Closed Bug 1741776 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:957

Categories

(Core :: Graphics: WebRender, defect, P3)

Tracking

VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regressed 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20211109-1bedbf784ec9 (--enable-address-sanitizer --enable-fuzzing)

Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:957

#0 0x7f7106321360 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f7106321360 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f7106321296 in mozglue_static::panic_hook::h183adc4d73b027cc /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f7106320615 in core::ops::function::Fn::call::h2c49d8cefb0980e2 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f7107e99587 in std::panicking::rust_panic_with_hook::hd83d5a96a789e1d3 (/home/worker/builds/m-c-20211109093712-fuzzing-asan-opt/libxul.so+0x18407587)
#5 0x7f7104dde5e8 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h5cffcd3c09905dfb /builds/worker/fetches/rust/library/std/src/panicking.rs:544:9
#6 0x7f7104db36d9 in std::sys_common::backtrace::__rust_end_short_backtrace::h1a31b5ce359ddaac /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f70f4586f9c in std::panicking::begin_panic::hf2a51ed4961b214a /builds/worker/fetches/rust/library/std/src/panicking.rs:543:12
#8 0x7f710503ed4e in webrender::spatial_tree::SpatialTree::get_relative_transform_with_face::h8626d9d16120c196 /gecko/gfx/wr/webrender/src/spatial_tree.rs:957:9
#9 0x7f7105024cc0 in webrender::space::SpaceMapper$LT$F$C$T$GT$::set_target_spatial_node::h9a8da5cafc0dbf05 /gecko/gfx/wr/webrender/src/space.rs:73:29
#10 0x7f710513e233 in webrender::picture::PicturePrimitive::propagate_bounding_rect::hd4a52d6d699d4e94 /gecko/gfx/wr/webrender/src/picture.rs:6353:13
#11 0x7f710515361a in webrender::picture_graph::PictureGraph::propagate_bounding_rects::h0aca73798e40e340 /gecko/gfx/wr/webrender/src/picture_graph.rs:136:17
#12 0x7f710509ee3b in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hca85e550d09a2fb9 /gecko/gfx/wr/webrender/src/frame_builder.rs:389:9
#13 0x7f710509ee3b in webrender::frame_builder::FrameBuilder::build::hcfceb1ae26a610c2 /gecko/gfx/wr/webrender/src/frame_builder.rs:584:9
#14 0x7f71051ad082 in webrender::render_backend::Document::build_frame::h025c3bb47ae09797 /gecko/gfx/wr/webrender/src/render_backend.rs:453:25
#15 0x7f71051dcd97 in webrender::render_backend::RenderBackend::update_document::h1efe661c88788063 /gecko/gfx/wr/webrender/src/render_backend.rs:1357:41
#16 0x7f71051c7e9f in webrender::render_backend::RenderBackend::prepare_transactions::hec4e32534e742cd1 /gecko/gfx/wr/webrender/src/render_backend.rs:1206:28
#17 0x7f71051c7e9f in webrender::render_backend::RenderBackend::process_api_msg::h4ea01fe812ce4221 /gecko/gfx/wr/webrender/src/render_backend.rs:1058:17
#18 0x7f7104db6b36 in webrender::render_backend::RenderBackend::run::hcd5c20e118240471 /gecko/gfx/wr/webrender/src/render_backend.rs:722:21
#19 0x7f7104db6b36 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hc32fd3dfe39adfde /gecko/gfx/wr/webrender/src/renderer/mod.rs:1325:13
#20 0x7f7104db6b36 in std::sys_common::backtrace::__rust_begin_short_backtrace::h707c1c3cd5edb57f /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:125:18
#21 0x7f7104e0bcde in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd8f10fa91d3a21d4 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:481:17
#22 0x7f7104e0bcde in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb8fb6945e3d0be79 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#23 0x7f7104e0bcde in std::panicking::try::do_call::h347864793df2690f /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
#24 0x7f7104e0bcde in std::panicking::try::he1f3d83b25eca1a7 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
#25 0x7f7104e0bcde in std::panic::catch_unwind::h4f630a3d4d41bb39 /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
#26 0x7f7104e0bcde in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h88c49cf0f29b96f2 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:480:30
#27 0x7f7104e0bcde in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h6e87c90d8c20f292 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#28 0x7f7107ea0102 in std::sys::unix::thread::Thread::new::thread_start::h3b1213720f18b702 std.ac3adaa7-cgu.2
#29 0x7f7114147608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#30 0x7f7113d0f292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Crash Signature: [@ webrender::spatial_tree::SpatialTree::get_relative_transform_with_face]

