Closed Bug 1575908 Opened 5 years ago Closed 5 years ago

Assertion failure: mJustificationSpacings.IsEmpty(), at /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:3833

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

testcase.html
(deleted), text/html
Details
Bug 1575908 - Remove spurious code trying to reinitialize a propertyProvider. r=emilio
(deleted), text/x-phabricator-request
Details

Testcase found while fuzzing mozilla-central rev dcfcd7909aff. I'm currently reducing the testcase and will attach it shortly.

Assertion failure: mJustificationSpacings.IsEmpty(), at /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:3833

rax = 0x0000563990d7f1a0   rdx = 0x0000000000000000
rcx = 0x00007f43cbb612b2   rbx = 0x00007fff0b4083e0
rsi = 0x00007f43d71ee8b0   rdi = 0x00007f43d71ed680
rbp = 0x00007fff0b408310   rsp = 0x00007fff0b408250
r8 = 0x00007f43d71ee8b0    r9 = 0x00007f43d8358780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00000000071c71c8   r13 = 0x00007fff0b408288
r14 = 0x0000000000000024   r15 = 0x00000000000000e0
rip = 0x00007f43c8545d6a
OS|Linux|0.0.0 Linux 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|PropertyProvider::SetupJustificationSpacing(bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|3833|0x35
0|1|libxul.so|nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, int, int, nsPoint const&, bool, float)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|6732|0xc
0|2|libxul.so|nsDisplayText::RenderToContext(gfxContext*, nsDisplayListBuilder*, bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|9533|0x14
0|3|libxul.so|nsDisplayText::Paint(nsDisplayListBuilder*, gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|9427|0x11
0|4|libxul.so|mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|7143|0x16
0|5|libxul.so|mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|7305|0x18
0|6|libxul.so|mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientPaintedLayer.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|162|0x2d
0|7|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:dcfcd7909aff0ef81a3b884ead0745645c6d6670|53|0xd
0|8|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:dcfcd7909aff0ef81a3b884ead0745645c6d6670|53|0xd
0|9|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|352|0x9
0|10|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|415|0x11
0|11|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|3171|0x17
0|12|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|4028|0x5
0|13|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|6112|0x1b
0|14|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|461|0x23
0|15|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|396|0x14
0|16|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|1019|0x11
0|17|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|2135|0x8
0|18|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|350|0xb
0|19|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|367|0xf
0|20|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|727|0xf
0|21|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|525|0x15
0|22|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|1225|0x15
0|23|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|486|0x11
0|24|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|88|0xa
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:dcfcd7909aff0ef81a3b884ead0745645c6d6670|315|0x17
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:dcfcd7909aff0ef81a3b884ead0745645c6d6670|290|0x8
0|27|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|137|0xd
0|28|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|276|0xe
0|29|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|4569|0x11
0|30|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|4707|0x8
0|31|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|4788|0x5
0|32|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|213|0x22
0|33|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:dcfcd7909aff0ef81a3b884ead0745645c6d6670|295|0xf
0|34|libc-2.27.so||||0x21b97
0|35|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:dcfcd7909aff0ef81a3b884ead0745645c6d6670|184|0x5
Flags: in-testsuite?

Testcase bisects to the following range:

Start: 2f9fcfd57416a8424ff12a11c9734ee9a2fb6ed0 (20190807113141)
End: 3a71baea939144b4ec37805a932f0250c74986b1 (20190807215212)

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2f9fcfd57416a8424ff12a11c9734ee9a2fb6ed0&tochange=3a71baea939144b4ec37805a932f0250c74986b1

NI :emilio as it looks like he touched this last.

Flags: needinfo?(emilio)
Attached file testcase.html (deleted) —

Testcase must be served via a local webserver in order to trigger the assertion.

This is a regression from bug 1411922.

This hunk here doesn't make sense to me:

https://searchfox.org/mozilla-central/rev/597a69c70a5cce6f42f159eb54ad1ef6745f5432/layout/generic/nsTextFrame.cpp#6728

For the aIsSelected case we're calling InitializeForDisplay twice, thus the assert.

Flags: needinfo?(emilio)
Regressed by: 1411922

What is that code trying to do? It's trying to compute the same range for selected and unselected text, but then modify the provider to not trim (?) that looks really weird.

Flags: needinfo?(jfkthame)
Flags: needinfo?(charles.w.marlow)

Yeah, that looks spurious to me. I suspect it's residual from trying to work around issues earlier in the evolution of the skip-ink patches, but doesn't really belong. I've pushed a try job with that code excised, to see if any tests are affected: https://treeherder.mozilla.org/#/jobs?repo=try&revision=35645bb198aec18e9f0e18ce37e2a3cd1c2c5048; will also look at it a bit more locally.

Flags: needinfo?(jfkthame)
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a3102cc8ce2f Remove spurious code trying to reinitialize a propertyProvider. r=emilio

https://hg.mozilla.org/mozilla-central/rev/a3102cc8ce2f

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → jfkthame
status-firefox68: --- → unaffected
status-firefox69: --- → unaffected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: needinfo?(charles.w.marlow)
Flags: in-testsuite?
Flags: in-testsuite+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: