Closed Bug 1673524 Opened 4 years ago Closed 4 years ago

Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2484

Categories

(Core :: Layout, defect)

defect
Not set
normal

VERIFIED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- wontfix
firefox84 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream], [retriggered])

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b1a74943bc51 (built with --enable-debug).

Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2484

==1482071==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f524da26abe bp 0x7ffddf4e8180 sp 0x7ffddf4e80e0 T1482071)
==1482071==The signal is caused by a WRITE memory access.
==1482071==Hint: address points to the zero page.
    #0 0x7f524da26abe in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2483:3
    #1 0x7f524dd7fc2c in TransformFrameRectToAncestor /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:805:12
    #2 0x7f524dd7fc2c in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4878:28
    #3 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #4 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
    #5 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
    #6 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
    #7 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
    #8 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #9 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
    #10 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
    #11 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
    #12 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
    #13 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #14 0x7f524dddd598 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8110:36
    #15 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
    #16 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #17 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
    #18 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
    #19 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
    #20 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
    #21 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #22 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
    #23 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
    #24 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
    #25 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
    #26 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #27 0x7f524dddd598 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8110:36
    #28 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
    #29 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #30 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
    #31 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
    #32 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
    #33 0x7f524dd7dd0e in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4600:22
    #34 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #35 0x7f524ddd3e89 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6328:36
    #36 0x7f524ddd8a5a in nsDisplayAsyncZoom::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7305:26
    #37 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
    #38 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
    #39 0x7f524ddbe497 in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2320:28
    #40 0x7f524ddbf596 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2535:9
    #41 0x7f524da2a4b5 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3463:13
    #42 0x7f524d9a7bbc in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6360:5
    #43 0x7f524d67949f in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
    #44 0x7f524d678f93 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
    #45 0x7f524d67a8ff in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
    #46 0x7f524d9676c1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2382:11
    #47 0x7f524d96eac1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #48 0x7f524d96eac1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
    #49 0x7f524d96e9ac in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #50 0x7f524d96df58 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
    #51 0x7f524d96df58 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
    #52 0x7f524d96d860 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
    #53 0x7f524d96d2d9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
    #54 0x7f524dd2c377 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
    #55 0x7f5249fe1f15 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #56 0x7f5249d9375d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
    #57 0x7f5249a50a0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #58 0x7f5249a4d1cf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #59 0x7f5249a4e5d6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #60 0x7f5249a4f1fb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #61 0x7f52491482bf in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:245:16
    #62 0x7f524914693a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:515:26
    #63 0x7f52491459e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:15
    #64 0x7f5249145b97 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:171:36
    #65 0x7f524914b859 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:88:37
    #66 0x7f524914b859 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #67 0x7f524915ca37 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
    #68 0x7f524916277a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #69 0x7f5249a562a4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #70 0x7f52499c81e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #71 0x7f52499c80fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #72 0x7f52499c80fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #73 0x7f524d6bf538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #74 0x7f524eebfaa3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #75 0x7f5249a570b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #76 0x7f52499c81e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #77 0x7f52499c80fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #78 0x7f52499c80fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #79 0x7f524eebf688 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #80 0x55cdb969c647 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #81 0x55cdb969c647 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #82 0x7f525da630b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #83 0x55cdb967a3f9 in _start (/home/forb1dden/builds/mc-debug/firefox-bin+0x143f9)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2483:3 in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**)
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201027044126-46a0e993f8bb.
The bug appears to have been introduced in the following build range:

Start: 459f586ec85a54f60d475d8315db21ba43de742e (20200930235025)
End: 5e28d7b69c23a40b2282e9a1b350fd428c6507ed (20200930235050)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=459f586ec85a54f60d475d8315db21ba43de742e&tochange=5e28d7b69c23a40b2282e9a1b350fd428c6507ed

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ OOM | large | mozalloc_abort | webrender::api_resources::ApiResources::update ]
Keywords: crash
Regressed by: 1668156
Has Regression Range: --- → yes

(In reply to Mayank Bansal from comment #2)

> I got a crash from the testcase : https://crash-stats.mozilla.org/report/index/d9a9851f-93e3-4ee3-af85-4c4760201027#tab-details

Note, I'm not sure this is correct. This is a crash signature in the gpu process and seems unrelated unless the OOM just happened to show up there first.

More worrisome, this test case freezes the browser completely. Somebody should probably take a look.

Flags: needinfo?(svoisen)

There's a fixed pos mathml element nested inside a few other elements. Every element has a transform, so it becomes absolute and not fixed, its parent is the body block, which seems weird since there are several transformed items in between the fixed pos element and the body that I would expect to be the fixed containing block, but maybe because they are mathml or something they can't be? So the reference frame for the fixed pos content is the body block. The fixed pos content is also inside several svg masks, and the reference frame for the svg masks is one of the nested transformed elements. Since the fixed pos content is inside the mask we expect the reference frame for the fixed pos content (body) to be a descendant of the reference frame of the svg mask (nested element), but it's not.

(In reply to Jim Mathies [:jimm] from comment #4)

> (In reply to Mayank Bansal from comment #2)
>
> > I got a crash from the testcase : https://crash-stats.mozilla.org/report/index/d9a9851f-93e3-4ee3-af85-4c4760201027#tab-details
>
> Note, I'm not sure this is correct. This is a crash signature in the gpu process and seems unrelated unless the OOM just happened to show up there first.
>
> More worrisome, this test case freezes the browser completely. Somebody should probably take a look.

I just ran the testcase on my Wintelx64+igfx Nightly, and I got a crash.
https://crash-stats.mozilla.org/report/index/e43f892c-85e8-426c-a25f-e5b590201111
https://crash-stats.mozilla.org/report/index/affe4682-b2b2-4f42-92a2-41fe00201111
https://crash-stats.mozilla.org/report/index/dd1b723c-5300-47d8-9231-f5ae70201111
https://crash-stats.mozilla.org/report/index/d62aff72-c6f1-4683-9c56-f32400201111

Do you want me to open a new bug?

Flags: needinfo?(jmathies)

The stack in comment 0 is from non-wr. For wr we run different code on the display list, and it is possible that the wr code gets confused in a different way from the produced display list.

Based on comment 1, ni? to Emilio.

Flags: needinfo?(svoisen) → needinfo?(emilio)

Well, I added the assertion that's failing, but this is a pre-existing problem looks like... Anyhow I'll poke.

Assignee: nobody → emilio

Otherwise fixed-pos elements still escape the container chain, which is
what the null-abspos container hack (currently used by mathml) is
supposed to prevent.

This fixes the frame tree issue. The WR issue seems unrelated and seems about the insane scales that this test-case applies which causes us to end up with massive elements.

Flags: needinfo?(jmathies)
Flags: needinfo?(emilio)
Blocks: 1676773
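
The invariant from the analysis above and the effect of the fix's stated behaviour, as an added example that is not part of the bug thread and is not Gecko code. It is a simplified C++ model: `Frame`, `ConstructorState`, `ParentFor`, `PushNullAbsposContainer` and `OffsetToAncestor` are hypothetical names, and the three-frame tree is constructed for illustration.

```cpp
// Added illustration: a simplified model of the frame-tree invariant, not Gecko code.
#include <cstdio>
#include <string>
#include <utility>

struct Frame {
  std::string name;
  Frame* parent;          // frame-tree parent, the chain painting code walks
  bool isReferenceFrame;  // e.g. a transformed frame
  int x;                  // offset from parent, in model units
  Frame(std::string n, Frame* p, bool ref, int dx)
      : name(std::move(n)), parent(p), isReferenceFrame(ref), x(dx) {}
};

// True when `ancestor` is `frame` or reachable from it through parent links.
bool IsAncestorFrame(const Frame* ancestor, const Frame* frame) {
  for (const Frame* f = frame; f; f = f->parent)
    if (f == ancestor) return true;
  return false;
}

// Nearest reference frame at or above `frame`; the root always counts as one.
const Frame* ReferenceFrameFor(const Frame* frame) {
  const Frame* f = frame;
  while (f->parent && !f->isReferenceFrame) f = f->parent;
  return f;
}

// Checked "offset to ancestor": validates the precondition in every build
// instead of relying on a debug-only assertion, and refuses on a caller bug.
bool OffsetToAncestor(const Frame* frame, const Frame* ancestor, int* out) {
  if (!IsAncestorFrame(ancestor, frame)) return false;
  int sum = 0;
  for (const Frame* f = frame; f != ancestor; f = f->parent) sum += f->x;
  *out = sum;
  return true;
}

enum class Position { Static, Absolute, Fixed };

// Containers the frame constructor would hand out-of-flow children to.
// nullptr means "no container: keep the child under its content parent".
struct ConstructorState {
  Frame* absposContainer;
  Frame* fixedContainer;
};

// State pushed when descending into a container that uses the null-abspos
// hack. `alsoFixed` models the behaviour named in the landed patch's title.
ConstructorState PushNullAbsposContainer(ConstructorState s, bool alsoFixed) {
  s.absposContainer = nullptr;
  if (alsoFixed) s.fixedContainer = nullptr;
  return s;
}

// Frame-tree parent chosen for a new child of `contentParent`.
Frame* ParentFor(Position pos, Frame* contentParent, const ConstructorState& s) {
  if (pos == Position::Absolute && s.absposContainer) return s.absposContainer;
  if (pos == Position::Fixed && s.fixedContainer) return s.fixedContainer;
  return contentParent;
}

// Constructed scenario: body > outer (transformed, holds the mask) > inner >
// fixed-pos child. Returns whether the child's reference frame is still at or
// below the mask's reference frame, which is what painting expects.
bool ItemStaysUnderMask(bool fixedRespectsNullContainer) {
  Frame body("body", nullptr, true, 0);
  Frame outer("outer", &body, true, 10);
  Frame inner("inner", &outer, false, 3);

  ConstructorState state{&body, &body};
  state = PushNullAbsposContainer(state, fixedRespectsNullContainer);

  Frame fixedChild("fixed", ParentFor(Position::Fixed, &inner, state), false, 1);
  const Frame* maskReference = &outer;
  const Frame* itemReference = ReferenceFrameFor(&fixedChild);
  return IsAncestorFrame(maskReference, itemReference);
}

int main() {
  std::printf("fixed ignores null container:  under mask = %d\n",
              ItemStaysUnderMask(false));
  std::printf("fixed respects null container: under mask = %d\n",
              ItemStaysUnderMask(true));
  return 0;
}
```

In the first case the fixed-pos child is parented to `body`, so its reference frame sits above the mask's and the ancestor check fails; in the second it stays inside the container chain and the check holds.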
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/71d9d66a6a7f When passing a null abspos containing block, also make fixed pos respect it. r=TYLin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/26517 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Backout by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f7fe1e518383 Backed out changeset 71d9d66a6a7f for mathml failures CLOSED TREE
Upstream PR was closed without merging

Backed out changeset 71d9d66a6a7f (bug 1673524) for mathml failures.

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&fromchange=32fc69f9bd12052e25ebb96e249211f5d8c58efe&searchStr=android%2C7.0%2Cx86-64%2Cdebug%2Cweb%2Cplatform%2Ctests%2Ctest-android-em-7.0-x86_64%2Fdebug-geckoview-web-platform-tests-e10s%2Cwpt2&selectedTaskRun=Y6dRXzt9TtmOtm4gh_KxEg.0&tochange=f7fe1e518383e6485dbebcc89573fbfa60d3814a

Backout link: https://hg.mozilla.org/integration/autoland/rev/f7fe1e518383e6485dbebcc89573fbfa60d3814a

Failure log: https://treeherder.mozilla.org/logviewer?job_id=321661058&repo=autoland&lineNumber=2477

[task 2020-11-13T03:52:34.989Z] 03:52:34     INFO - TEST-START | /mathml/relations/css-styling/not-participating-to-parent-layout.html
[task 2020-11-13T03:52:35.005Z] 03:52:35     INFO - Closing window 39
[task 2020-11-13T03:52:36.129Z] 03:52:36     INFO - 
[task 2020-11-13T03:52:36.129Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "display: none" style 
[task 2020-11-13T03:52:36.129Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac preferred width calculation is not affected by children with "position: absolute" style 
[task 2020-11-13T03:52:36.129Z] 03:52:36     INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "position: absolute" style - assert_approx_equals: inline size expected 2 +/- 1 but got 104.31666564941406
[task 2020-11-13T03:52:36.129Z] 03:52:36     INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac preferred width calculation is not affected by children with "position: fixed" style 
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "position: fixed" style - assert_approx_equals: inline size expected 2 +/- 1 but got 104.31666564941406
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.130Z] 03:52:36     INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "display: none" style 
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "display: none" style 
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "position: absolute" style 
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "position: absolute" style - assert_approx_equals: inline size expected 8.70001220703125 +/- 1 but got 26.100006103515625
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.131Z] 03:52:36     INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "position: fixed" style 
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - TEST-UNEXPECTED-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "position: fixed" style - assert_approx_equals: inline size expected 8.70001220703125 +/- 1 but got 26.100006103515625
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.132Z] 03:52:36     INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.136Z] 03:52:36     INFO - 
[task 2020-11-13T03:52:36.136Z] 03:52:36     INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mmultiscripts layout is not affected by children with "display: none" style 
...
Flags: needinfo?(emilio)
Attachment #9187271 - Attachment description: Bug 1673524 - When passing a null abspos containing block, also make fixed pos respect it. r=mats,TYLin → Bug 1673524 - When passing a null abspos containing block, also make fixed pos respect it. r=TYLin
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e8b25e9932bf When passing a null abspos containing block, also make fixed pos respect it. r=TYLin
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream] → [bugmon:bisected,confirmed], [wptsync upstream], [retriggered]

I was hoping we wouldn't need to do this, oh well.

Flags: needinfo?(emilio)

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201114094625-a39af1b7ae7f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot
Flags: in-testsuite? → in-testsuite+