Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2484
Categories
(Core :: Layout, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox82 | --- | unaffected |
firefox83 | --- | wontfix |
firefox84 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream], [retriggered])
Crash Data
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev b1a74943bc51 (built with --enable-debug).
Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2484
==1482071==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f524da26abe bp 0x7ffddf4e8180 sp 0x7ffddf4e80e0 T1482071)
==1482071==The signal is caused by a WRITE memory access.
==1482071==Hint: address points to the zero page.
#0 0x7f524da26abe in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2483:3
#1 0x7f524dd7fc2c in TransformFrameRectToAncestor /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:805:12
#2 0x7f524dd7fc2c in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4878:28
#3 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#4 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
#5 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
#6 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
#7 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
#8 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#9 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
#10 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
#11 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
#12 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
#13 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#14 0x7f524dddd598 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8110:36
#15 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
#16 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#17 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
#18 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
#19 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
#20 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
#21 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#22 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
#23 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
#24 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
#25 0x7f524dd7f252 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:5092:27
#26 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#27 0x7f524dddd598 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8110:36
#28 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
#29 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#30 0x7f524dde3626 in nsDisplayMasksAndClipPaths::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9266:36
#31 0x7f524dd78930 in mozilla::PaintedLayerData::CreateInactiveLayerData(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::DisplayItemData*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3794:25
#32 0x7f524dd78ecc in mozilla::PaintedLayerData::Accumulate(mozilla::ContainerState*, nsPaintedDisplayItem*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsRect const&, mozilla::DisplayItemClip const&, mozilla::LayerState, nsDisplayList*, mozilla::DisplayItemEntryType, nsTArray<unsigned long>&, RefPtr<mozilla::TransformClipNode> const&) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:3845:9
#33 0x7f524dd7dd0e in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4600:22
#34 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#35 0x7f524ddd3e89 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6328:36
#36 0x7f524ddd8a5a in nsDisplayAsyncZoom::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7305:26
#37 0x7f524dd7fd9f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:4889:41
#38 0x7f524dd88419 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/FrameLayerBuilder.cpp:6307:9
#39 0x7f524ddbe497 in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2320:28
#40 0x7f524ddbf596 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2535:9
#41 0x7f524da2a4b5 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3463:13
#42 0x7f524d9a7bbc in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6360:5
#43 0x7f524d67949f in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
#44 0x7f524d678f93 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
#45 0x7f524d67a8ff in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
#46 0x7f524d9676c1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2382:11
#47 0x7f524d96eac1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#48 0x7f524d96eac1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#49 0x7f524d96e9ac in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#50 0x7f524d96df58 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
#51 0x7f524d96df58 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
#52 0x7f524d96d860 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
#53 0x7f524d96d2d9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
#54 0x7f524dd2c377 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#55 0x7f5249fe1f15 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#56 0x7f5249d9375d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
#57 0x7f5249a50a0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
#58 0x7f5249a4d1cf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
#59 0x7f5249a4e5d6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
#60 0x7f5249a4f1fb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
#61 0x7f52491482bf in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:245:16
#62 0x7f524914693a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:515:26
#63 0x7f52491459e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:15
#64 0x7f5249145b97 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:171:36
#65 0x7f524914b859 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:88:37
#66 0x7f524914b859 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#67 0x7f524915ca37 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#68 0x7f524916277a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#69 0x7f5249a562a4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#70 0x7f52499c81e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#71 0x7f52499c80fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#72 0x7f52499c80fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#73 0x7f524d6bf538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#74 0x7f524eebfaa3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#75 0x7f5249a570b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#76 0x7f52499c81e3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#77 0x7f52499c80fd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#78 0x7f52499c80fd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#79 0x7f524eebf688 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#80 0x55cdb969c647 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#81 0x55cdb969c647 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#82 0x7f525da630b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#83 0x55cdb967a3f9 in _start (/home/forb1dden/builds/mc-debug/firefox-bin+0x143f9)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2483:3 in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**)
Reporter | ||
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201027044126-46a0e993f8bb.
The bug appears to have been introduced in the following build range:
Start: 459f586ec85a54f60d475d8315db21ba43de742e (20200930235025)
End: 5e28d7b69c23a40b2282e9a1b350fd428c6507ed (20200930235050)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=459f586ec85a54f60d475d8315db21ba43de742e&tochange=5e28d7b69c23a40b2282e9a1b350fd428c6507ed
Comment 2•4 years ago
|
||
I got a crash from the testcase : https://crash-stats.mozilla.org/report/index/d9a9851f-93e3-4ee3-af85-4c4760201027#tab-details
Updated•4 years ago
|
Comment 3•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/byklo3UBdl45ITkcuEOVKQ/index.html
Updated•4 years ago
|
Comment 4•4 years ago
•
|
||
(In reply to Mayank Bansal from comment #2)
I got a crash from the testcase : https://crash-stats.mozilla.org/report/index/d9a9851f-93e3-4ee3-af85-4c4760201027#tab-details
Note, I'm not sure this is correct. This is a crash signature in the gpu process and seems unrelated unless the OOM just happened to show up there first.
More worrisome, this test case freezes the browser completely. Somebody should probably take a look.
Comment 5•4 years ago
|
||
There's a fixed pos mathml element nested inside a few other element. Every element has a transform, so it becomes absolute and not fixed, it's parent is the body block, which seems weird since there are several transformed items in between the fixed pos element and the body that I would expect to be the fixed containing block, but maybe because they are mathml or something they can't be? So the reference frame for the fixed pos content is the body block. The fixed pos content is also inside several svg masks, and the reference frame for the svgs masks is one of the nested transformed elements. Since the fixed pos content is inside the mask we expect the reference frame for the fixed pos content (body) to be a descendant of the reference frame of the svg mask (nested element), but it's not.
Comment 6•4 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #4)
(In reply to Mayank Bansal from comment #2)
I got a crash from the testcase : https://crash-stats.mozilla.org/report/index/d9a9851f-93e3-4ee3-af85-4c4760201027#tab-details
Note, I'm not sure this is correct. This is a crash signature in the gpu process and seems unrelated unless the OOM just happened to show up there first.
More worrisome, this test case freezes the browser completely. Somebody should probably take a look.
I just ran the testcase on my Wintelx64+igfx Nightly, and I got a crash.
https://crash-stats.mozilla.org/report/index/e43f892c-85e8-426c-a25f-e5b590201111
https://crash-stats.mozilla.org/report/index/affe4682-b2b2-4f42-92a2-41fe00201111
https://crash-stats.mozilla.org/report/index/dd1b723c-5300-47d8-9231-f5ae70201111
https://crash-stats.mozilla.org/report/index/d62aff72-c6f1-4683-9c56-f32400201111
Do you want me to open a new bug?
Comment 7•4 years ago
|
||
The stack in comment 0 is from non-wr. For wr we run different code on the display list, and it is possible that the wr code gets confused in a different way from the produced display list.
Comment 8•4 years ago
|
||
Based on comment 1, ni? to Emilio.
Assignee | ||
Comment 9•4 years ago
|
||
Well, I added the assertion that's failing, but this is a pre-existing problem looks like... Anyhow I'll poke.
Assignee | ||
Comment 10•4 years ago
|
||
Otherwise fixed-pos elements still escape the container chain, which is
what the null-abspos container hack (currently used by mathml) is
supposed to prevent.
Assignee | ||
Comment 11•4 years ago
|
||
This fixes the frame tree issue. The WR issue seems unrelated and seems about the insane scales that this test-case applies which causes us to end up with massive elements.
Comment 12•4 years ago
|
||
bisection for the wr issue I got
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4651f71eeb5476a6dc9002a47a45c3a5b17aba6c&tochange=cad27f93a9869351457fc5d5290777420068e173
if anyone ends up filing a new bug for that
Comment 13•4 years ago
|
||
Comment 15•4 years ago
|
||
Comment 17•4 years ago
|
||
Backed out changeset 71d9d66a6a7f (bug 1673524) for mathml failures.
Backout link: https://hg.mozilla.org/integration/autoland/rev/f7fe1e518383e6485dbebcc89573fbfa60d3814a
Failure log: https://treeherder.mozilla.org/logviewer?job_id=321661058&repo=autoland&lineNumber=2477
[task 2020-11-13T03:52:34.989Z] 03:52:34 INFO - TEST-START | /mathml/relations/css-styling/not-participating-to-parent-layout.html
[task 2020-11-13T03:52:35.005Z] 03:52:35 INFO - Closing window 39
[task 2020-11-13T03:52:36.129Z] 03:52:36 INFO -
[task 2020-11-13T03:52:36.129Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "display: none" style
[task 2020-11-13T03:52:36.129Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac preferred width calculation is not affected by children with "position: absolute" style
[task 2020-11-13T03:52:36.129Z] 03:52:36 INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "position: absolute" style - assert_approx_equals: inline size expected 2 +/- 1 but got 104.31666564941406
[task 2020-11-13T03:52:36.129Z] 03:52:36 INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac preferred width calculation is not affected by children with "position: fixed" style
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mfrac layout is not affected by children with "position: fixed" style - assert_approx_equals: inline size expected 2 +/- 1 but got 104.31666564941406
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.130Z] 03:52:36 INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "display: none" style
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "display: none" style
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "position: absolute" style
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - TEST-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "position: absolute" style - assert_approx_equals: inline size expected 8.70001220703125 +/- 1 but got 26.100006103515625
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.131Z] 03:52:36 INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi preferred width calculation is not affected by children with "position: fixed" style
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - TEST-UNEXPECTED-FAIL | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mi layout is not affected by children with "position: fixed" style - assert_approx_equals: inline size expected 8.70001220703125 +/- 1 but got 26.100006103515625
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - compareSize@http://web-platform.test:8000/mathml/support/layout-comparison.js:23:29
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - compareLayout@http://web-platform.test:8000/mathml/support/layout-comparison.js:67:16
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - runTests/</<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:63:30
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:2044:25
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - test@http://web-platform.test:8000/resources/testharness.js:572:30
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - runTests/<@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:61:17
[task 2020-11-13T03:52:36.132Z] 03:52:36 INFO - runTests@http://web-platform.test:8000/mathml/relations/css-styling/not-participating-to-parent-layout.html:29:11
[task 2020-11-13T03:52:36.136Z] 03:52:36 INFO -
[task 2020-11-13T03:52:36.136Z] 03:52:36 INFO - TEST-PASS | /mathml/relations/css-styling/not-participating-to-parent-layout.html | mmultiscripts layout is not affected by children with "display: none" style
...
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 18•4 years ago
|
||
Comment 19•4 years ago
|
||
bugherder |
Comment 20•4 years ago
|
||
Emilio, could you take a look at this please?
Thank you
Updated•4 years ago
|
Assignee | ||
Comment 21•4 years ago
|
||
I was hoping we wouldn't need to do this, oh well.
Assignee | ||
Updated•4 years ago
|
Comment 22•4 years ago
|
||
Reporter | ||
Comment 23•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201114094625-a39af1b7ae7f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 24•4 years ago
|
||
bugherder |
Updated•4 years ago
|
Description
•