Attached testcase crashes in mozilla-central revision 62f79d676e0e. No assertions hit in debug build. Stack: #0 0x7f9896e32234 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) src/xpcom/glue/nsTArray.cpp:35:3 #1 0x7f989e42b6e0 in ElementAt src/obj-firefox/dist/include/nsTArray.h:1045:7 #2 0x7f989e42b6e0 in operator[] src/obj-firefox/dist/include/nsTArray.h:1074 #3 0x7f989e42b6e0 in operator[] src/layout/style/nsStyleStruct.h:540 #4 0x7f989e42b6e0 in ComputeMaskGeometry src/layout/svg/nsSVGIntegrationUtils.cpp:461 #5 0x7f989e42b6e0 in GenerateMaskSurface src/layout/svg/nsSVGIntegrationUtils.cpp:522 #6 0x7f989e42b6e0 in nsSVGIntegrationUtils::PaintMaskAndClipPath(nsSVGIntegrationUtils::PaintFramesParams const&) src/layout/svg/nsSVGIntegrationUtils.cpp:858 #7 0x7f989de78995 in nsDisplayMask::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) src/layout/base/nsDisplayList.cpp:6912:5 #8 0x7f989dcce2f6 in PaintInactiveLayer src/layout/base/FrameLayerBuilder.cpp:3593:5 #9 0x7f989dcce2f6 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) src/layout/base/FrameLayerBuilder.cpp:5690

Regression of Bug 1235494

[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

Tracked for 50 since it's a new regression.

Comment on attachment 8793706 [details] Bug 1304437 - Part 1. Return nsChangeHint_UpdateEffects when the length of the mask-image property has changed. https://reviewboard.mozilla.org/r/80400/#review79314 In the commit message: > Adapt nsChangeHint_UpdateEffects when the number of mask-image property changed. This sounds to me like we are changing the behaviour of UpdateEffects, instead of just choosing to return it. Something like this might be better: "Return nsChangeHint_UpdateEffects when the length of the mask-image property has changed." r=me with this and the change below. ::: layout/style/nsStyleStruct.cpp:2460 (Diff revision 2) > + if (mImageCount != aNewLayers.mImageCount) { > + hint |= nsChangeHint_UpdateEffects; > + } We don't need to add UpdateEffects if this nsStyleImageLayers is for background. Can we do something similar to aPositionChangeHint here? Maybe it makes more sense to pass in a single argument that says whether it's for background or mask, and then we determine what position change hint to use and whether to add UpdateEffects based on that. Same in nsStyleImageLayers::Layer::CalcDifference.

Comment on attachment 8793707 [details] Bug 1304437 - Part 2. Crash test. https://reviewboard.mozilla.org/r/80402/#review79316

Pushed by cku@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0705576ca28c Part 1. Return nsChangeHint_UpdateEffects when the length of the mask-image property has changed. r=heycam https://hg.mozilla.org/integration/autoland/rev/d7582e076435 Part 2. Crash test. r=heycam

Tracking 52/51+.

https://hg.mozilla.org/mozilla-central/rev/0705576ca28c https://hg.mozilla.org/mozilla-central/rev/d7582e076435

Comment on attachment 8793706 [details] Bug 1304437 - Part 1. Return nsChangeHint_UpdateEffects when the length of the mask-image property has changed. Approval Request Comment [Feature/regressing bug #]: Bug 1235494 [User impact if declined]: Application crash by removing mask layers from mask-image. [Describe test coverage new/current, TreeHerder]: manual + try [Risks and why]: low. [String/UUID change made/needed]: Only part 1 is required. Aurora uses the same patch as central. I attached another patch for beta. Try result on beta: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b15d0af930c5 Try result on autora: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a449397bd28d&selectedJob=28028598

Comment on attachment 8793706 [details] Bug 1304437 - Part 1. Return nsChangeHint_UpdateEffects when the length of the mask-image property has changed. Fixes a reproducible crash, Aurora51+, Beta50+

beta patch landed in https://hg.mozilla.org/releases/mozilla-beta/rev/d1baa416e1b9 do you want also the crashtest uplifted ?

(In reply to Carsten Book [:Tomcat] from comment #25) > beta patch landed in > https://hg.mozilla.org/releases/mozilla-beta/rev/d1baa416e1b9 > > do you want also the crashtest uplifted ? No. Only functional correction patch(part 1) is required. Thanks

I've managed to reproduce the crash using the testcase.html from comment 0. This issue is verified fixed on Firefox 50.0b9 (2016-10-20), latest Aurora 51.0a2 (2016-10-21) and latest Nightly 52.0a1 (2016-10-21) under the following OSes; - Windows 10 x64 - Ubuntu 16.04 x64 - Mac OS X 10.11.6 Marking here accordingly.

Looks like a crashtest landed in: https://hg.mozilla.org/mozilla-central/rev/d7582e076435