CSS 3D Poster circle crashes on debug desktop build (Mobile FF)

RESOLVED FIXED in mozilla10

Status

()

Core
Graphics
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: romaxa, Assigned: mattwoodrow)

Tracking

Trunk
mozilla10
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
On attempt to run Fennec with css3d enabled on URL I'm getting error and crash:
****************************
###!!! ASSERTION: Child transform frame must preserve 3d!: 'childFrame->Preserves3D()', file layout/generic/nsFrame.cpp, line 1484
###!!! ASSERTION: Child transform frame must preserve 3d!: 'childFrame->Preserves3D()', file layout/generic/nsFrame.cpp, line 1484
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file gfx/thebes/gfxASurface.h, line 119
###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1916
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000007A3 [./libxul.so +0x01BAFAD3]
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000006D2 [./libxul.so +0x01BAFA02]
mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*)+0x000006D2 [./libxul.so +0x01BAFA02]
mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)+0x00000492 [./libxul.so +0x01BB8DD6]
mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)+0x00000032 [./libxul.so +0x01BB8F3A]
UNKNOWN [./libxul.so +0x01BB8F77]
UNKNOWN [./libxul.so +0x005864A0]
#6  TouchBadMemory (
    msg=0xbfab4e64 "###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1"...)
    at memory/mozalloc/mozalloc_abort.cpp:66
#7  mozalloc_abort (
    msg=0xbfab4e64 "###!!! ABORT: PopGroup should always return a surface pattern: 'sourceSurface', file gfx/layers/basic/BasicLayers.cpp, line 1"...)
    at memory/mozalloc/mozalloc_abort.cpp:87
#8  0xb6bec94d in Abort (aMsg=0xa <Address 0xa out of bounds>)
    at xpcom/base/nsDebugImpl.cpp:388
#9  0xb6becb70 in NS_DebugBreak_P (aSeverity=3, aStr=0xb7583528 "PopGroup should always return a surface pattern", 
    aExpr=0xb7582a62 "sourceSurface", 
    aFile=0xb7582bac "gfx/layers/basic/BasicLayers.cpp", aLine=1916) at xpcom/base/nsDebugImpl.cpp:345
#10 0xb6cb0ad3 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b3220, 
---Type <return> to continue, or q <return> to quit---
    aCallback=
    0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0xbfab58a8)
    at gfx/layers/basic/BasicLayers.cpp:1916
#11 0xb6cb0a02 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b30c0, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0xbfab5c68)
    at gfx/layers/basic/BasicLayers.cpp:1903
#12 0xb6cb0a02 in mozilla::layers::BasicLayerManager::PaintLayer (this=0xaff6fa00, aTarget=0xac0af9c0, aLayer=0xb00b29e0, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aReadback=0x0)
    at gfx/layers/basic/BasicLayers.cpp:1903
#13 0xb6cb9dd6 in mozilla::layers::BasicLayerManager::EndTransactionInternal (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=<value optimized out>)
    at gfx/layers/basic/BasicLayers.cpp:1616
#14 0xb6cb9f3a in mozilla::layers::BasicLayerManager::EndTransaction (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=mozilla::layers::LayerManager::END_DEFAULT)
    at gfx/layers/basic/BasicLayers.cpp:1567
#15 0xb6cb9f77 in mozilla::layers::BasicShadowLayerManager::EndTransaction (this=0xaff6fa00, 
    aCallback=0xb562f720 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfab614c, aFlags=mozilla::layers::LayerManager::END_DEFAULT)
---Type <return> to continue, or q <return> to quit---
    at gfx/layers/basic/BasicLayers.cpp:3262
#16 0xb56874a0 in nsDisplayList::PaintForFrame (this=0xbfab650c, aBuilder=0xbfab614c, aCtx=0x0, aForFrame=0xad4f57e8, 
    aFlags=<value optimized out>)
    at layout/base/nsDisplayList.cpp:627
#17 0xb56876a5 in nsDisplayList::PaintRoot (this=0xbfab650c, aBuilder=0xbfab614c, aCtx=0x0, aFlags=5)
    at layout/base/nsDisplayList.cpp:538
#18 0xb56b7ace in nsLayoutUtils::PaintFrame (aRenderingContext=0x0, aFrame=0xad4f57e8, aDirtyRegion=..., aBackstop=4294967295, 
    aFlags=260) at layout/base/nsLayoutUtils.cpp:1697
#19 0xb56e041b in PresShell::Paint (this=0xb00b9480, aViewToPaint=0xad434cf0, aWidgetToPaint=0xb1559980, aDirtyRegion=..., 
    aIntDirtyRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at layout/base/nsPresShell.cpp:5382
#20 0xb5dbcc45 in nsViewManager::RenderViews (this=0xb158e4c0, aView=0xad434cf0, aWidget=0xb1559980, aRegion=..., 
    aIntRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at view/src/nsViewManager.cpp:416
#21 0xb5dbea6f in nsViewManager::Refresh (this=0xb158e4c0, aView=0xad434cf0, aWidget=0xb1559980, aRegion=..., aUpdateFlags=1)
    at view/src/nsViewManager.cpp:391
#22 0xb5dc1376 in nsViewManager::DispatchEvent (this=0xb158e4c0, aEvent=0xbfab6a1c, aView=0xad434cf0, aStatus=0xbfab68ac)
    at view/src/nsViewManager.cpp:894
#23 0xb5dbafd0 in HandleEvent (aEvent=0xbfab6a1c)
    at view/src/nsView.cpp:159
(Assignee)

Comment 1

6 years ago
So the reason that this demo isn't working is you have webkitTransform instead of MozTransform on line 142.

That should not be causing assertions or crashes though, looking into it.
(Reporter)

Comment 2

6 years ago
Ok, I did change that to mozTransform, and that works now. I replaced original source with correct coode, and placed old crashy version into http://romaxa.bolshe.net/css3d/poster/poster-circle-crash.html
(Assignee)

Comment 3

6 years ago
The assertion is bogus, I believe.

I'll make a proper testcase for this, but the problem is when we have two levels of nested transforms with preserve-3d and a child without a transform.

The initial parent wraps an nsDisplayTransform around the child (so childFrame->IsTransformed() is false). The grandparent then finds this child transform that returns false for Preserves3D() (since it's not actually transformed, just inheriting its parent's transform).

Wrapping these two transforms together is correct, and the assert is wrong.

The crash is much more worrying, since it looks to be a correct abort to me. Would it be possible for you to debug this romaxa? In particular, find out how PopGroupToSurface is returning NULL.
(Assignee)

Comment 4

6 years ago
Created attachment 563157 [details]
Testcase for the assertion
(Assignee)

Comment 5

6 years ago
Created attachment 563158 [details] [diff] [review]
Remove the incorrect assertion
Attachment #563158 - Flags: review?(roc)
Attachment #563158 - Flags: review?(roc) → review+
(Assignee)

Comment 6

6 years ago
Created attachment 563548 [details] [diff] [review]
Fix unbalanced save/restore pair

This took *way* too long for me to track down :(
Attachment #563548 - Flags: review?(roc)
Attachment #563548 - Flags: review?(roc) → review+
(Assignee)

Comment 7

6 years ago
Created attachment 563599 [details] [diff] [review]
Stop using PushGroup for 3d transforms entirely

Sretching the scope of this bug a little, but the previous fix still left us with broken rendering.

Using PushGroup (with the identity matrix set) was causing our temporary surfaces to be clipped to the surface extents, which are in a different coordinate space to the untransformed layer.

This stops using PushGroup for 3d transforms entirely, and just allocates a separate offscreen surface for the intermediate.

This testcase now looks correct for me on a desktop fennec build.
Attachment #563548 - Attachment is obsolete: true
Attachment #563599 - Flags: review?(roc)
Attachment #563599 - Flags: review?(roc) → review+
(Assignee)

Comment 8

6 years ago
Landed on inbound:

https://hg.mozilla.org/integration/mozilla-inbound/rev/06a077444292
https://hg.mozilla.org/integration/mozilla-inbound/rev/a08928f32bce
Whiteboard: [inbound]
https://hg.mozilla.org/mozilla-central/rev/06a077444292
https://hg.mozilla.org/mozilla-central/rev/a08928f32bce
Assignee: nobody → matt.woodrow
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
Target Milestone: --- → mozilla10
You need to log in before you can comment on or make changes to this bug.