Closed
Bug 1683126
Opened 3 years ago
Closed 3 years ago
Assertion failure: !kidFrame->IsPlaceholderFrame() (we should never push fixed pos placeholders), at /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:847
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
87 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | wontfix |
| firefox86 | --- | wontfix |
| firefox87 | --- | verified |
People
(Reporter: bugmon, Assigned: MatsPalmgren_bugz)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 2ab4142f19bc (built with --enable-debug --enable-fuzzing).
Assertion failure: !kidFrame->IsPlaceholderFrame() (we should never push fixed pos placeholders), at /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:847
#0 0x7fd8c183d01d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:846:7
#1 0x7fd8c184e1f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
#2 0x7fd8c193ac70 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageContentFrame.cpp:69:5
#3 0x7fd8c184e1f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
#4 0x7fd8c193be43 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:149:3
#5 0x7fd8c193c060 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageFrame.cpp:176:13
#6 0x7fd8c184dda0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
#7 0x7fd8c17ef6ff in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/PrintedSheetFrame.cpp:196:5
#8 0x7fd8c184e1f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
#9 0x7fd8c194068c in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsPageSequenceFrame.cpp:343:5
#10 0x7fd8c184dda0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1082:14
#11 0x7fd8c1887aa5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
#12 0x7fd8c1888589 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
#13 0x7fd8c188c567 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1280:3
#14 0x7fd8c184e1f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1122:14
#15 0x7fd8c180e18d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:337:7
#16 0x7fd8c171531b in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9676:11
#17 0x7fd8c171ea1e in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9849:24
#18 0x7fd8c171dfe4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4248:11
#19 0x7fd8c1b99987 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1855:14
#20 0x7fd8c1b98f4d in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1448:3
#21 0x7fd8c1b956ca in nsPrintJob::InitPrintDocConstruction(bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1488:5
#22 0x7fd8c1b9c872 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:2675:17
#23 0x7fd8c2c0e0b8 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /builds/worker/checkouts/gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
#24 0x7fd8bdb91b3b in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:234:28
#25 0x7fd8bd8dc60d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8616:32
#26 0x7fd8bd7585be in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
#27 0x7fd8bd754bbd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
#28 0x7fd8bd756066 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
#29 0x7fd8bd756dab in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
#30 0x7fd8bce3ba3f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
#31 0x7fd8bce3a03a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
#32 0x7fd8bce390e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
#33 0x7fd8bce39297 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
#34 0x7fd8bce3f359 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:126:37
#35 0x7fd8bce3f359 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#36 0x7fd8bce508d5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#37 0x7fd8bce5698a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#38 0x7fd8bd75de44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#39 0x7fd8bd6ca363 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#40 0x7fd8bd6ca27d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#41 0x7fd8bd6ca27d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#42 0x7fd8c1442108 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#43 0x7fd8c2c48783 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#44 0x7fd8bd75ed79 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#45 0x7fd8bd6ca363 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#46 0x7fd8bd6ca27d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#47 0x7fd8bd6ca27d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#48 0x7fd8c2c48368 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#49 0x55b2c956ae07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x55b2c956ae07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
#51 0x7fd8d1a820b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
|
Reporter | |
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201217092748-2ab4142f19bc.
The bug appears to have been introduced in the following build range:
Start: a0b52f4d44f2f583fb6a8033c47973737f713bb8 (20201206213246)
End: b4cd29abb74ae321be6176130fcd2130c7179d6d (20201209034903)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a0b52f4d44f2f583fb6a8033c47973737f713bb8&tochange=b4cd29abb74ae321be6176130fcd2130c7179d6d
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 2•3 years ago
•
|
||
Looks like this was regressed by https://hg.mozilla.org/mozilla-central/rev/230b74c414e78e44cc0d589ec704285eb67afb99
I can reproduce this fatal assertion failure in a current mozilla-central debug build, by print-previewing the testcase [using the new print dialog]; but it print-previews just fine if I first disable layout.display-list.improve-fragmentation in about:config.
This seems somewhat concerning (or at least annoying) given that it's a fatal assertion. Hence, classifying as S2 for now. Mats, would you mind taking a look?
Severity: -- → S2
Flags: needinfo?(mats)
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 3•3 years ago
|
||
Sure, I'll take a look...
Assignee: nobody → mats
Flags: needinfo?(mats)
|
|
Assignee | |
Comment 4•3 years ago
|
||
This patch improves nsCanvasFrame::Reflow in a few ways.
First, we now iterate over mFrames and reflow every child.
This makes it more robust visavi the order of any placeholders
and the root frame, and also resilient against a missing root
frame (this fixes the fatal assertion in this bug). We now
also actually reflow all placeholders which wasn't the case
before. It seems like a prudent thing to do.
I also added a separate nsReflowStatus for each child.
We now also call SetOverflowAreasToDesiredBounds() in all
cases. We failed to do that in the 'mFrames.IsEmpty()' case
before, which triggered the assertions in bug 1655630 and
bug 1392106.
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/35053583b9a7 Make nsCanvasFrame::Reflow more robust. r=TYLin
|
||
Comment 6•3 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox87:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
|
|
Reporter | |
Comment 7•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210202033500-babdc3b3a300.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
Keywords: regression
|
|
||
Comment 8•3 years ago
|
||
The patch landed in nightly and beta is affected.
:mats, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(mats)
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
status-firefox85:
--- → wontfix
status-firefox-esr78:
--- → unaffected
|
||
Updated•2 years ago
|
Flags: needinfo?(MatsPalmgren_bugz)
You need to log in
before you can comment on or make changes to this bug.
Description
•