Closed Bug 1403425 Opened 7 years ago Closed 6 years ago

Assertion failure: mFrames.IsEmpty() (unexpected second call to SetInitialChildList) [@ nsContainerFrame::SetInitialChildList]

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- fixed

People

(Reporter: tsmith, Assigned: xidorn)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

test_case.html
(deleted), text/html
Details
Bug 1403425 - Pass aListID to nsContainerFrame from nsColumnSetFrame::SetInitialChildList.
(deleted), text/x-review-board-request
dholbert
: review+
Details
Attached file test_case.html (deleted) —
Assertion failure: mFrames.IsEmpty() (unexpected second call to SetInitialChildList), at /src/layout/generic/nsContainerFrame.cpp:77 #0 nsContainerFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) /src/layout/generic/nsContainerFrame.cpp:92:7 #1 nsFrameConstructorState::ConstructBackdropFrameFor(nsIContent*, nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp:1312:10 #2 nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp:1365:7 #3 nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /src/layout/base/nsCSSFrameConstructor.cpp:12427:10 #4 nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /src/layout/base/nsCSSFrameConstructor.cpp:5104:3 #5 nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:5068:10 #6 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:4015:7 #7 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:6406:3 #8 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:11054:5 #9 nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /src/layout/base/nsCSSFrameConstructor.cpp:8427:3 #10 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /src/layout/base/nsCSSFrameConstructor.cpp:10090:9 #11 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1514:25 #12 mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1138:9 #13 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4170:41 #14 nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1921:18 #15 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:307:7 #16 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5 #17 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:770:5 #18 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:683:35 #19 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:529:20 #20 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14 #21 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:521:10 #22 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #23 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10 #24 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3 #25 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27 #26 nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30 #27 XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22 #28 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8 #29 XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21 #30 do_main(int, char**, char**) /src/browser/app/nsBrowserApp.cpp:236:22 #31 main /src/browser/app/nsBrowserApp.cpp:309:16 #32 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #33 _start (firefox+0x41eb24)
Flags: in-testsuite?
status-firefox57: --- → wontfix
Priority: -- → P3
We are still seeing this frequently while fuzzing.
status-firefox58: affectedwontfix
status-firefox60: --- → affected
status-firefox61: --- → affected
status-firefox62: --- → affected
Flags: needinfo?(emilio)
I cannot repro this with the attached test-case Tyson, mind uploading another one?
Flags: needinfo?(emilio) → needinfo?(twsmith)
Hmm, I can repro if I move the requestFullScreen call to a click handler, like: <q id="a" style="column-count: 1" onclick="this.requestFullscreen();"> Click me and assert. Xidorn, this looks fullscreen-related. We create the backdrop frame for the columnset, but the columnset already has a moz-column-content frame, which is its content insertion frame. Do you know what's supposed to happen here? Should we add the backdrop placeholder to the content insertion frame of that? Then we get assertions about the ::-moz-column-content not being in the top layer...
Flags: needinfo?(twsmith) → needinfo?(xidorn+moz)
nsColumnSetFrame::SetInitialChildList invokes nsContainerFrame::SetInitialChildList with kPrincipalList unconditionally, which is just non-sense. We should just have it pass through aListID to nsContainerFrame.
Assignee: nobody → xidorn+moz
Flags: needinfo?(xidorn+moz)
Since it involves fullscreen, it's relatively hard to add a trivial crash test... and the fix should be simple enough so I would skip the test part I think.
Ugh, I totally missed backdrop was passing kBackdropList instead of kPrincipalList there!
Comment on attachment 8994075 [details] Bug 1403425 - Pass aListID to nsContainerFrame from nsColumnSetFrame::SetInitialChildList. https://reviewboard.mozilla.org/r/258658/#review265606
Attachment #8994075 - Flags: review?(dholbert) → review+
Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0033146ff4cf Pass aListID to nsContainerFrame from nsColumnSetFrame::SetInitialChildList. r=dholbert
https://hg.mozilla.org/mozilla-central/rev/0033146ff4cf
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: