1697291 - Assertion failure: nsLayoutUtils::IsAncestorFrameCrossDoc(mAdditionalOffsetFrame, aFrame), at src/layout/painting/nsDisplayList.cpp:1508

Status: RESOLVED FIXED

(Core :: Web Painting, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Assertion failure: nsLayoutUtils::IsAncestorFrameCrossDoc(mAdditionalOffsetFrame, aFrame), at src/layout/painting/nsDisplayList.cpp:1508

#0 0x7fdb0e78ce5e in operator() src/layout/painting/nsDisplayList.cpp:1507:7
#1 0x7fdb0e78ce5e in nsDisplayListBuilder::FindReferenceFrameFor(nsIFrame const*, nsPoint*) const src/layout/painting/nsDisplayList.cpp:1525:9
#2 0x7fdb0e51a371 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3650:21
#3 0x7fdb0e488213 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4201:12
#4 0x7fdb0e46f68d in DisplayLine(nsDisplayListBuilder*, nsLineList_iterator&, bool, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6894:13
#5 0x7fdb0e46e184 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7052:9
#6 0x7fdb0e48837c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4234:14
#7 0x7fdb0e46f68d in DisplayLine(nsDisplayListBuilder*, nsLineList_iterator&, bool, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6894:13
#8 0x7fdb0e46e184 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7052:9
#9 0x7fdb0e519223 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3406:5
#10 0x7fdb0e488213 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4201:12
#11 0x7fdb0e4790a8 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:640:5
#12 0x7fdb0e48837c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4234:14
#13 0x7fdb0e4495ad in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:3
#14 0x7fdb0e48837c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4234:14
#15 0x7fdb0e57f7a7 in BuildPreviousPageOverflow src/layout/generic/nsPageFrame.cpp:618:19
#16 0x7fdb0e57f7a7 in nsPageFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsPageFrame.cpp:669:7
#17 0x7fdb0e519223 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3406:5
#18 0x7fdb0e42b775 in mozilla::PrintedSheetFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/PrintedSheetFrame.cpp:112:16
#19 0x7fdb0e519223 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3406:5
#20 0x7fdb0e3f2465 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3385:17
#21 0x7fdb0e583a45 in nsPageSequenceFrame::PrintNextSheet() src/layout/generic/nsPageSequenceFrame.cpp:674:3
#22 0x7fdb0e7db699 in nsPrintJob::PrintSheet(nsPrintObject*, bool&) src/layout/printing/nsPrintJob.cpp:2351:31
#23 0x7fdb0e7db326 in nsPagePrintTimer::Run() src/layout/printing/nsPagePrintTimer.cpp:74:43
#24 0x7fdb09948fc2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:146:20
#25 0x7fdb0994f58f in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#26 0x7fdb0994db00 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#27 0x7fdb0994c8c4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#28 0x7fdb0994ca77 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#29 0x7fdb099533a6 in operator() src/xpcom/threads/TaskController.cpp:133:37
#30 0x7fdb099533a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#31 0x7fdb09964897 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#32 0x7fdb0996b2aa in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#33 0x7fdb0a291406 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#34 0x7fdb0a1fc853 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#35 0x7fdb0a1fc76d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#36 0x7fdb0a1fc76d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#37 0x7fdb0e079328 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#38 0x7fdb0f8d0e83 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#39 0x7fdb0a2922ec in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#40 0x7fdb0a1fc853 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#41 0x7fdb0a1fc76d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#42 0x7fdb0a1fc76d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#43 0x7fdb0f8d0a58 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#44 0x55880cda2fa6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#45 0x55880cda2fa6 in main src/browser/app/nsBrowserApp.cpp:309:18
#46 0x7fdb208fc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/q9abyH1k9ISXzCQBQWUKDg/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210309161138-5f0f6477c734
mozilla-central 20210309094921-b332567cbbca
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 3

[Tyson Smith [:tsmith]]

Marking as fuzzblocker. The fuzzers are frequently hitting this issue.

Comment 4

[Timothy Nikkel (:tnikkel)]

This cause of the assert is likely specific to printing, so if your fuzzing harness supports it you could still report instances of this assert that don't involve printing.

Comment 5

[Tyson Smith [:tsmith]]

In this case we are already doing so. With these buckets in place the fuzzer will still hit these issues (fairly frequently in this case). This causes unnecessary overhead and can block code paths from being explored. We also run the risk of making buckets that are overly inclusive.

That said we understand resources are limited. Some issues do not have direct impact on end users and other more important tasks may take priority.

We use [fuzzblocker] to indicate that, from the fuzzing perspective, this is important since in many cases it is not obvious. Fixing fuzzblockers really helps unblock the fuzzing pipeline.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1697291 - Remove assertion that doesn't hold. r=miko,tnikkel

When actually printing, we create a temporary display list builder with
a reference frame which is the PrintedSheetFrame for the current frame:

https://searchfox.org/mozilla-central/rev/95c41d54c3fd65d51976d5188842a69b459a7589/layout/generic/nsPageSequenceFrame.cpp#674

So when building overflow from previous sheets, this assertion trivially
fails.

I don't think applying the offset even though the reference frame is the
printed sheet frame rather than the root frame is wrong, so remove the
assert to unblock fuzzers.

I tried to add the current test as a crashtest but it didn't repro on
trunk, so asking for another repro atm.

Comment 7

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 8

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/677cbb499510
Remove assertion that doesn't hold. r=miko

Comment 9

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/29150 for changes under testing/web-platform/tests

Comment 10

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/677cbb499510

Comment 11

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 13

[Marco Castelluccio [:marco]]

Sorry, bug in the bot.