Closed Bug 784061 Opened 12 years ago Closed 12 years ago

Assertion failure: "Non-display SVG do not maintain visual overflow rects"

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox16 --- unaffected
firefox17 - affected

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

testcase
234 bytes, image/svg+xml
Details
backtrace.txt
6.56 KB, text/plain
Details
crashtest patch
1.09 KB, patch
longsonr
: review+
Details | Diff | Splinter Review
Attached image testcase 
Assertion failure: !(mState & (nsFrameState(1) << (43))) || !(mState & (nsFrameState(1) << (22))) (Non-display SVG do not maintain visual overflow rects), at ../../../layout/generic/nsFrame.cpp:5088

This assertion was added recently:

changeset:   ad77846165e3
user:        Jonathan Watt
date:        Tue Aug 14 10:04:24 2012 +0100
summary:     Bug 780963 - Make UpdateOverflow() on filter primitive frames a no-op. r=roc.
Blocks: randomstyles
Is this an assertion benign or something we need to worry about? The assertion is new in Firefox 17, although the issue might be old.
Assignee: nobody → jwatt
status-firefox16: --- → unaffected
status-firefox17: --- → affected
tracking-firefox17: --- → ?
Doesn't seem to assert for me.
Does assert for me. (Linux x86_64 up-to-date debug build)
Could you attach a stack trace, Daniel?
Attached file backtrace.txt 
Sure, here's the backtrace.

The frame in question (which doesn't satisfy the assertion) is a nsSVGPathGeometryFrame, with frame-tree ancestry as follows:

(gdb) p this
$4 = (nsSVGPathGeometryFrame * const) 0x7f7910740600
(gdb) p mParent
$5 = (nsSVGContainerFrame *) 0x7f7910740208
(gdb) p mParent->mParent
$6 = (nsSVGOuterSVGAnonChildFrame *) 0x7f791073fef0
(gdb) p mParent->mParent->mParent
$7 = (nsSVGOuterSVGFrame *) 0x7f791073fd80
This also isn't any sort of unlucky startup race-condition.  I tried performing the testcase's style-tweak manually (in the web developer console), and it triggers the same assertion-failure.
(In reply to Daniel Holbert [:dholbert] from comment #5)
> Sure, here's the backtrace.

Thanks!

(In reply to Daniel Veditz [:dveditz] from comment #1)
> Is this an assertion benign

It's not a security issue, but it is a perf issue to a certain extent. We end up calling UpdateOverflow() up the parent chain which is a complete waste of cycles for non-display SVG.
We should avoid scheduling nsChangeHint_UpdateOverflow restyles for such frames, or, if that's messy, return if we encounter such frames in nsCSSFrameConstructor::ProcessRestyledFrames around these two locations:

http://hg.mozilla.org/mozilla-central/annotate/e327e66a027d/layout/base/nsCSSFrameConstructor.cpp#l8126
http://hg.mozilla.org/mozilla-central/annotate/e327e66a027d/layout/base/nsCSSFrameConstructor.cpp#l8157
Not a security issue, user impact hasn't yet been demonstrated. Please re-nominate if that changes in the future.
tracking-firefox17: ?-
Jonathan, are you working on this. If not, I can do something along the lines of comment 8.
Taking per irc.
Assignee: jwatt → longsonr
Assignee: longsonr → nobody
Doesn't assert any more.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
We should probably check in a crashtest, to be sure it's not just fixed on your configuration and that we don't later regress this.
Flags: in-testsuite?
Attached patch crashtest patchSplinter Review 
This patch adds the testcase (w/ reftest-wait) as a crashtest.
Attachment #677864 - Flags: review?(longsonr)
Attachment #677864 - Flags: review?(longsonr) → review+
This assertion was also mentioned in bug 795592, so maybe this was a dup.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: