Open Bug 1683956 Opened 2 years ago Updated 1 year ago

Assertion failure: !preTransformOverflows (InkOverflowRect() won't return the pre-effects rect!), at /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:103

Categories

(Core :: SVG, defect)

Tracking Status
firefox86 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev 8d8d3ecf368f (built with --enable-debug).

Assertion failure: !preTransformOverflows (InkOverflowRect() won't return the pre-effects rect!), at /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:103

    #0 0x7fd215cd4ca5 in mozilla::PreEffectsInkOverflowCollector::PreEffectsInkOverflowRect(nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:102:7
    #1 0x7fd215cd4a54 in mozilla::PreEffectsInkOverflowCollector::AddBox(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:73:29
    #2 0x7fd215a41897 in nsLayoutUtils::GetAllInFlowBoxes(nsIFrame*, nsLayoutUtils::BoxCallback*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3613:5
    #3 0x7fd215caaf31 in mozilla::GetPreEffectsInkOverflowUnion(nsIFrame*, nsIFrame*, nsRect const&, nsPoint const&, bool) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:130:3
    #4 0x7fd215caad86 in mozilla::SVGIntegrationUtils::GetSVGBBoxForNonSVGFrame(nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:239:20
    #5 0x7fd215cd722c in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1002:12
    #6 0x7fd215c91561 in mozilla::FilterInstance::FilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, bool, mozilla::SVGFilterPaintCallback*, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:457:9
    #7 0x7fd215c90c89 in mozilla::FilterInstance::GetPreFilterNeededArea(nsIFrame*, nsRegion const&) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:394:18
    #8 0x7fd215cabc7f in mozilla::SVGIntegrationUtils::GetRequiredSourceForInvalidArea(nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:383:10
    #9 0x7fd215b695d6 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3282:9
    #10 0x7fd215adb2e8 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4261:12
    #11 0x7fd215accd48 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:623:5
    #12 0x7fd215adb438 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #13 0x7fd215b2b289 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3915:15
    #14 0x7fd215adb438 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4300:14
    #15 0x7fd215a9de3b in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:63:5
    #16 0x7fd215b6a716 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3457:5
    #17 0x7fd215a3c35d in nsLayoutUtils::GetFramesForArea(mozilla::RelativeTo, nsRect const&, nsTArray<nsIFrame*>&, nsLayoutUtils::FrameForPointOptions const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2693:10
    #18 0x7fd215a3c0b3 in nsLayoutUtils::GetFrameForPoint(mozilla::RelativeTo, nsPoint, nsLayoutUtils::FrameForPointOptions const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2649:8
    #19 0x7fd21599c229 in mozilla::FindFrameTargetedByInputEvent(mozilla::WidgetGUIEvent*, mozilla::RelativeTo, nsPoint const&, unsigned int) /builds/worker/checkouts/gecko/layout/base/PositionedEventTargeting.cpp:490:22
    #20 0x7fd2159c01c4 in mozilla::PresShell::EventHandler::GetFrameToHandleNonTouchEvent(nsIFrame*, mozilla::WidgetGUIEvent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7179:7
    #21 0x7fd2159bee1e in mozilla::PresShell::EventHandler::ComputeEventTargetFrameAndPresShellAtEventPoint(nsIFrame*, mozilla::WidgetGUIEvent*, mozilla::PresShell::EventHandler::EventTargetData*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7229:7
    #22 0x7fd2159bc015 in mozilla::PresShell::EventHandler::MaybeHandleEventWithAccessibleCaret(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7347:10
    #23 0x7fd2159bbc53 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6877:7
    #24 0x7fd2159bb4f2 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6830:23
    #25 0x7fd215686682 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:750:18
    #26 0x7fd2156863a8 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1133:9
    #27 0x7fd2156bfb51 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:379:37
    #28 0x7fd2127848bd in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:479:21
    #29 0x7fd21519fe08 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1740:10
    #30 0x7fd21519fe08 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1679:3
    #31 0x7fd2151a10f1 in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1646:3
    #32 0x7fd2151a1259 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1611:8
    #33 0x7fd2120ef8af in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5423:56
    #34 0x7fd211b6f30d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8616:32
    #35 0x7fd2119eacfe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #36 0x7fd2119e72fd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #37 0x7fd2119e87a6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #38 0x7fd2119e94eb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #39 0x7fd2110ce19f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #40 0x7fd2110cc79a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #41 0x7fd2110cb844 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #42 0x7fd2110cb9f7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #43 0x7fd2110d1a46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #44 0x7fd2110d1a46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #45 0x7fd2110e3035 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #46 0x7fd2110e90ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #47 0x7fd2119f05d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #48 0x7fd21195ca93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #49 0x7fd21195c9ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #50 0x7fd21195c9ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7fd2156d3458 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #52 0x7fd216edb033 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #53 0x7fd2119f14b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #54 0x7fd21195ca93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #55 0x7fd21195c9ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #56 0x7fd21195c9ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #57 0x7fd216edac18 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #58 0x55e803106e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #59 0x55e803106e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #60 0x7fd225d330b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201222215026-be30820869d8.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: af9a6768731160322cbcbc4a42fa475ed97bfaaf (20191225044743)
End: 54a95a4088a237cd14acc087cb433cb43216fbd1 (20201222093533)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

I tried loading this testcase in debug builds on both Linux and macOS, but didn't hit this assertion; any thoughts on what might be required to reproduce?

Severity: -- → S4
Flags: needinfo?(jkratzer)

(In reply to Jonathan Kew (:jfkthame) from comment #2)
> I tried loading this testcase in debug builds on both Linux and macOS, but didn't hit this assertion; any thoughts on what might be required to reproduce?

The testcase must be served over HTTP in order to reproduce due to the use of XHR. My apologies for not mentioning that in comment 0. Also note, it may take a few reloads in order to reproduce.

Flags: needinfo?(jkratzer)

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 14445d08a3a414c568ee985bec7684c55761ea35 (20210306001811)
End: 4197952997ba47f2b4d1968d57230a4c448ddaa3 (20210306010831)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=14445d08a3a414c568ee985bec7684c55761ea35&tochange=4197952997ba47f2b4d1968d57230a4c448ddaa3
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The original testcase no longer reproduces. However, this bug is still occurring. I'm in the process of reducing a newer testcase that still reproduces this issue. I will attach it here once complete.

Flags: needinfo?(jkratzer)
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 1e6d20eb3a01 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 1e6d20eb3a01 --debug --fuzzing -n mc-debug
    $ python -m grizzly.replay ./mc-debug/firefox ./testcase.zip

Attachment #9194462 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
Keywords: bugmon
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon Analysis
Unable to reproduce bug 1683956 using build mozilla-central 20210327094311-2c4ad7073241. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon