Found in mozilla-central: BuildID=20180329220707 SourceStamp=dcd10220d55aea46db212314c46d25a96a7be243 Assertion failure: !mInStyleRefresh, at src/layout/base/ServoRestyleManager.cpp:1299 #0 mozilla::ServoRestyleManager::ContentStateChanged(nsIContent*, mozilla::EventStates) src/layout/base/ServoRestyleManager.cpp:1299:3 #1 mozilla::PresShell::ContentStateChanged(nsIDocument*, nsIContent*, mozilla::EventStates) src/layout/base/PresShell.cpp:4399:37 #2 nsIDocument::ContentStateChanged(nsIContent*, mozilla::EventStates) src/dom/base/nsDocument.cpp:5378:3 #3 mozilla::dom::Element::UpdateState(bool) src/dom/base/Element.cpp:270:14 #4 mozilla::dom::HTMLFormElement::UpdateValidity(bool) src/dom/html/HTMLFormElement.cpp:2078:3 #5 nsIConstraintValidation::SetValidityState(nsIConstraintValidation::ValidityStateType, bool) src/dom/html/nsIConstraintValidation.cpp:209:13 #6 mozilla::dom::HTMLTextAreaElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/html/HTMLTextAreaElement.cpp:952:3 #7 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/base/Element.cpp:1725:17 #8 nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/html/nsGenericHTMLElement.cpp:416:43 #9 mozilla::dom::HTMLFormElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/html/HTMLFormElement.cpp:290:39 #10 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/base/Element.cpp:1725:17 #11 nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/html/nsGenericHTMLElement.cpp:416:43 #12 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/base/Element.cpp:1725:17 #13 nsSVGElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/svg/nsSVGElement.cpp:252:35 #14 mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/base/Element.cpp:1725:17 #15 nsSVGElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/svg/nsSVGElement.cpp:252:35 #16 nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) src/layout/base/nsCSSFrameConstructor.cpp:4222:19 #17 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10362:3 #18 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4046:9 #19 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6103:3 #20 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10238:5 #21 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10434:3 #22 nsCSSFrameConstructor::ConstructFrameWithAnonymousChild(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsFrameItems&, nsContainerFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*), nsContainerFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*), nsICSSAnonBoxPseudo*, bool) src/layout/base/nsCSSFrameConstructor.cpp:5215:5 #23 nsCSSFrameConstructor::ConstructOuterSVG(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5232:10 #24 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3862:7 #25 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6103:3 #26 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10238:5 #27 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10434:3 #28 nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) src/layout/base/nsCSSFrameConstructor.cpp:11360:3 #29 nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*)) src/layout/base/nsCSSFrameConstructor.cpp:4969:3 #30 nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4933:10 #31 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3862:7 #32 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6103:3 #33 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10238:5 #34 nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7848:3 #35 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:9285:9 #36 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1498:25 #37 mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/ServoRestyleManager.cpp:1183:9 #38 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4291:41 #39 nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1913:18 #40 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:308:7 #41 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5 #42 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:771:5 #43 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:684:35 #44 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() src/layout/base/nsRefreshDriver.cpp:530:20 #45 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14 #46 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #47 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21 #48 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10 #49 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3 #50 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 #51 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30 #52 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4766:22 #53 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4911:8 #54 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5003:21 #55 do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:231:22 #56 main src/browser/app/nsBrowserApp.cpp:304:16 #57 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #58 _start (/home/user/workspace/browsers/m-c-1522361227-asan-debug/firefox+0x423444)

It's inside DoProcessPendingRestyles but invoked from ProcessRestyledFrames. I guess it is actually safe to invoke from there, and we should just revert mInStyleRefresh when we are calling into ProcessRestyledFrames.

Actually, the whole "process the change hints" can probably have mInStyleRefresh unset.

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #1) > It's inside DoProcessPendingRestyles but invoked from ProcessRestyledFrames. > I guess it is actually safe to invoke from there, and we should just revert > mInStyleRefresh when we are calling into ProcessRestyledFrames. No, it's not sound in general to invalidate random style from frame construction or restyle processing. In this case it's fine (ish) because the content isn't styled yet and we'd discard the state change anyway. I'd rather not think about all the implications that would have... For starters that breaks the invariant that we always construct frames with up-to-date styles, but it has others... Keeping the DOM immutable during layout and painting is the sane thing I'd say. The right fix here is making <svg:use> not use anon content, but Shadow DOM. Of course that's not trivial though...

I can't think of anything better than that to fix this though... We can wallpaper the assertion moving it a few lines later if this blocks fuzzing.

This has the same underlying cause of bug 1472027, and the crashtest there already covers this. Fixed by bug 1450250, though the undelying bug is bug 1472169.