
Closed 5 years ago
Assertion failure: isRelevant == ((IsCurrent() || IsInEffect()) && mAnimation && mAnimation->ReplaceState() != AnimationReplaceState::Removed) (Out of date Animation::IsRelevant value), at /builds/worker/workspace/build/src/dom/animation/KeyframeEffect.cp
Categories
(Core :: DOM: Animation, defect, P3)
Core
DOM: Animation
Tracking
()
RESOLVED
FIXED
mozilla75
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | disabled |
| firefox75 | --- | fixed |
People
(Reporter: jkratzer, Assigned: boris)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev c0fa6d007c58.
rcx = 0x00007fba0d82c3ca rbx = 0x00007fb9ea743ae0
rsi = 0x00007fba195b88b0 rdi = 0x00007fba195b7680
rbp = 0x00007ffce6552590 rsp = 0x00007ffce6552560
r8 = 0x00007fba195b88b0 r9 = 0x00007fba1a71f780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000001 r13 = 0x00007ffce65525b0
r14 = 0x00007ffce65525a8 r15 = 0x00007ffce65525b0
rip = 0x00007fba087cf429
OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::KeyframeEffect::UpdateTargetRegistration()|hg:hg.mozilla.org/mozilla-central:dom/animation/KeyframeEffect.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|787|0x8c
0|1|libxul.so|mozilla::dom::KeyframeEffect::SetTarget(mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&)|hg:hg.mozilla.org/mozilla-central:dom/animation/KeyframeEffect.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|997|0x5
0|2|libxul.so|mozilla::dom::KeyframeEffect_Binding::set_target|s3:gecko-generated-sources:0f9d1d97556e509403c51988ad453758a55cde310ee0840fe868c6ef2f4c5e59f401cbc2adc1381e9b7ec101f7f51a31ceb8994297a1ea0b87f37b786ea774a3/dom/bindings/KeyframeEffectBinding.cpp:|886|0x5
0|3|libxul.so|bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3099|0x1d
0|4|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|450|0x19
0|5|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|542|0x12
0|6|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|605|0x10
0|7|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|622|0x8
0|8|libxul.so|js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|760|0x20
0|9|libxul.so|SetExistingProperty|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2956|0x1a
0|10|libxul.so|bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2985|0x2d
0|11|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2779|0xb8
0|12|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|386|0xfe
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|577|0xf
0|14|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|605|0x10
0|15|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|622|0x8
0|16|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2797|0x1f
0|17|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|18|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|19|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1271|0x1c
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|326|0x6b
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|558|0x12
0|22|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1055|0x1a
0|23|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1160|0x16
0|24|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1119|0x5
0|25|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4095|0x2a
0|26|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4065|0x21
0|27|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|7204|0x5
0|28|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1215|0x5
0|29|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|30|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|31|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|32|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|33|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|34|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|35|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|272|0x10
0|36|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4624|0x16
0|37|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4761|0x8
0|38|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4842|0x5
0|39|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|217|0x26
0|40|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|339|0xf
0|41|libc-2.27.so||||0x21b97
0|42|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|43|firefox-bin||||0x10e30
0|44|ld-2.27.so||||0x10733
0|45|libdl-2.27.so||||0x202d80
0|46|libpthread-2.27.so||||0x219bb0
0|47|firefox-bin||||0x10e30
0|48|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(boris.chiou)
|
|
Assignee | |
Updated•5 years ago
|
Priority: -- → P3
|
|
Assignee | |
Comment 1•5 years ago
|
||
This might be related to bug 1608858. I will check this later after we fix bug 1608858.
|
||
Comment 2•5 years ago
|
||
(In reply to Boris Chiou [:boris] from comment #1)
This might be related to bug 1608858. I will check this later after we fix bug 1608858.
Unfortunately, I seems like bug 1608858 doesn't help with this (although they likely have a very similar cause).
|
|
Assignee | |
Comment 3•5 years ago
|
||
I'm trying to figure out what happened by the test case. First, this happens after setting a negative playback rate, so:
mPendingPlaybackRateisSome(-129).Animation->Pending()isPendingState::PlayPending.- So we just set a negative playback rate, and then early return in
Animation::UpdatePlaybackRate(). - In
KeyframeEffect::SetTarget()UnregisterTarget()on the old target. This looks ok.- Assign a new target, and call
UpdateTargetRegistration()on the new target. - In
UpdateTargetRegistration(),mAnimation->IsRelevant()is still not updated yet after setting the new negative playback. It is still true. - So we hit the assertion because both
IsCurrent()andIsInEffect()are false, butisRelevantis true.
So why IsCurrent() is false?
- Its AnimationPlayState is
AnimationPlayState::Finishedbecause of the negative pending playback rate and current time is 0.
And why IsInEffect() is false?
- Its progress is null because it is still in the before phase.
So looks like we have to update relevant in the earily return of Animation::UpdatePlaybackRate()?
Flags: needinfo?(boris.chiou)
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → boris.chiou
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
|
||
Comment 5•5 years ago
|
||
Yes, that makes sense.
However, in the WIP patch, I wonder if we need to call UpdateEffect in order to update the EffectSet since otherwise if we call getAnimations() after updatePlaybackRate() we might hit a case where the EffectSet is out of sync with the relevance state like we did in bug 1608858?
|
|
Assignee | |
Comment 6•5 years ago
|
||
OK. Let me try this case.
|
|
Assignee | |
Comment 7•5 years ago
|
||
(In reply to Brian Birtles (:birtles) from comment #5)
Yes, that makes sense.
However, in the WIP patch, I wonder if we need to call
UpdateEffectin order to update theEffectSetsince otherwise if we callgetAnimations()afterupdatePlaybackRate()we might hit a case where theEffectSetis out of sync with the relevance state like we did in bug 1608858?
I cannot reproduce the assertion by calling getAnimations(). However, it's fine with me to use UpdateEffect, just in case.
|
||
Updated•5 years ago
|
Attachment #9128001 -
Attachment description: Bug 1611847 - Update relevance in the early return of UpdatePlaybackRate(). → Bug 1611847 - Update relevance and its effect set in the early return of UpdatePlaybackRate().
Pushed by bchiou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/096dfc972a04
Update relevance and its effect set in the early return of UpdatePlaybackRate(). r=birtles
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox75:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
|
||
Updated•5 years ago
|
status-firefox73:
--- → unaffected
status-firefox-esr68:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•