Closed
Bug 1922339
Opened 1 year ago
Closed 1 year ago
Assertion failure: aDepth > 0.0f (Perspective must be positive!), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Matrix.h:1700
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
133 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox131 | --- | wontfix |
| firefox132 | --- | wontfix |
| firefox133 | --- | verified |
People
(Reporter: tsmith, Assigned: boris)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20240807-6a1530912556 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aDepth > 0.0f (Perspective must be positive!), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Matrix.h:1700
#0 0x7a2464eb19cb in mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>::Perspective(float) /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Matrix.h:1700:5
#1 0x7a2464eac5fd in nsStyleTransformMatrix::ReadTransforms(mozilla::StyleGenericTranslate<mozilla::StyleLengthPercentageUnion, mozilla::StyleCSSPixelLength> const&, mozilla::StyleGenericRotate<float, mozilla::StyleAngle> const&, mozilla::StyleGenericScale<float> const&, mozilla::ResolvedMotionPathData const*, mozilla::StyleGenericTransform<mozilla::StyleGenericTransformOperation<mozilla::StyleAngle, float, mozilla::StyleCSSPixelLength, int, mozilla::StyleLengthPercentageUnion>> const&, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:616:5
#2 0x7a2464e733f4 in mozilla::AnimationValue::GetScaleValue(nsIFrame const*) const /builds/worker/checkouts/gecko/layout/style/StyleAnimationValue.cpp:148:7
#3 0x7a2464f89f42 in UpdateMinMaxScale /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:371:30
#4 0x7a2464f89f42 in GetMinAndMaxScaleForAnimationProperty /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:441:11
#5 0x7a2464f89f42 in nsLayoutUtils::ComputeSuitableScaleForAnimation(nsIFrame const*, nsSize const&, nsSize const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:463:7
#6 0x7a246092f64c in mozilla::layers::ChooseScale(nsIFrame*, mozilla::nsDisplayItem*, nsRect const&, float, float, mozilla::gfx::BaseMatrix<float> const&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/StackingContextHelper.cpp:70:15
#7 0x7a2460930891 in mozilla::layers::StackingContextHelper::StackingContextHelper(mozilla::layers::StackingContextHelper const&, mozilla::ActiveScrolledRoot const*, nsIFrame*, mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::StackingContextParams const&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) /builds/worker/checkouts/gecko/gfx/layers/wr/StackingContextHelper.cpp:154:16
#8 0x7a24653137a4 in mozilla::nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6694:25
#9 0x7a246096c416 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#10 0x7a246096ace1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#11 0x7a24653137e4 in mozilla::nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6697:30
#12 0x7a246096c416 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#13 0x7a246096ace1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#14 0x7a24653137e4 in mozilla::nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6697:30
#15 0x7a246096c416 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#16 0x7a246096ace1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#17 0x7a246530c233 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4605:30
#18 0x7a246530c233 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4942:12
#19 0x7a246530c233 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5231:22
#20 0x7a246096c416 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#21 0x7a246096ace1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#22 0x7a2460969485 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1780:5
#23 0x7a246097ea88 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:365:30
#24 0x7a24652fb381 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2294:18
#25 0x7a2464f94da2 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3195:9
#26 0x7a2464f05ef2 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6513:5
#27 0x7a2464acf72c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
#28 0x7a2464acf17e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
#29 0x7a2464ad0770 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:896:5
#30 0x7a2464ebde97 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2877:11
#31 0x7a2464ec6a71 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#32 0x7a2464ec6a71 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#33 0x7a2464ec6970 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#34 0x7a2464ec680d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#35 0x7a2464ec5afc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#36 0x7a2464ec4e89 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#37 0x7a246432ec4b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#38 0x7a24645b53c7 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
#39 0x7a24644eb0b0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8260:32
#40 0x7a246002ab5f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
#41 0x7a2460027ae2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
#42 0x7a2460028762 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
#43 0x7a24600298af in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
#44 0x7a245f4a3cd7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#45 0x7a245f499766 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#46 0x7a245f498177 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#47 0x7a245f4985f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#48 0x7a245f4a76a9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:37
#49 0x7a245f4a76a9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#50 0x7a245f4bad6b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#51 0x7a245f4c1a4f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#52 0x7a2460030693 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#53 0x7a245ff83ac1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#54 0x7a245ff83ac1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#55 0x7a2464b36248 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#56 0x7a2464be3848 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#57 0x7a2465aac80b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#58 0x7a2460031536 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#59 0x7a245ff83ac1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#60 0x7a245ff83ac1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#61 0x7a2465aac09b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#62 0x5597dd43608e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
Flags: in-testsuite?
|
Assignee | |
Updated•1 year ago
|
Severity: -- → S3
|
|
Assignee | |
Comment 1•1 year ago
|
||
It looks like we got a NaN in ProcessPerspective().
