Closed Bug 1696505 Opened 3 years ago Closed 2 years ago

Assertion failure: !OuterSVGIsCallingReflowSVG(aFrame) (Do not call under ISVGDisplayableFrame::ReflowSVG!), at src/layout/svg/SVGUtils.cpp:156

Categories

(Core :: SVG, defect)


Tracking


VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox86 --- unaffected
firefox87 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- verified

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html

Assertion failure: !OuterSVGIsCallingReflowSVG(aFrame) (Do not call under ISVGDisplayableFrame::ReflowSVG!), at src/layout/svg/SVGUtils.cpp:156

#0 0x7f525e6d8f07 in mozilla::SVGUtils::ScheduleReflowSVG(nsIFrame*) src/layout/svg/SVGUtils.cpp:155:3
#1 0x7f525e6b4ed8 in mozilla::SVGMarkerObserver::OnRenderingChange() src/layout/svg/SVGObserverUtils.cpp:531:5
#2 0x7f525e6b7341 in OnNonDOMMutationRenderingChange src/layout/svg/SVGObserverUtils.cpp:247:3
#3 0x7f525e6b7341 in mozilla::SVGRenderingObserverSet::InvalidateAll() src/layout/svg/SVGObserverUtils.cpp:1067:19
#4 0x7f525e6b47fe in mozilla::SVGTextFrame::ReflowSVGNonDisplayText() src/layout/svg/SVGTextFrame.cpp:2856:3
#5 0x7f525e697897 in mozilla::SVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) src/layout/svg/SVGContainerFrame.cpp:114:40
#6 0x7f525e6978ef in mozilla::SVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) src/layout/svg/SVGContainerFrame.cpp:119:9
#7 0x7f525e698537 in mozilla::SVGDisplayContainerFrame::ReflowSVG() src/layout/svg/SVGContainerFrame.cpp:336:11
#8 0x7f525e6bc5b0 in mozilla::SVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/svg/SVGOuterSVGFrame.cpp:453:14
#9 0x7f525e3a5ec0 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9645:11
#10 0x7f525e3afa5e in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9818:24
#11 0x7f525e3af004 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4257:11
#12 0x7f525e41da81 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1413:5
#13 0x7f525e41da81 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:965:16
#14 0x7f525f3e2590 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6520:20
#15 0x7f525f3e1f42 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5876:7
#16 0x7f525f3e2ecf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#17 0x7f525ac3679c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1332:3
#18 0x7f525ac35d4a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:938:14
#19 0x7f525ac34287 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:757:9
#20 0x7f525ac351cd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:640:5
#21 0x7f525ac3596c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#22 0x7f5259b71d66 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:616:22
#23 0x7f5259b73273 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:523:10
#24 0x7f525b5f9df1 in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11065:18
#25 0x7f525b5d8610 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10995:9
#26 0x7f525b5e934c in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7559:3
#27 0x7f525b65a526 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#28 0x7f525b65a526 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#29 0x7f525b65a526 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#30 0x7f52599c7d92 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:146:20
#31 0x7f52599ce30f in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#32 0x7f52599cc886 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:753:26
#33 0x7f52599cb6e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#34 0x7f52599cb897 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#35 0x7f52599d2126 in operator() src/xpcom/threads/TaskController.cpp:133:37
#36 0x7f52599d2126 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#37 0x7f52599e3617 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#38 0x7f52599e9a6a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#39 0x7f525a2fff16 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#40 0x7f525a26b553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#41 0x7f525a26b46d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#42 0x7f525a26b46d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#43 0x7f525e0c9828 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#44 0x7f525f908283 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#45 0x7f525a300dfc in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#46 0x7f525a26b553 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#47 0x7f525a26b46d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#48 0x7f525a26b46d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#49 0x7f525f907e58 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#50 0x55768eacff86 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#51 0x55768eacff86 in main src/browser/app/nsBrowserApp.cpp:306:18
#52 0x7f52705250b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#53 0x55768eaadd2c in _start (/home/worker/builds/m-c-20210215162656-fuzzing-debug/firefox-bin+0x14d2c)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/c-9e6DDl4jibVKGLSh4BtA/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210304215542-5199ec2d73fa.
The bug appears to have been introduced in the following build range:

Start: 6c32d769ff9a1ad140d62f94dc4f7af97fa3f696 (20210213095234)
End: 8e185d82ec0fb93d61cfd697636f5444b39a96cd (20210213074756)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=6c32d769ff9a1ad140d62f94dc4f7af97fa3f696&tochange=8e185d82ec0fb93d61cfd697636f5444b39a96cd

Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(longsonr)
Regressed by: 1691659
Has Regression Range: --- → yes

Note: I see the assertion in question (Do not call under ISVGDisplayableFrame::ReflowSVG) firing on this testcase, in a debug build of the parent of the "regressing" commit (i.e. the parent of bug 1691659's patch), too. The regression here seems to be that bug 1691659 promoted this assertion to be fatal; up until that point it was just log-spew (but it was failing, nonetheless).

longsonr, since you were in this neighborhood recently: do you know how concerning it is that this is firing? Perhaps we should shift it back to be nonfatal?

Severity: -- → S3

We weren't catching these bugs before; now we are, and we can start fixing them. That's a good thing, no?

We can shift it back to non-fatal but then we won't drive out any of these bugs. E.g. bug 1693032.

Flags: needinfo?(longsonr) → needinfo?(dholbert)

Set release status flags based on info from the regressing bug 1691659

Sorry, yeah - I spoke too hastily. To the extent that we have cycles to fix this, then yes, it's great that we've been made aware of a way to trigger this & can now fix it, in which case it's great for it to stay fatal.

But if we can't fix it in the near future, then it would potentially be less-good to leave it in its current fatal state, because it blocks fuzzers from traversing further in debug builds & discovering potentially-more-interesting and/or exploitable bugs that might have testcases similar to this one (which results in them aborting super early before they've triggered the hypothetically-more-interesting/exploitable behavior).

(roc has a good blog post on the subject from many years back, too.)

Flags: needinfo?(dholbert)
Assignee: nobody → longsonr
Status: NEW → ASSIGNED

:jwatt, it looks like this is waiting on your review?

Flags: needinfo?(jwatt)

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.

Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Flags: needinfo?(jwatt)
Attachment #9208921 - Attachment is obsolete: true
Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/16afee6b8e87
stop SVG text reflows triggering other reflows r=jwatt
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221011035404-9dd268c4cf21.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite? → in-testsuite+
