Seen on aries device with current trunk and debug gecko during monkey testing the Homescreen.

[Blocking Requested - why for this release]:

I hit this fairly often with the homescreen

Matt, do you know this code?

Nope, looks like bz and mats worked on this recently.

I don't have any deeper knowledge of what this assertion is trying to catch. I just tacked on the "display:contents" test there. dbaron or bzbarsky probably knows what the assertion is for.

triage: It's hard to make a blocking call here without more info about the frequency/severity of this issue. Gregor, can you make the call on this one?

The assertion sounds bad enough to treat it as a blocker until proven otherwise.

I am busy until September 1 but I'll look into it then.

The assertion probably means that we got our "are we a restyle root" bit on an Element out of sync with the array of of restyle roots in RestyleTracker::mRestyleRoots. This might cause elements to be not restyled when they should. I wonder if this is a regression.

This is still happening. Cameron, do you have time now to investigate?

I do; I'll try to reproduce it tomorrow.

Gregor, do you have STR? I've just been playing around with the homescreen on a debug build on my Z3C but haven't encountered the assertion.

Oh I posted them in the bug I marked as duplicate. STR: Open settings Open Date & Time panel

Hmm, that doesn't seem to work for me. I am on a Gecko (89f4a647c549ec43791b0dfd771d3b923e93736c) and Gaia (3337e2b5a9f5acc8eb7c771ca165ec8b2d435264) that I updated to this morning. I don't get any assertions when going into the Date & Time panel. (I do see the usual "rule tree still referenced" / "old rule node" assertions at various points.)

I still hit the assertion. Lets see what we do different.

I just confirmed that "ac_add_options --enable-profiling" isn't the cause for the assertion.

No-Jun can you reproduce this issue with your debug build?

I haven't seen this in flame device before, I just flashed a debug build to my aries - I can't seem to get that exception. on Aries: I/GeckoDump( 320): AdbController: Failed to get key: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getCharPref]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: chrome://b2g/content/shell.js :: checkReloadKey :: line 503" data: no] UPDATE: but on flame, I just flashed the latest gaia in master, and now I get a crash (they're libxul errors though) https://crash-stats.mozilla.org/report/index/da81f75f-fd3d-47b2-be98-94d392151015

Hm not sure what the difference is. It's 100% reproducible for me. I tried to flash gaia in many different ways but the settings app is always asserting.

Are these builds you generate on try, or locally? Can you get a build to me so I can try it on my phone?

Plus the particular Gaia/Gecko revisions you built off so I've got the right sources for debugging.

I just downloaded a 'debug build' from b-i but the assertion doesn't trigger. The build seems way too fast for a debug build :/ So thats not very helpful.

Dave can also reproduce it in https://bugzilla.mozilla.org/show_bug.cgi?id=1207139#c19

Dave, can you tell me what Gaia/Gecko revision you built that exhibits the crash you mention in bug 1207139 comment 19? I'm assuming it's a DEBUG build. Any other pertinent build options? Are you on a Z3C too? Thanks.

(In reply to Cameron McCormack (:heycam) from comment #27) > Dave, can you tell me what Gaia/Gecko revision you built that exhibits the > crash you mention in bug 1207139 comment 19? I'm assuming it's a DEBUG > build. Any other pertinent build options? Are you on a Z3C too? Thanks. I was doing a debug eng build on aries. My gaia was at 01f886b8177a2765c125fa94582047a4265c9341 I normally build against b2g-inbound and was at: 268726:ea9151436305 My logcat produced just before touching Date & Time until the crash is: > 23:24:29.846 2524/2524 Gecko I [Child 2524] WARNING: Channel provided to SetRequestContext is not an nsIHttpChannel so referrer is not available for reporting.: file /home/work/B2G-aries/b2g-inbound/dom/security/nsCSPContext.cpp, line 632 > 23:24:29.906 2524/2524 Settings W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://settings.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 14 column: 212 source: " var(--label-color)"}] > 23:24:30.176 1644/1644 Gecko I [Parent 1644] WARNING: Channel needed (but null) in SetRequestContext. Cannot query loadgroup, which means report sending may fail.: file /home/work/B2G-aries/b2g-inbound/dom/security/nsCSPContext.cpp, line 622 > 23:24:30.176 1644/1644 Gecko I [Parent 1644] WARNING: Channel provided to SetRequestContext is not an nsIHttpChannel so referrer is not available for reporting.: file /home/work/B2G-aries/b2g-inbound/dom/security/nsCSPContext.cpp, line 632 > 23:24:30.186 1644/1644 Gecko I [Parent 1644] WARNING: Channel needed (but null) in SetRequestContext. Cannot query loadgroup, which means report sending may fail.: file /home/work/B2G-aries/b2g-inbound/dom/security/nsCSPContext.cpp, line 622 > 23:24:30.186 1644/1644 Gecko I [Parent 1644] WARNING: Channel provided to SetRequestContext is not an nsIHttpChannel so referrer is not available for reporting.: file /home/work/B2G-aries/b2g-inbound/dom/security/nsCSPContext.cpp, line 632 > 23:24:30.226 2524/2524 Settings W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://settings.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 14 column: 212 source: " var(--label-color)"}] > 23:24:30.236 2524/2524 Settings W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://settings.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 14 column: 212 source: " var(--label-color)"}] > 23:24:30.236 2524/2524 Settings W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://settings.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 14 column: 212 source: " var(--label-color)"}] > 23:24:30.246 2524/2524 Settings W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://settings.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 14 column: 212 source: " var(--label-color)"}] > 23:24:30.596 1644/1644 Gecko I > 23:24:30.596 1644/1644 Gecko I ###!!! [Parent][MessageChannel] Error: (msgtype=0x280082,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv > 23:24:30.596 1644/1644 Gecko I > 23:24:30.596 1644/1677 Gecko I [Parent 1644] WARNING: pipe error (198): Connection reset by peer: file /home/work/B2G-aries/b2g-inbound/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459 > 23:24:30.616 1644/1644 Gecko I ############ ErrorPage.js > 23:24:30.656 1796/1796 Gecko I [Child 1796] ###!!! ASSERTION: Child frames aren't sorted correctly: '(!mFrames.IsEmpty() && mFrames.FirstChild()->GetContent()->GetContainingShadow()) || nsIFrame::IsFrameListSorted<IsOrderLEQWithDOMFallback>(mFrames)', file /home/work/B2G-aries/b2g-inbound/layout/generic/nsFlexContainerFrame.cpp, line 1975 > 23:24:30.676 1644/1644 Gecko I [Parent 1644] ###!!! ASSERTION: unknown process type: 'Error', file /home/work/B2G-aries/b2g-inbound/dom/ipc/CrashReporterParent.cpp, line 129 > 23:24:30.676 1644/1644 Gecko I XXX FIXME : Dispatch a mozChromeEvent: default-volume-channel-changed > 23:24:30.696 1644/1644 GeckoDump I Crash reporter : Can't fetch app.reportCrashes. Exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getBoolPref]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: chrome://b2g/content/shell.js :: shell_reportCrash :: line 184" data: no] > 23:24:30.696 1644/1644 Gecko I XXX FIXME : Dispatch a mozChromeEvent: handle-crash > 23:24:30.866 1796/1796 Gecko I [Child 1796] ###!!! ASSERTION: Child frames aren't sorted correctly: '(!mFrames.IsEmpty() && mFrames.FirstChild()->GetContent()->GetContainingShadow()) || nsIFrame::IsFrameListSorted<IsOrderLEQWithDOMFallback>(mFrames)', file /home/work/B2G-aries/b2g-inbound/layout/generic/nsFlexContainerFrame.cpp, line 1975 > 23:24:30.876 1644/1644 OomLogger E [Kill]: diag: In diag_send_log_mask_update, invalid status 0lowmem_shrink: convert oom_adj to oom_score_adj: > 23:24:30.886 1644/1644 OomLogger E [Kill]: lowmem_shrink: convert oom_adj to oom_score_adj: > 23:24:30.996 1796/1796 Gecko I [Child 1796] ###!!! ASSERTION: Child frames aren't sorted correctly: '(!mFrames.IsEmpty() && mFrames.FirstChild()->GetContent()->GetContainingShadow()) || nsIFrame::IsFrameListSorted<IsOrderLEQWithDOMFallback>(mFrames)', file /home/work/B2G-aries/b2g-inbound/layout/generic/nsFlexContainerFrame.cpp, line 1975 > 23:24:31.046 1644/1644 GeckoConsole E [JavaScript Error: "AbortError" {file: "resource://gre/modules/SettingsRequestManager.jsm" line: 401}] > 23:24:31.046 1644/1644 Gecko I -*- SettingsRequestManager: getRequest FAILED time.timezone > 23:24:31.046 1644/1644 Gecko I -*- SettingsRequestManager: Return message failed, Settings:Get:KO: [Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIMessageSender.sendAsyncMessage]" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: resource://gre/modules/SettingsRequestManager.jsm :: returnMessage :: line 1054" data: no] > 23:24:31.086 1644/1644 Gecko I -*- SettingsRequestManager: Transaction for lock {8a9179d7-b61c-4d08-bcf0-048fabbc37f7} aborted > 23:24:31.436 1796/1796 Gecko I [Child 1796] ###!!! ASSERTION: Child frames aren't sorted correctly: '(!mFrames.IsEmpty() && mFrames.FirstChild()->GetContent()->GetContainingShadow()) || nsIFrame::IsFrameListSorted<IsOrderLEQWithDOMFallback>(mFrames)', file /home/work/B2G-aries/b2g-inbound/layout/generic/nsFlexContainerFrame.cpp, line 1975 > 23:24:31.466 1644/1644 GeckoConsole W [JavaScript Warning: "Property contained reference to invalid variable. Error in parsing value for 'color'. Falling back to 'inherit'." {file: "app://system.gaiamobile.org/shared/elements/gaia_switch/style.css" line: 16 column: 214 source: " var(--label-color)"}] > 23:24:31.826 1644/1644 GeckoConsole E [JavaScript Error: "NS_ERROR_NOT_IMPLEMENTED: SetNFCFocus for in-process mode is not yet supported" {file: "jar:file:///system/b2g/omni.ja!/components/BrowserElementParent.js" line: 994}] > 23:24:31.826 1644/1644 Gecko I [Parent 1644] WARNING: 'NS_FAILED(rv)', file /home/work/B2G-aries/b2g-inbound/dom/html/nsBrowserElement.cpp, line 726 which seems to be different from this bug.

