Open Bug 1797417 Opened 2 years ago Updated 1 year ago

Assertion failure: !OuterSVGIsCallingReflowSVG(aFrame) (Do not call under ISVGDisplayableFrame::ReflowSVG!), at /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:156

Categories

(Core :: SVG, defect)

Tracking Status
firefox108 --- wontfix
firefox115 --- wontfix
firefox116 --- affected
firefox117 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete) (deleted)

Found while fuzzing m-c 20221025-41ff1810fc5e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !OuterSVGIsCallingReflowSVG(aFrame) (Do not call under ISVGDisplayableFrame::ReflowSVG!), at /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:156

#0 0x7f366b4d66c7 in mozilla::SVGUtils::ScheduleReflowSVG(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:155:3
#1 0x7f366b4b2e9b in mozilla::SVGMarkerObserver::OnRenderingChange() /builds/worker/checkouts/gecko/layout/svg/SVGObserverUtils.cpp:540:5
#2 0x7f366b4b5084 in OnNonDOMMutationRenderingChange /builds/worker/checkouts/gecko/layout/svg/SVGObserverUtils.cpp:247:3
#3 0x7f366b4b5084 in mozilla::SVGRenderingObserverSet::InvalidateAll() /builds/worker/checkouts/gecko/layout/svg/SVGObserverUtils.cpp:1072:15
#4 0x7f366b368578 in InvalidateFrameInternal(nsIFrame*, bool, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7356:7
#5 0x7f366b3bf5b8 in InvalidateFrame /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4896:19
#6 0x7f366b3bf5b8 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:10085:3
#7 0x7f366b3bbb5e in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:873:40
#8 0x7f366b2a89ce in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4714:15
#9 0x7f366b2a811b in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4516:5
#10 0x7f366b2a4322 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4390:9
#11 0x7f366b2a0847 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3376:5
#12 0x7f366b29a85e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2890:9
#13 0x7f366b296031 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
#14 0x7f366b4d0160 in mozilla::SVGTextFrame::DoReflow() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5141:8
#15 0x7f366b4c732c in mozilla::SVGTextFrame::MaybeReflowAnonymousBlockChild() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5082:5
#16 0x7f366b4b27ca in mozilla::SVGTextFrame::ReflowSVGNonDisplayText() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:2855:3
#17 0x7f366b4964c7 in mozilla::SVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:114:40
#18 0x7f366b49651d in mozilla::SVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:119:9
#19 0x7f366b49651d in mozilla::SVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:119:9
#20 0x7f366b497128 in mozilla::SVGDisplayContainerFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:337:11
#21 0x7f366b4b9cc5 in mozilla::SVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:438:14
#22 0x7f366b1855e1 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9679:11
#23 0x7f366b1a8f7f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9851:24
#24 0x7f366b18efb3 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9921:10
#25 0x7f366b18efb3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4448:11
#26 0x7f3667831340 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1478:5
#27 0x7f3667831340 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10695:16
#28 0x7f366786c2f2 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10616:3
#29 0x7f366786c2f2 in nsIContent::GetPrimaryFrame(mozilla::FlushType) /builds/worker/checkouts/gecko/dom/base/Element.cpp:253:10
#30 0x7f366a3f9310 in GetSVGTextFrame /builds/worker/checkouts/gecko/dom/svg/SVGTextContentElement.cpp:37:21
#31 0x7f366a3f9310 in mozilla::dom::SVGTextContentElement::SelectSubString(unsigned int, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/svg/SVGTextContentElement.cpp:123:29
#32 0x7f366848337c in mozilla::dom::SVGTextContentElement_Binding::selectSubString(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SVGTextContentElementBinding.cpp:477:24
#33 0x7f3668f7fd6c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#34 0x7f366e67d50c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#35 0x7f366e67ce31 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#36 0x7f366e674198 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#37 0x7f366e674198 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3375:16
#38 0x7f366e66b24d in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#39 0x7f366e67cd2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#40 0x7f366e67e26c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#41 0x7f366d2e272c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#42 0x7f3668c6f493 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#43 0x7f3669561ec9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#44 0x7f36695610a3 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#45 0x7f3669541e0e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#46 0x7f3669542a77 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#47 0x7f36695379b4 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#48 0x7f36695379b4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#49 0x7f3669536f02 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#50 0x7f36695397a1 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#51 0x7f366b205353 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7
#52 0x7f366c86ba4d in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6434:20
#53 0x7f366c86afb4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5827:7
#54 0x7f366c86c987 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#55 0x7f3666cb9c4c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#56 0x7f3666cb918a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#57 0x7f3666cb7441 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#58 0x7f3666cb8628 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#59 0x7f366c89f9a1 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13841:23
#60 0x7f3665fabd00 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#61 0x7f3665fad233 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#62 0x7f366783638d in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11476:18
#63 0x7f366780169f in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11414:9
#64 0x7f366781caf4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7950:3
#65 0x7f36678d249b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#66 0x7f36678d249b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#67 0x7f36678d249b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#68 0x7f3665d99d92 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#69 0x7f3665da40f4 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#70 0x7f3665d9f6f1 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#71 0x7f3665d9e24a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#72 0x7f3665d9e5a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#73 0x7f3665da7a46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#74 0x7f3665da7a46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#75 0x7f3665dbd347 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#76 0x7f3665dc3b4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#77 0x7f36669b30c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#78 0x7f36668d6e37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#79 0x7f36668d6d42 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#80 0x7f36668d6d42 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#81 0x7f366ae08fd8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#82 0x7f366d01d76b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#83 0x7f36669b3fba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#84 0x7f36668d6e37 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#85 0x7f36668d6d42 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#86 0x7f36668d6d42 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#87 0x7f366d01cd4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#88 0x5631e2bb6c19 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#89 0x5631e2bb6c19 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18
#90 0x7f367ca81082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#91 0x5631e2b8c8dc in _start (/home/worker/builds/m-c-20221025094808-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 218e195d7f35924415692fd65e74feed063fa7a9)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/BRlwRrDX-5-JfofVlQga5A/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221027215515-2dddf127c6ab.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 2f3b5d0ef91160a8b34e6e22ebc4b1475f35d9fc (20211029094127)
End: 41ff1810fc5e1ee4ccdea2f1f81fcfc6d04d0fa1 (20221025094808)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:dholbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dholbert)
Severity: -- → S3
Flags: needinfo?(dholbert)

Unable to reproduce bug 1797417 using build mozilla-central 20221025094808-41ff1810fc5e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file testcase.html (deleted)
Attachment #9300268 - Attachment is obsolete: true
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirm]
Keywords: bugmon

Verified bug as reproducible on mozilla-central 20230706040652-a0647e42fb1f.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: f11b4ed312f4110f6a05d19a6acbe9b6139bf439 (20220707093757)
End: 41ff1810fc5e1ee4ccdea2f1f81fcfc6d04d0fa1 (20221025094808)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirm] → [bugmon:bisected,confirmed]