Closed Bug 1712855 Opened 4 years ago Closed 3 years ago

Assertion failure: aThebesContext->CurrentOp() == CompositionOp::OP_OVER, at src/layout/base/PresShell.cpp:4542

Categories: Core :: Graphics: ImageLib, defect, P3
Status: VERIFIED FIXED
Target Milestone: 91 Branch

Tracking Status
firefox-esr78 --- unaffected
firefox88 --- unaffected
firefox89 --- unaffected
firefox90 --- disabled
firefox91 --- fixed

People: Reporter: tsmith, Assigned: aosmond
References: Blocks 2 open bugs, Regression
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files

Attached file testcase.html

Found while fuzzing m-c 20210525-8f1b67bbc5af (--enable-debug --enable-fuzzing)

Assertion failure: aThebesContext->CurrentOp() == CompositionOp::OP_OVER, at src/layout/base/PresShell.cpp:4542

#0 0x7f458a3fd5c4 in mozilla::PresShell::RenderDocument(nsRect const&, mozilla::RenderDocumentFlags, unsigned int, gfxContext*) src/layout/base/PresShell.cpp:4542:3
#1 0x7f458742d08a in mozilla::image::SVGDrawingCallback::operator()(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::BaseMatrix<double> const&) src/image/VectorImage.cpp:294:14
#2 0x7f45872a3c95 in gfxCallbackDrawable::Draw(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::ExtendMode, mozilla::gfx::SamplingFilter, double, mozilla::gfx::BaseMatrix<double> const&) src/gfx/thebes/gfxDrawable.cpp:149:12
#3 0x7f458734d84b in CreateSamplingRestrictedDrawable src/gfx/thebes/gfxUtils.cpp:326:14
#4 0x7f458734d84b in gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SamplingFilter, unsigned int, double, bool) src/gfx/thebes/gfxUtils.cpp:553:48
#5 0x7f4587424c1f in mozilla::image::SourceSurfaceBlobImage::RecordDrawing(mozilla::layers::WebRenderLayerManager*, mozilla::wr::IpcResourceUpdateQueue&, mozilla::Maybe<mozilla::wr::BlobImageKey>) src/image/SourceSurfaceBlobImage.cpp:213:5
#6 0x7f4587423ea1 in mozilla::image::SourceSurfaceBlobImage::UpdateKey(mozilla::layers::WebRenderLayerManager*, mozilla::wr::IpcResourceUpdateQueue&) src/image/SourceSurfaceBlobImage.cpp:105:21
#7 0x7f4586fee060 in mozilla::layers::SharedSurfacesChild::ShareBlob(mozilla::layers::ImageContainer*, mozilla::layers::RenderRootStateManager*, mozilla::wr::IpcResourceUpdateQueue&, mozilla::wr::BlobImageKey&) src/gfx/layers/ipc/SharedSurfacesChild.cpp:402:20
#8 0x7f45870a9e90 in mozilla::layers::WebRenderBlobImageData::UpdateImageKey(mozilla::layers::ImageContainer*, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderUserData.cpp:304:7
#9 0x7f4587079093 in mozilla::layers::WebRenderCommandBuilder::CreateBlobImageKey(nsDisplayItem*, mozilla::layers::ImageContainer*, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1953:21
#10 0x7f45870796e5 in mozilla::layers::WebRenderCommandBuilder::PushBlobImage(nsDisplayItem*, mozilla::layers::ImageContainer*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1962:7
#11 0x7f458a86e18e in mozilla::nsImageRenderer::BuildWebRenderDisplayItems(nsPresContext*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayItem*, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) src/layout/painting/nsImageRenderer.cpp:639:36
#12 0x7f458a86e614 in mozilla::nsImageRenderer::BuildWebRenderDisplayItemsForLayer(nsPresContext*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayItem*, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) src/layout/painting/nsImageRenderer.cpp:789:10
#13 0x7f458a80a5f2 in nsCSSRendering::BuildWebRenderDisplayItemsForStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayItem*, mozilla::ComputedStyle*, nsStyleBorder const&) src/layout/painting/nsCSSRendering.cpp:2636:33
#14 0x7f458a80a159 in nsCSSRendering::BuildWebRenderDisplayItemsForStyleImageLayer(nsCSSRendering::PaintBGParams const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayItem*) src/layout/painting/nsCSSRendering.cpp:1901:10
#15 0x7f458a831fb3 in nsDisplayBackgroundImage::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:4039:7
#16 0x7f4587077f8b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#17 0x7f458707665e in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#18 0x7f458a83e25c in CreateWebRenderCommands src/layout/painting/nsDisplayList.cpp:5645:30
#19 0x7f458a83e25c in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:6399:22
#20 0x7f4587077f8b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#21 0x7f458707665e in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#22 0x7f45870753e2 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1593:5
#23 0x7f45870a1cc4 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) src/gfx/layers/wr/WebRenderLayerManager.cpp:368:30
#24 0x7f458a8292d2 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) src/layout/painting/nsDisplayList.cpp:2504:18
#25 0x7f458a48b072 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3492:45
#26 0x7f458a404287 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6399:5
#27 0x7f458a0b33b1 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:459:18
#28 0x7f458a0b2ecb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:394:22
#29 0x7f458a0b443f in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:972:5
#30 0x7f458a3c3065 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2431:11
#31 0x7f458a3ca35a in TickDriver src/layout/base/nsRefreshDriver.cpp:346:13
#32 0x7f458a3ca35a in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:324:7
#33 0x7f458a3ca273 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:340:5
#34 0x7f458a3ca140 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:773:5
#35 0x7f458a3c97a8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:702:16
#36 0x7f458a3c908e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:615:7
#37 0x7f458a3c8b09 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:536:9
#38 0x7f4589bddea6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#39 0x7f4586949d40 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#40 0x7f458674c30c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#41 0x7f4586406a5e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2152:25
#42 0x7f4586402edd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2076:9
#43 0x7f4586404402 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1924:3
#44 0x7f458640517b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1955:13
#45 0x7f4585b3299e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#46 0x7f4585b105d9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:766:26
#47 0x7f4585b0f534 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:621:15
#48 0x7f4585b0f6c3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#49 0x7f4585b361c9 in operator() src/xpcom/threads/TaskController.cpp:141:37
#50 0x7f4585b361c9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#51 0x7f4585b2211f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#52 0x7f4585b28d4a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#53 0x7f458640c314 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#54 0x7f45863749d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#55 0x7f45863748f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#56 0x7f45863748f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#57 0x7f458a0fc868 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#58 0x7f458ba9fc13 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#59 0x7f458640d25a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#60 0x7f45863749d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#61 0x7f45863748f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#62 0x7f45863748f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#63 0x7f458ba9f82e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:34
#64 0x564ca9771b36 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#65 0x564ca9771b36 in main src/browser/app/nsBrowserApp.cpp:313:18
#66 0x7f459c4810b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#67 0x564ca974e93c in _start (/home/worker/builds/m-c-20210517212600-fuzzing-debug/firefox-bin+0x1593c)
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210525153449-4db2640cb0cd.
The bug appears to have been introduced in the following build range:

Start: 7b60e48c59aa3de1e55d39d5a5f126a586e6599a (20210513181651)
End: 6a727ff076e31d58e8cadb218e13d7f1fde3fb8f (20210513195255)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b60e48c59aa3de1e55d39d5a5f126a586e6599a&tochange=6a727ff076e31d58e8cadb218e13d7f1fde3fb8f

Whiteboard: [bugmon:bisected,confirmed]

Assuming bug 1704792

Flags: needinfo?(aosmond)
Regressed by: 1704792
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1704792

Assignee: nobody → aosmond
Severity: -- → S3
Flags: needinfo?(aosmond)
Priority: -- → P3
Component: Graphics: Text → ImageLib

Andrew, I see the patch was approved, should it land?

Flags: needinfo?(aosmond)

Andrew mentioned on Matrix the feature is disabled (bug 1713651), so this assertion is effectively harmless for now. We just need to make sure this is fixed before enabling the feature again.

Flags: needinfo?(aosmond)
Pushed by aosmond@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7b80ff096f0e
Fix assertion when recording SVG image blobs with non-integer translation transforms. r=jrmuizel
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210622212907-536a892dd51f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Regressions: 1723741