I suspect this is due to the combination effect from the zoom property on <html>, <body>, and <svg> elements.
|
|
Assignee | |
Comment 2•1 year ago
|
||
So it seems like the parameter of perspective() is affected by zoom property. However, I suspect it shouldn't because changing the length of perspective may result in an entire different projection.
|
|
Assignee | |
Comment 3•1 year ago
|
||
BTW I noticed if we use translateX(10px), we also tried to process a NaN to build the matrix.
|
||
Comment 4•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20241003094710-ed6d212df870.
The bug appears to have been introduced in the following build range:
Start: bde59718573fa4e3d3317f88ee3aa8933f096378 (20240723212856)
End: cbe411e8ee43bc08773dcaead3ca9b64c3843189 (20240723224424)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bde59718573fa4e3d3317f88ee3aa8933f096378&tochange=cbe411e8ee43bc08773dcaead3ca9b64c3843189
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 5•1 year ago
|
||
Setting Bug 1909153 as regressor based on the pushlog in Comment 4. Please correct if needed.
status-firefox131:
--- → wontfix
status-firefox132:
--- → wontfix
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
Regressed by: 1909153
|
||
Comment 6•1 year ago
|
||
:emilio, since you are the author of the regressor, bug 1909153, could you take a look?
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
||
Comment 7•1 year ago
|
||
(In reply to Boris Chiou [:boris] from comment #2)
So it seems like the parameter of perspective() is affected by zoom property. However, I suspect it shouldn't because changing the length of perspective may result in an entire different projection.
That's how zoom works tho, it just multiplies all lengths.
|
|
Assignee | |
Comment 8•1 year ago
•
|
||
Perhaps we could add an error handle here: https://searchfox.org/mozilla-central/rev/ce404cd26e52d09e6a48d664c1986da25df50484/servo/components/style/values/computed/box.rs#410 to avoid NaN, e.g. return value if self.0 is 0?
|
|
Assignee | |
Comment 9•1 year ago
|
||
Also, I noticed the the computation: Zoom(self.0 * specified.0) in compute_effective() return a 0 zoom in this case.
e.g.
Zoom(FixedPoint { value: 2 }) * Zoom(FixedPoint { value: 12 }) = Zoom(FixedPoint { value: 0 })
Perhaps we have to tweak this as well.
|
|
||
Comment 10•1 year ago
|
||
It is expected that enough small zooms eventually turn into zero. Zoom::inverted already deals with that case. Checking for the division by zero and probably returning the value or so makes sense to me.
|
|
Assignee | |
Comment 11•1 year ago
•
|
||
(In reply to Emilio Cobos Álvarez (:emilio) from comment #10)
It is expected that enough small zooms eventually turn into zero. Zoom::inverted already deals with that case. Checking for the division by zero and probably returning the value or so makes sense to me.
I see. When I changed ZOOM_FRACTION_BITS to 8, we wouldn't hit this assertion. However, it is possible to get a very small effective zoom again in other cases.
I will upload a patch to do the error handling because the effective zoom may become zero.
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 12•1 year ago
|
||
The zoom factor is stored as a fixed point number, and the effective zoom may
be close to 0 (because we have to mulitply the zoom values of ancestors).
So we return the value as if the effective zoom was 1.0 if it is close to 0
to avoid returning something like NaN.
|
||
Updated•1 year ago
|
Assignee: nobody → boris.chiou
Status: NEW → ASSIGNED
|
||
Comment 13•1 year ago
|
||
Pushed by bchiou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7ad44be1dfac
Add the error handling if the effective zoom is close to zero. r=layout-reviewers,firefox-style-system-reviewers,emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48505 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 15•1 year ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 17•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20241008042228-b48e31d47d1f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•