Hit MOZ_CRASH(<html> (0x557e9901b180) has still dirty bit true or animation-only dirty bit true) at servo/ports/geckolib/glue.rs:5869
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox85 | --- | wontfix
firefox86 | --- | fixed
firefox87 | --- | verified
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
- 1016 bytes, text/html
- 48 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+)
Testcase found while fuzzing mozilla-central rev a2507ffc9d4d (built with --enable-debug).
#0 0x7f003e0f02b5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f003e0f02b5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f003e0f0264 in mozglue_static::panic_hook::h49487e71d2be9419 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
#3 0x7f003e0efb8b in core::ops::function::Fn::call::hb78177b2e6ef64d4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f003f0e83a5 in std::panicking::rust_panic_with_hook::hfe7e1c684e3e6462 /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:597:17
#5 0x7f003f0e7ec6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h42939e004b32765c /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:499:13
#6 0x7f003f0e2efb in std::sys_common::backtrace::__rust_end_short_backtrace::h9d2070f7bf9fd56c /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f003f0e7e28 in rust_begin_unwind /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:495:5
#8 0x7f003f0e7dda in std::panicking::begin_panic_fmt::h4a7e15187eac098d /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:437:5
#9 0x7f003ea324e7 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean::h4ae622cde41b1e20 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5869:9
#10 0x7f003ea3225d in Servo_AssertTreeIsClean /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5883:5
#11 0x7f003a5beed7 in mozilla::ServoStyleSet::AssertTreeIsClean() /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:959:5
#12 0x7f003a66d72a in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3077:13
#13 0x7f003a6471b7 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3111:3
#14 0x7f003a6471b7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4210:39
#15 0x7f003a610742 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2194:22
#16 0x7f003a6183e1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
#17 0x7f003a6183e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
#18 0x7f003a6182bf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
#19 0x7f003a617868 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
#20 0x7f003a617868 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
#21 0x7f003a617180 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
#22 0x7f003a616bf9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
#23 0x7f0039e15eb6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#24 0x7f0036b94750 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#25 0x7f003693d79c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#26 0x7f00365f8fce in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
#27 0x7f00365f55cd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
#28 0x7f00365f6a76 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
#29 0x7f00365f77bb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
#30 0x7f0035cd4faf in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:16
#31 0x7f0035cd358a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:741:26
#32 0x7f0035cd2634 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:600:15
#33 0x7f0035cd27e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:384:36
#34 0x7f0035cd88e9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:126:37
#35 0x7f0035cd88e9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#36 0x7f0035ce9f55 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#37 0x7f0035cf001a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#38 0x7f00365fe864 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#39 0x7f003656a5a3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#40 0x7f003656a4bd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#41 0x7f003656a4bd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#42 0x7f003a3684f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#43 0x7f003bb84163 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#44 0x7f00365ff79c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#45 0x7f003656a5a3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#46 0x7f003656a4bd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#47 0x7f003656a4bd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#48 0x7f003bb83d38 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#49 0x557e96b4bf26 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x557e96b4bf26 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
#51 0x7f004b6d50b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210122212755-5dc361e890c3.
The bug appears to have been introduced in the following build range:
Start: bd5d3910d2a4a819208b4e6f767c2d42a8a8d74d (20201002042125)
End: 2ce12e3e063c43c599ff6acb78be0d9bc038a862 (20201002045338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd5d3910d2a4a819208b4e6f767c2d42a8a8d74d&tochange=2ce12e3e063c43c599ff6acb78be0d9bc038a862
Comment 2•4 years ago (Assignee)
Robert, do you have the cycles to look at this? Otherwise feel free to return the ni? back to me and I'll poke.
Comment 3•4 years ago
The use is a child of a clipPath which means it's nondisplay. As such it doesn't really participate in reflow or display lists directly and perhaps that's why it's not getting whatever is dirty unset - presumably the animation bit because of the CSS animation in the test.
I'm not really sure of the purpose of the servo code here. It's odd that putting a rect as a child of a clipPath doesn't assert (or maybe it does) i.e. what's special about a <use> element?
I think I'd need some help to know where to start here so I think it may be best if I take you up on your offer to poke.
Comment 4•4 years ago (Assignee)
This is unsound. We're restyling, so you're not supposed to post more
restyles and such until we start processing changes. We could make this
specific case work I suppose (because we only post change hints, not
restyles), though turns out this is unneeded because it's redundant, as
nsStyleSVGReset::CalcDifference already returns the right hint when
these properties differ:
Comment 7•4 years ago
bugherder
Comment 9•4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210126092542-06ee1ff0214b.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 10•4 years ago
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 11•4 years ago (Assignee)
Comment on attachment 9199109 [details]
Bug 1688293 - SVGUseFrame shouldn't invalidate rendering observers from DidSetComputedStyle. r=longsonr
Beta/Release Uplift Approval Request
- User impact if declined: Possible correctness issues on styling.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Removes redundant / actually incorrect line of code.
- String changes made/needed: none
Comment 12•4 years ago
Comment on attachment 9199109 [details]
Bug 1688293 - SVGUseFrame shouldn't invalidate rendering observers from DidSetComputedStyle. r=longsonr
Approved for 86 beta 4, thanks.
Comment 13•4 years ago
bugherder uplift