Closed Bug 1652897 Opened 5 years ago Closed 5 years ago

Assertion failure: aPos && !HasAnyStateBits(NS_FRAME_IS_DIRTY), at src/layout/generic/nsIFrame.cpp:8635

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- verified

People

(Reporter: tsmith, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
196 bytes, text/html
Details
Bug 1652897 - Remove IS_DIRTY assertion as it currently happens r=emilio
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Assertion failure: aPos && !HasAnyStateBits(NS_FRAME_IS_DIRTY), at src/layout/generic/nsIFrame.cpp:8635

#0 0x7fb5dd2a0583 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7fb5dd2a0583 in nsIFrame::PeekOffset(nsPeekOffsetStruct*) src/layout/generic/nsIFrame.cpp:8635:3
#2 0x7fb5dd22abbb in nsFrameSelection::PeekOffsetForCaretMove(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle, nsPoint const&) const src/layout/generic/nsFrameSelection.cpp:929:24
#3 0x7fb5dd22a08f in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:806:49
#4 0x7fb5da587323 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3300:24
#5 0x7fb5daf4d3ca in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SelectionBinding.cpp:1109:24
#6 0x7fb5db93b631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3219:13
#7 0x7fb5de775af1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:484:13
#8 0x7fb5de775369 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:576:12
#9 0x7fb5de776e2f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:639:10
#10 0x7fb5de76a38b in CallFromStack src/js/src/vm/Interpreter.cpp:643:10
#11 0x7fb5de76a38b in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3332:16
#12 0x7fb5de760a16 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:456:10
#13 0x7fb5de7752c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:611:13
#14 0x7fb5de776e2f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:639:10
#15 0x7fb5de77700f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:656:8
#16 0x7fb5de88ab67 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2846:10
#17 0x7fb5db1d410e in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:861:8
#18 0x7fb5da42b96a in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:784:12
#19 0x7fb5da516839 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:797:12
#20 0x7fb5da516839 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:62:13
#21 0x7fb5da39ce20 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:662:12
#22 0x7fb5da39c295 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:690:3
#23 0x7fb5da39c0c4 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:531:13
#24 0x7fb5d84c61d4 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:242:16
#25 0x7fb5d84c4048 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:495:24
#26 0x7fb5d84c2f0d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:394:15
#27 0x7fb5d84c3036 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:162:36
#28 0x7fb5d84cab96 in operator() src/xpcom/threads/TaskController.cpp:83:37
#29 0x7fb5d84cab96 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#30 0x7fb5d84de939 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#31 0x7fb5d84e431a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#32 0x7fb5d8de759f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#33 0x7fb5d8d56553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#34 0x7fb5d8d5646d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#35 0x7fb5d8d5646d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#36 0x7fb5dce34678 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#37 0x7fb5de632b83 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#38 0x7fb5d8de8367 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#39 0x7fb5d8d56553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#40 0x7fb5d8d5646d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#41 0x7fb5d8d5646d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#42 0x7fb5de632677 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#43 0x55c69aafafb8 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#44 0x55c69aafafb8 in main src/browser/app/nsBrowserApp.cpp:303:18
#45 0x7fb5f3afdb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#46 0x55c69aad8fa9 in _start (/home/worker/builds/m-c-20200713155948-fuzzing-debug/firefox-bin+0x16fa9)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/9MmPu2_yDGg6qwDz7lxlpw/index.html

Whiteboard: [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200714214702-d080e46635d3. The bug appears to have been introduced in the following build range: > Start: 7a138231bcdf9f223d26f40da5f29b53d9deffbc (20200710230542) > End: af91f317d081edb4bd9059e4334ae0ddcfe79bb2 (20200710230726) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a138231bcdf9f223d26f40da5f29b53d9deffbc&tochange=af91f317d081edb4bd9059e4334ae0ddcfe79bb2
Flags: needinfo?(krosylight)
Regressed by: 1637624
Has Regression Range: --- → yes

It's https://phabricator.services.mozilla.com/D83092. Probably just uncovered by that assertion rather than a regression?

Flags: needinfo?(krosylight)

Well, sure, but if it can happen then we shouldn't assert it.

Set release status flags based on info from the regressing bug 1637624

status-firefox78: --- → unaffected
status-firefox79: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Severity: -- → S3

I guess this really is a bug in <caption> processing, as the caption frame has NS_FRAME_FIRST_REFLOW | NS_FRAME_IS_DIRTY and they disappear when retrying with the second <caption> removed or a closing tag </table> added. (Edit: Ah no, the closing tag only changes the target frame but the dirtiness tag remains in the second caption.)

Not an expert here, do you have an idea why the frame remains dirty here?

Flags: needinfo?(emilio)

Not really, it seems there's a table layout bug when multiple captions are involved.

We should probably at least file it referencing this test-case, and paper over the bug for now as it was papered over before (unless you want to dig and fix it of course, that's also fine).

Flags: needinfo?(emilio)

Okay, I'll file one and revert the assertion to return NS_ERROR_UNEXPECTED as it did before.

See Also: → 1654362
Assignee: nobody → krosylight
Status: NEW → ASSIGNED
Attachment #9165443 - Attachment description: Bug 1652897 - Remove IS_DIRTY assertion as it can currently happen r=emilio → Bug 1652897 - Remove IS_DIRTY assertion as it currently happens r=emilio
Attachment #9165443 - Attachment description: Bug 1652897 - Remove IS_DIRTY assertion as it currently happens r=emilio → Bug 1652897 - Remove IS_DIRTY assertion as it can currently happen r=emilio
Attachment #9165443 - Attachment description: Bug 1652897 - Remove IS_DIRTY assertion as it can currently happen r=emilio → Bug 1652897 - Remove IS_DIRTY assertion as it currently happens r=emilio
Pushed by krosylight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/064d1e5fe3eb Remove IS_DIRTY assertion as it currently happens r=emilio

https://hg.mozilla.org/mozilla-central/rev/064d1e5fe3eb

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
status-firefox80: fixedverified
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200723032025-de6e53cc7889. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200723032025-de6e53cc7889. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: