Closed Bug 1688293 Opened 3 years ago Closed 3 years ago

Hit MOZ_CRASH(<html> (0x557e9901b180) has still dirty bit true or animation-only dirty bit true) at servo/ports/geckolib/glue.rs:5869

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

VERIFIED FIXED
87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- wontfix
firefox86 --- fixed
firefox87 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev a2507ffc9d4d (built with --enable-debug).

    #0 0x7f003e0f02b5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
    #1 0x7f003e0f02b5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #2 0x7f003e0f0264 in mozglue_static::panic_hook::h49487e71d2be9419 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
    #3 0x7f003e0efb8b in core::ops::function::Fn::call::hb78177b2e6ef64d4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #4 0x7f003f0e83a5 in std::panicking::rust_panic_with_hook::hfe7e1c684e3e6462 /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:597:17
    #5 0x7f003f0e7ec6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h42939e004b32765c /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:499:13
    #6 0x7f003f0e2efb in std::sys_common::backtrace::__rust_end_short_backtrace::h9d2070f7bf9fd56c /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/sys_common/backtrace.rs:141:18
    #7 0x7f003f0e7e28 in rust_begin_unwind /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:495:5
    #8 0x7f003f0e7dda in std::panicking::begin_panic_fmt::h4a7e15187eac098d /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:437:5
    #9 0x7f003ea324e7 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean::h4ae622cde41b1e20 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5869:9
    #10 0x7f003ea3225d in Servo_AssertTreeIsClean /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5883:5
    #11 0x7f003a5beed7 in mozilla::ServoStyleSet::AssertTreeIsClean() /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:959:5
    #12 0x7f003a66d72a in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3077:13
    #13 0x7f003a6471b7 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3111:3
    #14 0x7f003a6471b7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4210:39
    #15 0x7f003a610742 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2194:22
    #16 0x7f003a6183e1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
    #17 0x7f003a6183e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
    #18 0x7f003a6182bf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
    #19 0x7f003a617868 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
    #20 0x7f003a617868 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
    #21 0x7f003a617180 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
    #22 0x7f003a616bf9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
    #23 0x7f0039e15eb6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #24 0x7f0036b94750 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #25 0x7f003693d79c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
    #26 0x7f00365f8fce in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #27 0x7f00365f55cd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #28 0x7f00365f6a76 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #29 0x7f00365f77bb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #30 0x7f0035cd4faf in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:16
    #31 0x7f0035cd358a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:741:26
    #32 0x7f0035cd2634 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:600:15
    #33 0x7f0035cd27e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:384:36
    #34 0x7f0035cd88e9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:126:37
    #35 0x7f0035cd88e9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #36 0x7f0035ce9f55 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #37 0x7f0035cf001a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #38 0x7f00365fe864 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #39 0x7f003656a5a3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #40 0x7f003656a4bd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #41 0x7f003656a4bd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #42 0x7f003a3684f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #43 0x7f003bb84163 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #44 0x7f00365ff79c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #45 0x7f003656a5a3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #46 0x7f003656a4bd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #47 0x7f003656a4bd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #48 0x7f003bb83d38 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #49 0x557e96b4bf26 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #50 0x557e96b4bf26 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
    #51 0x7f004b6d50b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210122212755-5dc361e890c3.
The bug appears to have been introduced in the following build range:

Start: bd5d3910d2a4a819208b4e6f767c2d42a8a8d74d (20201002042125)
End: 2ce12e3e063c43c599ff6acb78be0d9bc038a862 (20201002045338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd5d3910d2a4a819208b4e6f767c2d42a8a8d74d&tochange=2ce12e3e063c43c599ff6acb78be0d9bc038a862

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Robert, do you have the cycles to look at this? Otherwise feel free to return the ni? back to me and I'll poke.

Flags: needinfo?(longsonr)
Regressed by: 1667641
Has Regression Range: --- → yes

The use is a child of a clipPath which means it's nondisplay. As such it doesn't really participate in reflow or display lists directly and perhaps that's why it's not getting whatever is dirty unset - presumably the animation bit because of the CSS animation in the test.

I'm not really sure of the purpose of the servo code here. It's odd that putting a rect as a child of a clipPath doesn't assert (or maybe it does) i.e. what's special about a <use> element?

I think I'd need some help to know where to start here so I think it may be best if I take you up on your offer to poke.

Flags: needinfo?(longsonr) → needinfo?(emilio)
Flags: needinfo?(emilio)

This is unsound. We're restyling, so you're not supposed to post more
restyles and such until we start processing changes. We could make this
specific case work I suppose (because we only post change hints, not
restyles), though turns out this is unneeded because it's redundant, as
nsStyleSVGReset::CalcDifference already returns the right hint when
these properties differ:

https://searchfox.org/mozilla-central/rev/851bbbd9d9a38c2785a24c13b6412751be8d3253/layout/style/nsStyleStruct.cpp#1022
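
A simplified model of the invariant that `Servo_AssertTreeIsClean` checks, and of the point in the comment above about posting invalidations while a restyle is still running. This is an added example, not Gecko or Servo code: the `Node` and `Tree` types, the single `dirty_descendants` bit, the `notifies` link and the five-node tree are assumptions made for illustration.

```rust
// Toy model (assumption, not Gecko/Servo code): posting an invalidation on a
// node marks it for restyle and sets a "dirty descendants" bit on every ancestor.
struct Node { parent: Option<usize>, children: Vec<usize>,
              dirty_descendants: bool, needs_restyle: bool, notifies: Option<usize> }
struct Tree { nodes: Vec<Node>, notify_from_style_hook: bool }

fn node(parent: Option<usize>, children: &[usize], notifies: Option<usize>) -> Node {
    Node { parent, children: children.to_vec(), dirty_descendants: false,
           needs_restyle: false, notifies }
}

impl Tree {
    fn post_invalidation(&mut self, target: usize) {
        self.nodes[target].needs_restyle = true;
        let mut cur = self.nodes[target].parent;
        while let Some(p) = cur {
            self.nodes[p].dirty_descendants = true;
            cur = self.nodes[p].parent;
        }
    }
    // Top-down traversal: each node's bits are cleared as it is visited.
    fn restyle(&mut self, id: usize) {
        let descend = std::mem::take(&mut self.nodes[id].dirty_descendants);
        let observer = self.nodes[id].notifies;
        if std::mem::take(&mut self.nodes[id].needs_restyle) && self.notify_from_style_hook {
            // Style-change hook that invalidates another node mid-traversal,
            // re-dirtying ancestors the traversal has already cleared.
            if let Some(o) = observer { self.post_invalidation(o); }
        }
        if descend {
            for c in self.nodes[id].children.clone() { self.restyle(c); }
        }
    }
    // Post-traversal check: index of the first node still carrying a bit.
    fn first_dirty(&self) -> Option<usize> {
        self.nodes.iter().position(|n| n.dirty_descendants || n.needs_restyle)
    }
}

fn run(notify_from_style_hook: bool) -> Option<usize> {
    let nodes = vec![
        node(None, &[1], None),       // 0: <html>
        node(Some(0), &[2, 3], None), // 1: <svg>
        node(Some(1), &[4], None),    // 2: <clipPath>
        node(Some(1), &[], None),     // 3: element observing the clipPath
        node(Some(2), &[], Some(3)),  // 4: <use> inside the clipPath
    ];
    let mut t = Tree { nodes, notify_from_style_hook };
    t.post_invalidation(4); // e.g. an animation tick changes the <use> style
    t.restyle(0);
    t.first_dirty()
}

fn main() { println!("no hook: {:?}, hook: {:?}", run(false), run(true)); }
```

With the hook enabled the root keeps its bit after the traversal finishes, which is the state the debug assertion reports; with the hook removed the tree ends clean.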

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b117011813b0
SVGUseFrame shouldn't invalidate rendering observers from DidSetComputedStyle. r=longsonr
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27316 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210126092542-06ee1ff0214b.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Comment on attachment 9199109 [details]
Bug 1688293 - SVGUseFrame shouldn't invalidate rendering observers from DidSetComputedStyle. r=longsonr

Beta/Release Uplift Approval Request

  • User impact if declined: Possible correctness issues on styling.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Removes redundant / actually incorrect line of code.
  • String changes made/needed: none
Flags: needinfo?(emilio)
Attachment #9199109 - Flags: approval-mozilla-beta?

Comment on attachment 9199109 [details]
Bug 1688293 - SVGUseFrame shouldn't invalidate rendering observers from DidSetComputedStyle. r=longsonr

Approved for 86 beta 4, thanks.

Attachment #9199109 - Flags: approval-mozilla-beta? → approval-mozilla-beta+