David, can you try the STR from comment 14 if you still run a debug build on your z3c?

Mats, we're crashing here on this bit of the assertion expression: http://hg.mozilla.org/mozilla-central/annotate/b41b92c09fcf/layout/base/RestyleTracker.cpp#l127 element is an HTML <content> element, and GetCurrentDoc() returns null. Should we be using OwnerDoc() instead? I think the element is in a shadow tree (and thus not in the document), and I guess that we still should check whether it's a display:contents element. Is that right?

(In reply to Cameron McCormack (:heycam) (away Nov 3) from comment #30) > element is an HTML <content> element, and GetCurrentDoc() returns null. > Should we be using OwnerDoc() instead? I think the element is in a shadow > tree (and thus not in the document), and I guess that we still should check > whether it's a display:contents element. Is that right? Maybe you want GetComposedDoc() rather than OwnerDoc()?

Help NI :heycam

(In reply to David Baron [:dbaron] ⌚UTC+8 from comment #31) > Maybe you want GetComposedDoc() rather than OwnerDoc()? Yeah; let's try that.

I used GetCrossShadowCurrentDoc as that's what's being used in various other places in this file; it's the same as GetComposedDoc. The if statement just above the assertion should cause us to return early if GetCrossShadowCurrentDoc returns null (as it won't be equal to the RestyleTracker's mDocument).

Comment on attachment 8685734 [details] [diff] [review] patch https://treeherder.mozilla.org/#/jobs?repo=try&revision=c9002a62eb89