Last Comment Bug 689501 - CSS 3D Poster circle crashes on debug desktop build (Mobile FF)
: CSS 3D Poster circle crashes on debug desktop build (Mobile FF)
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: x86 Linux
: -- normal (vote)
: mozilla10
Assigned To: Matt Woodrow (:mattwoodrow)
:
Mentors:
http://romaxa.bolshe.net/css3d/poster...
Depends on:
Blocks: 505115
  Show dependency treegraph
 
Reported: 2011-09-27 02:08 PDT by Oleg Romashin (:romaxa)
Modified: 2011-09-30 07:33 PDT (History)
4 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase for the assertion (261 bytes, text/html)
2011-09-28 13:36 PDT, Matt Woodrow (:mattwoodrow)
no flags Details
Remove the incorrect assertion (1.29 KB, patch)
2011-09-28 13:37 PDT, Matt Woodrow (:mattwoodrow)
roc: review+
Details | Diff | Review
Fix unbalanced save/restore pair (1.19 KB, patch)
2011-09-29 14:04 PDT, Matt Woodrow (:mattwoodrow)
roc: review+
Details | Diff | Review
Stop using PushGroup for 3d transforms entirely (5.84 KB, patch)
2011-09-29 17:02 PDT, Matt Woodrow (:mattwoodrow)
roc: review+
Details | Diff | Review

Description Oleg Romashin (:romaxa) 2011-09-27 02:08:20 PDT
On attempt to run Fennec with css3d enabled on URL I'm getting error and crash:
****************************
###!!! ASSERTION: Child transform frame must preserve 3d!: 'childFrame->Preserves3D()', file layout/generic/nsFrame.cpp, line 1484
###!!! ASSERTION: Child transform frame must preserve 3d!: 'childFrame->Preserves3D()', file layout/generic/nsFrame.cpp, line 1484
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1916
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000007A3 [./libxul.so +0x01BAFAD3]
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000006D2 [./libxul.so +0x01BAFA02]
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000006D2 [./libxul.so +0x01BAFA02]
mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)+0x00000492 [./libxul.so +0x01BB8DD6]
mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)+0x00000032 [./libxul.so +0x01BB8F3A]
UNKNOWN [./libxul.so +0x01BB8F77]
UNKNOWN [./libxul.so +0x005864A0]
#6  TouchBadMemory (
    msg=0xbfab4e64 "###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1"...)
    at memory/mozalloc/mozalloc_abort.cpp:66
#7  mozalloc_abort (
    msg=0xbfab4e64 "###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1"...)
    at memory/mozalloc/mozalloc_abort.cpp:87
#8  0xb6bec94d in Abort (aMsg=0xa <Address 0xa out of bounds>)
    at xpcom/base/nsDebugImpl.cpp:388
#9  0xb6becb70 in NS_DebugBreak_P (aSeverity=3, aStr=0xb7583528 "PopGroup should always return a surface pattern", 
    aExpr=0xb7582a62 "sourceSurface", 
    aFile=0xb7582bac "gfx/layers/basic/BasicLayers.cpp", aLine=1916) at xpcom/base/nsDebugImpl.cpp:345
#10 0xb6cb0ad3 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b3220, 
---Type <return> to continue, or q <return> to quit---
    aCallback=
    0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0xbfab58a8)
    at gfx/layers/basic/BasicLayers.cpp:1916
#11 0xb6cb0a02 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b30c0, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0xbfab5c68)
    at gfx/layers/basic/BasicLayers.cpp:1903
#12 0xb6cb0a02 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b29e0, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0x0)
    at gfx/layers/basic/BasicLayers.cpp:1903
#13 0xb6cb9dd6 in mozilla::layers::BasicLayerManager::EndTransactionInternal (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=<value optimized out>)
    at gfx/layers/basic/BasicLayers.cpp:1616
#14 0xb6cb9f3a in mozilla::layers::BasicLayerManager::EndTransaction (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=mozilla::layers::LayerManager::END_DEFAULT)
    at gfx/layers/basic/BasicLayers.cpp:1567
#15 0xb6cb9f77 in mozilla::layers::BasicShadowLayerManager::EndTransaction (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=mozilla::layers::LayerManager::END_DEFAULT)
---Type <return> to continue, or q <return> to quit---
    at gfx/layers/basic/BasicLayers.cpp:3262
#16 0xb56874a0 in nsDisplayList::PaintForFrame (this=0xbfab650c, aBuilder=0xbfab614c, aCtx=0x0, aForFrame=0xad4f57e8, 
    aFlags=<value optimized out>)
    at layout/base/nsDisplayList.cpp:627
#17 0xb56876a5 in nsDisplayList::PaintRoot (this=0xbfab650c, aBuilder=0xbfab614c, aCtx=0x0, aFlags=5)
    at layout/base/nsDisplayList.cpp:538
#18 0xb56b7ace in nsLayoutUtils::PaintFrame (aRenderingContext=0x0, aFrame=0xad4f57e8, aDirtyRegion=..., aBackstop=4294967295, 
    aFlags=260) at layout/base/nsLayoutUtils.cpp:1697
#19 0xb56e041b in PresShell::Paint (this=0xb00b9480, aViewToPaint=0xad434cf0, aWidgetToPaint=0xb1559980, aDirtyRegion=..., 
    aIntDirtyRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at layout/base/nsPresShell.cpp:5382
#20 0xb5dbcc45 in nsViewManager::RenderViews (this=0xb158e4c0, aView=0xad434cf0, aWidget=0xb1559980, aRegion=..., 
    aIntRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at view/src/nsViewManager.cpp:416
#21 0xb5dbea6f in nsViewManager::Refresh (this=0xb158e4c0, aView=0xad434cf0, aWidget=0xb1559980, aRegion=..., aUpdateFlags=1)
    at view/src/nsViewManager.cpp:391
#22 0xb5dc1376 in nsViewManager::DispatchEvent (this=0xb158e4c0, aEvent=0xbfab6a1c, aView=0xad434cf0, aStatus=0xbfab68ac)
    at view/src/nsViewManager.cpp:894
#23 0xb5dbafd0 in HandleEvent (aEvent=0xbfab6a1c)
    at view/src/nsView.cpp:159
Comment 1 Matt Woodrow (:mattwoodrow) 2011-09-27 14:31:19 PDT
So the reason that this demo isn't working is you have webkitTransform instead of MozTransform on line 142.

That should not be causing assertions or crashes though, looking into it.
Comment 2 Oleg Romashin (:romaxa) 2011-09-27 14:51:52 PDT
Ok, I did change that to mozTransform, and that works now. I replaced original source with correct coode, and placed old crashy version into http://romaxa.bolshe.net/css3d/poster/poster-circle-crash.html
Comment 3 Matt Woodrow (:mattwoodrow) 2011-09-27 15:21:47 PDT
The assertion is bogus, I believe.

I'll make a proper testcase for this, but the problem is when we have two levels of nested transforms with preserve-3d and a child without a transform.

The initial parent wraps an nsDisplayTransform around the child (so childFrame->IsTransformed() is false). The grandparent then finds this child transform that returns false for Preserves3D() (since it's not actually transformed, just inheriting its parent's transform).

Wrapping these two transforms together is correct, and the assert is wrong.

The crash is much more worrying, since it looks to be a correct abort to me. Would it be possible for you to debug this romaxa? In particular, find out how PopGroupToSurface is returning NULL.
Comment 4 Matt Woodrow (:mattwoodrow) 2011-09-28 13:36:37 PDT
Created attachment 563157 [details]
Testcase for the assertion
Comment 5 Matt Woodrow (:mattwoodrow) 2011-09-28 13:37:17 PDT
Created attachment 563158 [details] [diff] [review]
Remove the incorrect assertion
Comment 6 Matt Woodrow (:mattwoodrow) 2011-09-29 14:04:46 PDT
Created attachment 563548 [details] [diff] [review]
Fix unbalanced save/restore pair

This took *way* too long for me to track down :(
Comment 7 Matt Woodrow (:mattwoodrow) 2011-09-29 17:02:58 PDT
Created attachment 563599 [details] [diff] [review]
Stop using PushGroup for 3d transforms entirely

Sretching the scope of this bug a little, but the previous fix still left us with broken rendering.

Using PushGroup (with the identity matrix set) was causing our temporary surfaces to be clipped to the surface extents, which are in a different coordinate space to the untransformed layer.

This stops using PushGroup for 3d transforms entirely, and just allocates a separate offscreen surface for the intermediate.

This testcase now looks correct for me on a desktop fennec build.

Note You need to log in before you can comment on or make changes to this bug.