Closed Bug 1395725 Opened 7 years ago Closed 7 years ago

stylo: Assertion failure: MayTraverseFrom(const_cast<Element*>(root))

Categories

(Core :: CSS Parsing and Computation, defect, P2)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- unaffected
firefox57 --- fixed

People

(Reporter: truber, Assigned: xidorn)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase.html
(deleted), text/html
Details
simplified testcase
(deleted), text/html
Details
Bug 1395725 - Don't add children of <area> as servo restyle root.
(deleted), text/x-review-board-request
emilio
: review+
Details
Attached file testcase.html (deleted) — 
The attached testcase causes an assertion in m-c rev 20170831-fb22415719a9 with stylo enabled by pref.

Assertion failure: MayTraverseFrom(const_cast<Element*>(root)), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:898
#0 mozilla::ServoStyleSet::StyleDocument, at layout/style/ServoStyleSet.cpp:898
#1 mozilla::ServoRestyleManager::DoProcessPendingRestyles, at layout/base/ServoRestyleManager.cpp:1100
#2 mozilla::PresShell::DoFlushPendingNotifications, at layout/base/PresShell.cpp:4191
#3 nsRefreshDriver::Tick, at layout/base/nsRefreshDriver.cpp:1921
Flags: in-testsuite?
root is a <mathml>, and its parent is <area> which is display:none, and thus MayTraverseFrom returns false.
The restyle root is set from NoteDirtyElement in Element.cpp. There is an if-statement in that function that:
> if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
>   return;
> }

However, <area> element always has nsImageFrame as its primary frame when there is <img> element using the corresponding <map>, and thus this condition doesn't protect us from setting the invisible <mathml> as a restyle root.
Attached file simplified testcase (deleted) — 
That said, majority of the code in the testcase isn't necessary to trigger this assertion.

What really important here is that, we have a valid <img> which uses a <map> which has <area>, and we dynamically insert a new element into the <area> element.
Assignee: nobody → xidorn+moz
Comment on attachment 8903453 [details]
Bug 1395725 - Don't add children of <area> as servo restyle root.

https://reviewboard.mozilla.org/r/175300/#review180434

::: dom/base/Element.cpp:4341
(Diff revision 1)
>  
>      // If the parent is styled but is display:none, we're done.
>      //
>      // We check for a frame to reduce the cases where we need the FFI call.
> -    if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
> +    // We need to additionally check that it is not an <area> element because
> +    // <area> may have primary frame from <img>, but itself is display:none.

Please mention bug 135040 so I don't forget to revert this when I get to finish it.
Attachment #8903453 - Flags: review?(emilio) → review+
Comment on attachment 8903453 [details]
Bug 1395725 - Don't add children of <area> as servo restyle root.

https://reviewboard.mozilla.org/r/175300/#review180558

::: dom/base/Element.cpp:4339
(Diff revision 1)
>      // We check for a frame to reduce the cases where we need the FFI call.
> -    if (!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) {
> +    // We need to additionally check that it is not an <area> element because
> +    // <area> may have primary frame from <img>, but itself is display:none.
> +    if ((!parent->GetPrimaryFrame() && Servo_Element_IsDisplayNone(parent)) ||
> +        parent->IsHTMLElement(nsGkAtoms::area)) {
>        return;
>      }

Can you separate out the area check into a separate if (...) { return } below? I think it would make the code easier to follow.
Priority: -- → P2
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s 099a87c95a58 -d 512562477a1e: rebasing 417502:099a87c95a58 "Bug 1395725 - Don't add children of <area> as servo restyle root. r=emilio" (tip)
merging dom/base/Element.cpp
merging layout/style/crashtests/crashtests.list
warning: conflicts while merging layout/style/crashtests/crashtests.list! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/feec5f3a726c
Don't add children of <area> as servo restyle root. r=emilio
https://hg.mozilla.org/mozilla-central/rev/feec5f3a726c
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
status-firefox55: --- → unaffected
status-firefox56: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: