Closed
Bug 1682915
Opened 3 years ago
Closed 3 years ago
Testcase with IntersectionObserver in iframe triggers Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at layout/base/nsLayoutUtils.cpp:2485
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
87 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | wontfix |
| firefox86 | --- | wontfix |
| firefox87 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 5e25722bcc7c (built with --enable-debug).
Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2485
#0 0x7fddbd61759e in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2484:3
#1 0x7fddba717e58 in TransformFrameRectToAncestor /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.h:817:12
#2 0x7fddba717e58 in ComputeTheIntersection /builds/worker/checkouts/gecko/dom/base/DOMIntersectionObserver.cpp:395:7
#3 0x7fddba717e58 in mozilla::dom::DOMIntersectionObserver::Update(mozilla::dom::Document*, double) /builds/worker/checkouts/gecko/dom/base/DOMIntersectionObserver.cpp:641:26
#4 0x7fddba8b5f11 in mozilla::dom::Document::UpdateIntersectionObservations(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/Document.cpp:15471:17
#5 0x7fddbd556477 in nsRefreshDriver::UpdateIntersectionObservations(mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1771:10
#6 0x7fddbd554d22 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2242:3
#7 0x7fddbd55c421 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
#8 0x7fddbd55c421 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
#9 0x7fddbd55c30c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
#10 0x7fddbd55b8b8 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
#11 0x7fddbd55b8b8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
#12 0x7fddbd55b1d0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
#13 0x7fddbd55ac49 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
#14 0x7fddbcd69026 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:69:15
#15 0x7fddb9b616e0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#16 0x7fddb990baac in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#17 0x7fddb95cfbee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
#18 0x7fddb95cc1ed in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
#19 0x7fddb95cd696 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
#20 0x7fddb95ce3db in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
#21 0x7fddb8cb415f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
#22 0x7fddb8cb275a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
#23 0x7fddb8cb1804 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
#24 0x7fddb8cb19b7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
#25 0x7fddb8cb7a06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
#26 0x7fddb8cb7a06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#27 0x7fddb8cc8ff5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#28 0x7fddb8ccf0aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#29 0x7fddb95d54c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#30 0x7fddb95419b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#31 0x7fddb95418cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#32 0x7fddb95418cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#33 0x7fddbd2af968 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#34 0x7fddbeab5ac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#35 0x7fddb95d63a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#36 0x7fddb95419b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#37 0x7fddb95418cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#38 0x7fddb95418cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#39 0x7fddbeab56a8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#40 0x55723e394e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x55723e394e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
#42 0x7fddcd8d90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201216214834-5feb91adec85.
The bug appears to have been introduced in the following build range:
Start: 83c6d05bae71db473743c7c67cab882673dd3119 (20201012105712)
End: 2906a77771b3abcc15c2859052c0d170b263133d (20201012110108)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=83c6d05bae71db473743c7c67cab882673dd3119&tochange=2906a77771b3abcc15c2859052c0d170b263133d
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 2•3 years ago
|
||
Per comment 1, it looks like this was a regression from bug 1670327.
emilio, mind taking a look?
Flags: needinfo?(emilio)
Regressed by: 1670327
Summary: Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2485 → Testcase with IntersectionObserver in iframe triggers Assertion failure: IsAncestorFrameCrossDoc(aAncestor.mFrame, aFrame) (Fix the caller), at layout/base/nsLayoutUtils.cpp:2485
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 3•3 years ago
|
||
The assertion was added just in bug 1668156, but sure.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 4•3 years ago
|
||
Any chance to have a pernosco recording of this?
Flags: needinfo?(twsmith)
|
||
Comment 5•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/91vp7wCf0X82mN33Dr-gOQ/index.html
Flags: needinfo?(twsmith)
|
||
Updated•3 years ago
|
Keywords: regression
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
The "compute the intersection" algorithm could deal with this case
easily (right now it doesn't), but the spec doesn't, so let's match the
spec and Safari lacking a compelling use case for this.
Chrome doesn't send a notification which this case, which is definitely
wrong.
|
||
Updated•3 years ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(emilio)
|
||
Updated•3 years ago
|
Severity: -- → S3
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3a6b1d429787 Deal with root == target in intersection observer code. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27592 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 9•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
|
|
||
Comment 10•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210211213143-8afd66ac1339.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•3 years ago
|
Upstream PR merged by moz-wptsync-bot
|
||
Updated•3 years ago
|
status-firefox85:
--- → wontfix
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•