A Pernosco session is available here: https://pernos.co/debug/bZ3fZF4LgUiQVo7D3lBTqQ/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211118034937-f172e803d80c.
The bug appears to have been introduced in the following build range:

Start: 3339b501299addf81885d685c1ae1c139e10831b (20210927222840)
End: 72cb687968f86105ec9220c788b4af83240a2297 (20210928000602)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3339b501299addf81885d685c1ae1c139e10831b&tochange=72cb687968f86105ec9220c788b4af83240a2297

Whiteboard: [bugmon:bisected,confirmed]

Seems like someone actually did as the message requested. :)

Severity: -- → S3
Flags: needinfo?(gwatson)
Priority: -- → P3
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

I can reproduce the assertion failure. I suspect it's a bug in how Gecko is producing display lists, but I don't understand the test case very well - so I have some questions!

If I disable that assert, run the page, then save page, and remove the JS, it looks like:

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <style>
      #a {
        rotate: 1deg 1 0 44;
        filter: drop-shadow(81px 6px 0px -moz-mac-menushadow);
      }
    </style>
  </head>
  <body>
    <select id="a" multiple="multiple">
      <option id="b">x
        <content id="c">x
          <ol id="d" style="position: fixed;">x</ol>
        </content>
      </option>
    </select>
  </body>
</html>

If I then load that page, it doesn't trigger the assert. Looking in devtools, the content element is missing. I'm assuming this is because it's not a legal element to have within an option tag, would that be right?

If that's the case, should Gecko be preventing JS from appending the content element to the option, maybe that's the correct fix?

I suspect what's happening is that the JS is producing a DOM structure that's not expected, and that the Gecko DL building code is then producing an invalid display list, since it doesn't expect to see a fixed position element within a select.

NI'ing a couple people who might be able to answer those questions.

Flags: needinfo?(mikokm)
Flags: needinfo?(emilio)

We shouldn't be creating frames for random elements inside <select> as per this code, so yeah that might be the first place to dig into.

Un-assigning for now, Emilio will take a look when time allows. Feel free to re-assign to me if it does still look like a gfx/wr issue.

Assignee: gwatson → nobody
Flags: needinfo?(mikokm)

So on a debug build I get this assert. So yeah at the very least we're creating a malformed display-list.

Assignee: nobody → emilio
Flags: needinfo?(emilio)

We have other code to make sure that options themselves are in-flow, so
we really want abspos boxes not to escape the select element.

Other browsers don't allow having out-of-flow option children at all
(they seem to force descendants to be in-flow). However that seems
fairly more complicated to implement, and I don't think it particularly
matters how we deal with this as long as we deal with it in a
sorta-reasonable way.

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Technically bug 1732596, but it likely caused issues before...

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1f2d586e5968
Make sure <option> is a containing-block for positioned descendants. r=miko
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/31721 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Upstream PR was closed without merging
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4a51ad7f61fb
Make sure <option> is a containing-block for positioned descendants. r=miko
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211125043756-0bfe7aadbc81.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot
Flags: in-testsuite? → in-testsuite+
Regressed by: 1732596
Has Regression Range: --- → yes
Keywords: regression
Regressions: 1743948
Regressions: 1760313
Regressions: 1770532
Regressions: 1807183