Closed Bug 967267 Opened 11 years ago Closed 9 years ago

Assertion failure: mStyleScopes.Contains(cur) [@TreeMatchContext::AssertHasAllStyleScopes]

Categories: Core :: CSS Parsing and Computation, defect, P3
Version: 29 Branch
Status: RESOLVED WORKSFORME
Reporter: tsmith
Assignee: Unassigned
Keywords: 4 keywords
Attachments: 1 file

Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.

libxul.so!TreeMatchContext::AssertHasAllStyleScopes
libxul.so!TreeMatchContext::SetStyleScopeForSelectorMatching
libxul.so!ContentEnumFunc
libxul.so!RuleHash::EnumerateAllRules
libxul.so!nsCSSRuleProcessor::RulesMatching
libxul.so!_ZL17EnumRulesMatchingI30PseudoElementRuleProcessorDataEbP21nsIStyleRuleProcessorPv
libxul.so!nsStyleSet::FileRules
libxul.so!nsStyleSet::ResolvePseudoElementStyle
libxul.so!mozilla::ElementRestyler::RestyleSelf
libxul.so!mozilla::ElementRestyler::Restyle
libxul.so!mozilla::ElementRestyler::RestyleContentChildren
libxul.so!mozilla::ElementRestyler::RestyleChildren
libxul.so!mozilla::ElementRestyler::Restyle
libxul.so!mozilla::ElementRestyler::RestyleContentChildren
libxul.so!mozilla::ElementRestyler::RestyleChildren
libxul.so!mozilla::ElementRestyler::Restyle
libxul.so!mozilla::ElementRestyler::RestyleContentChildren
libxul.so!mozilla::ElementRestyler::RestyleChildren
libxul.so!mozilla::ElementRestyler::Restyle
libxul.so!mozilla::RestyleManager::ComputeStyleChangeFor
libxul.so!mozilla::RestyleManager::RestyleElement
libxul.so!mozilla::RestyleTracker::ProcessOneRestyle
libxul.so!mozilla::RestyleTracker::DoProcessRestyles
libxul.so!mozilla::RestyleManager::ProcessPendingRestyles
libxul.so!PresShell::FlushPendingNotifications
Crash Signature: [@ TreeMatchContext::AssertHasAllStyleScopes]
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
The testcase contains <style scoped> so I guess this is a regression from bug 508725?
Blocks: 508725
Component: Layout → CSS Parsing and Computation
Keywords: regression
Priority: -- → P3
Also found on sites like hetzler.de/go.to/modix/now/startseite.html with Assertion failure: mStyleScopes.Contains(cur), at c:\work\mozilla\builds\aurora\mozilla\layout\style\nsRuleProcessorData.h:188 on Windows.
OS: Linux → All
Hardware: x86_64 → All
Now also happening on B2G Desktop Debug while running gaia unit tests (specifically, gaia. Stack:

#0 0x00007f3c52ab28ed in nanosleep () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f3c52ab2784 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:137
#2 0x00007f3c50279e18 in ah_crap_handler (signum=11) at /share/code/mozbuild/gecko-dev/toolkit/xre/nsSigHandlers.cpp:88
#3 0x00007f3c50283d19 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fff24832670, context=0x7fff24832540) at /share/code/mozbuild/gecko-dev/profile/dirserviceprovider/src/nsProfileLock.cpp:185
#4 0x00007f3c508631e7 in AsmJSFaultHandler (signum=11, info=0x7fff24832670, context=0x7fff24832540) at /share/code/mozbuild/gecko-dev/js/src/jit/AsmJSSignalHandlers.cpp:979
#5 <signal handler called>
#6 0x00007f3c4fd4b1bb in TreeMatchContext::AssertHasAllStyleScopes (this=0x7fff24832d20, aElement=<optimized out>) at /share/code/mozbuild/gecko-dev/layout/style/nsCSSRuleProcessor.cpp:3705
#7 0x00007f3c4fd4fa66 in TreeMatchContext::SetStyleScopeForSelectorMatching (this=0x7fff24832d20, aSubject=0x7f3c1a0b23e0, aScope=0x0) at /share/code/mozbuild/gecko-dev/layout/style/nsRuleProcessorData.h:190
#8 0x00007f3c4fd4d9b8 in AttributeEnumFunc (aData=0x7fff24832bc0, aSelector=0x7f3c1927ab00) at /share/code/mozbuild/gecko-dev/layout/style/nsCSSRuleProcessor.cpp:2739
#9 EnumerateSelectors (aSelectors=..., aData=aData@entry=0x7fff24832bc0) at /share/code/mozbuild/gecko-dev/layout/style/nsCSSRuleProcessor.cpp:2766
#10 0x00007f3c4fd4f5f4 in nsCSSRuleProcessor::HasAttributeDependentStyle (this=<optimized out>, aData=0x7fff24832ce0) at /share/code/mozbuild/gecko-dev/layout/style/nsCSSRuleProcessor.cpp:2847
#11 0x00007f3c4fdbf683 in SheetHasAttributeStyle (aProcessor=<optimized out>, aData=0x7fff24832ce0) at /share/code/mozbuild/gecko-dev/layout/style/nsStyleSet.cpp:2018
#12 0x00007f3c4f9112d8 in nsBindingManager::WalkRules (this=<optimized out>, aFunc=aFunc@entry=0x7f3c4fdbf674 <SheetHasAttributeStyle(nsIStyleRuleProcessor*, void*)>, aData=aData@entry=0x7fff24832ce0, aCutOffInheritance=aCutOffInheritance@entry=0x7fff24832c7f) at /share/code/mozbuild/gecko-dev/dom/xbl/nsBindingManager.cpp:691
#13 0x00007f3c4fdca226 in nsStyleSet::WalkRuleProcessors (this=this@entry=0x7f3c15a42400, aFunc=aFunc@entry=0x7f3c4fdbf674 <SheetHasAttributeStyle(nsIStyleRuleProcessor*, void*)>, aData=aData@entry=0x7fff24832ce0, aWalkAllXBLStylesheets=aWalkAllXBLStylesheets@entry=false) at /share/code/mozbuild/gecko-dev/layout/style/nsStyleSet.cpp:1156
#14 0x00007f3c4fdcdd08 in nsStyleSet::HasAttributeDependentStyle (this=0x7f3c15a42400, aPresContext=0x7f3917388000, aElement=aElement@entry=0x7f3c1a0b23e0, aAttribute=aAttribute@entry=0x7f3c3e073c70, aModType=aModType@entry=2, aAttrHasChanged=aAttrHasChanged@entry=false) at /share/code/mozbuild/gecko-dev/layout/style/nsStyleSet.cpp:2036
#15 0x00007f3c4fe2c8a6 in mozilla::RestyleManager::AttributeWillChange (this=0x7f3c10ce7400, aElement=aElement@entry=0x7f3c1a0b23e0, aNameSpaceID=aNameSpaceID@entry=0, aAttribute=aAttribute@entry=0x7f3c3e073c70, aModType=aModType@entry=2) at /share/code/mozbuild/gecko-dev/layout/base/RestyleManager.cpp:1003
#16 0x00007f3c4fe09f06 in PresShell::AttributeWillChange (this=0x7f3c10ce8000, aDocument=0x7f3917387800, aElement=0x7f3c1a0b23e0, aNameSpaceID=0, aAttribute=0x7f3c3e073c70, aModType=2) at /share/code/mozbuild/gecko-dev/layout/base/nsPresShell.cpp:4368
#17 0x00007f3c4fa4d371 in nsNodeUtils::AttributeWillChange (aElement=aElement@entry=0x7f3c1a0b23e0, aNameSpaceID=aNameSpaceID@entry=0, aAttribute=aAttribute@entry=0x7f3c3e073c70, aModType=2) at /share/code/mozbuild/gecko-dev/content/base/src/nsNodeUtils.cpp:100
#18 0x00007f3c4f9cf129 in mozilla::dom::Element::SetAttr (this=this@entry=0x7f3c1a0b23e0, aNamespaceID=0, aName=0x7f3c3e073c70, aPrefix=0x0, aValue=..., aNotify=aNotify@entry=true) at /share/code/mozbuild/gecko-dev/content/base/src/Element.cpp:1906
#19 0x00007f3c4fb317f3 in nsGenericHTMLElement::SetAttr (this=0x7f3c1a0b23e0, aNameSpaceID=<optimized out>, aName=<optimized out>, aPrefix=<optimized out>, aValue=..., aNotify=<optimized out>) at /share/code/mozbuild/gecko-dev/content/html/content/src/nsGenericHTMLElement.cpp:905
#20 0x00007f3c4f9cc587 in SetAttr (aNotify=true, aValue=..., aName=<optimized out>, aNameSpaceID=0, this=0x7f3c1a0b23e0) at ../../../dist/include/mozilla/dom/Element.h:432
#21 mozilla::dom::Element::SetAttribute (this=this@entry=0x7f3c1a0b23e0, aName=..., aValue=..., aError=...) at /share/code/mozbuild/gecko-dev/content/base/src/Element.cpp:969
#22 0x00007f3c4f21c511 in mozilla::dom::ElementBinding::setAttribute (cx=0x7f3c10a73510, obj=..., self=0x7f3c1a0b23e0, args=...) at /share/code/mozbuild/gecko-dev/obj-test/dom/bindings/ElementBinding.cpp:332
#23 0x00007f3c4f50c2c0 in mozilla::dom::GenericBindingMethod (cx=0x7f3c10a73510, argc=<optimized out>, vp=<optimized out>) at /share/code/mozbuild/gecko-dev/dom/bindings/BindingUtils.cpp:2348
#24 0x00007f3c50bed844 in js::CallJSNative (cx=0x7f3c10a73510, native=0x7f3c4f50c168 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /share/code/mozbuild/gecko-dev/js/src/jscntxtinlines.h:230
#25 0x00007f3c50bdf128 in js::Invoke (cx=0x7f3c10a73510, args=..., construct=js::NO_CONSTRUCT) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:455
#26 0x00007f3c50bda8c6 in Interpret (cx=0x7f3c10a73510, state=...) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:2551
#27 0x00007f3c50bdef39 in js::RunScript (cx=cx@entry=0x7f3c10a73510, state=...) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:402
#28 0x00007f3c50bdf30b in js::Invoke (cx=cx@entry=0x7f3c10a73510, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:474
#29 0x00007f3c50ad2bab in js_fun_apply (cx=0x7f3c10a73510, argc=<optimized out>, vp=0x7fff24834e78) at /share/code/mozbuild/gecko-dev/js/src/jsfun.cpp:1148
#30 0x00007f3c50bed844 in js::CallJSNative (cx=0x7f3c10a73510, native=0x7f3c50ad2830 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /share/code/mozbuild/gecko-dev/js/src/jscntxtinlines.h:230
#31 0x00007f3c50bdf128 in js::Invoke (cx=cx@entry=0x7f3c10a73510, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:455
#32 0x00007f3c50bdf7a5 in js::Invoke (cx=cx@entry=0x7f3c10a73510, thisv=..., fval=..., argc=argc@entry=2, argv=0x7fff24835118, rval=...) at /share/code/mozbuild/gecko-dev/js/src/vm/Interpreter.cpp:511
#33 0x00007f3c5095baac in js::jit::DoCallFallback (cx=0x7f3c10a73510, frame=0x7fff24835190, stub_=<optimized out>, argc=2, vp=0x7fff24835108, res=...) at /share/code/mozbuild/gecko-dev/js/src/jit/BaselineIC.cpp:8329

Corresponding log messages:

[26172] WARNING: Subdocument container has no frame: file /share/code/mozbuild/gecko-dev/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 28 (0x7f3c148bfc00) [pid = 26172] [serial = 2768] [outer = 0x7f3c148bc400]
--DOCSHELL 0x7f391724b800 == 9 [pid = 26172] [id = 1390]
--DOCSHELL 0x7f3a1780c800 == 8 [pid = 26172] [id = 1391]
++DOCSHELL 0x7f3917220000 == 9 [pid = 26172] [id = 1393]
++DOMWINDOW == 29 (0x7f3c10a18c00) [pid = 26172] [serial = 2769] [outer = (nil)]
[26172] WARNING: Subdocument container has no presshell: file /share/code/mozbuild/gecko-dev/layout/base/nsDocumentViewer.cpp, line 2494
++DOMWINDOW == 30 (0x7f3c10a1a800) [pid = 26172] [serial = 2770] [outer = 0x7f3c10a18c00]
nsBlockReflowContext: Block(ul)(1)@7f3c25404e58 metrics=19200,67360320!
nsBlockReflowContext: Block(div)(7)@7f3c233c5328 metrics=19200,67360320!
[26172] WARNING: cannot SetMetaDataElement: 'NS_SUCCEEDED(rv)', file /share/code/mozbuild/gecko-dev/content/html/document/src/nsHTMLDocument.cpp, line 762
JavaScript warning: app://sharedtest.gaiamobile.org/common/vendor/chai/chai.js?time=1404153427225, line 1135: mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create
nsBlockReflowContext: Block(ul)(1)@7f3c25404e58 metrics=19200,67368960!
nsBlockReflowContext: Block(div)(7)@7f3c233c5328 metrics=19200,67368960!
nsBlockReflowContext: Block(ul)(1)@7f3c25404e58 metrics=19200,67377600!
nsBlockReflowContext: Block(div)(7)@7f3c233c5328 metrics=19200,67377600!
nsBlockReflowContext: Block(ul)(1)@7f3c25404e58 metrics=19200,67386240!
nsBlockReflowContext: Block(div)(7)@7f3c233c5328 metrics=19200,67386240!
nsBlockReflowContext: Block(ul)(1)@7f3c25404e58 metrics=19200,67394880!
nsBlockReflowContext: Block(div)(7)@7f3c233c5328 metrics=19200,67394880!
Assertion failure: mStyleScopes.Contains(cur), at /share/code/mozbuild/gecko-dev/layout/style/nsCSSRuleProcessor.cpp:3705
Bug 1169423 triggers another assertion, but a small change to its testcase makes it trigger this bug's assertion instead.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME