assertion failed: !self.Document().needs_reflow() || (!for_display && self.Document().needs_paint()) || self.window_size.get().is_none() || self.suppress_reflow.get() #14239
Comments
|
@julen Do you have any idea what website you were looking at? |
|
To be honest I don't remember, although it might be one of the demos listed on the start page. I'm sorry I cannot be more accurate, it's been a long time since the crash... ¯_(ツ)_/¯ |
|
I hit it on reddit.com. Also seems like it's the same as #13499 |
|
Minimal crashing testcase, found with domato:
<script>
document.elementFromPoint(2,0).setAttribute("hidden","");
</script> |
|
Sadly that testcase no longer makes Servo panic. |
|
@jdm Here's an example that reproduces on current Servo:
<script>
function jsfuzzer() {
try { /* newvar{var00107:Element} */ var var00107 = document.elementFromPoint(22,0); } catch(e) { }
try { window.scrollTo(0.00320673159955,0.795496244014); } catch(e) { }
try { var00107.setAttribute("hidden", "hidden"); } catch(e) { }
}
</script>
<body onload=jsfuzzer()>

The scrollTo call now seems necessary to reproduce this bug, but those specific values are just random.

Debug backtrace:

VMware, Inc.
llvmpipe (LLVM 7.0, 256 bits)
3.3 (Core Profile) Mesa 18.3.4
assertion failed: !self.Document().needs_reflow() ||
(!for_display && self.Document().needs_paint()) ||
self.suppress_reflow.get() (thread ScriptThread PipelineId { namespace_id: PipelineNamespaceId(1), index: PipelineIndex(1) }, at components/script/dom/window.rs:1511)
stack backtrace:
0: 0x55d047c81ed6 - backtrace::backtrace::libunwind::trace::h8af3b710f1a5e12e
at /home/mateon/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/backtrace/libunwind.rs:53
- backtrace::backtrace::trace::h2a1223234ae0346f
at /home/mateon/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/backtrace/mod.rs:42
1: 0x55d047c7c4e3 - backtrace::capture::Backtrace::new_unresolved::h2dd57ce7b77a7435
at /home/mateon/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:88
2: 0x55d047c7c43d - backtrace::capture::Backtrace::new::h8c6b161078e28d12
at /home/mateon/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:63
3: 0x55d040c34351 - servo::main::{{closure}}::h5fe9a894213f10e8
at ports/servo/non_android_main.rs:110
4: 0x55d049d6fa48 - rust_panic_with_hook
at src/libstd/panicking.rs:482
5: 0x55d047cee467 - std::panicking::begin_panic::hd447f23770529d66
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/panicking.rs:412
6: 0x55d043edadc8 - script::dom::window::Window::reflow::h623765f4bba58379
at components/script/dom/window.rs:1511
7: 0x55d043f5e249 - script::dom::document::Document::maybe_queue_document_completion::{{closure}}::h9e87a456d6dcd046
at components/script/dom/document.rs:1972
8: 0x55d043069e24 - core::ops::function::FnOnce::call_once::hc16b9b88d40eef7b
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libcore/ops/function.rs:231
9: 0x55d043f5dc9b - <script::dom::document::Document::maybe_queue_document_completion::fire_load_event<F> as script::task::TaskOnce>::run_once::h36f0c7f9379636ba
at components/script/task.rs:24
10: 0x55d04285df84 - <script::task::CancellableTask<T> as script::task::TaskOnce>::run_once::he28e36dcb4633419
at components/script/task.rs:122
11: 0x55d042851b9c - <T as script::task::TaskBox>::run_box::h5753341af730489d
at components/script/task.rs:64
12: 0x55d0426ad556 - script::script_thread::ScriptThread::handle_msg_from_script::h15d002ec5aef5d9d
at components/script/script_thread.rs:1745
13: 0x55d042280579 - script::script_thread::ScriptThread::handle_msgs::{{closure}}::h9f46a3c0a7bb7f95
at components/script/script_thread.rs:1348
14: 0x55d04228365e - script::script_thread::ScriptThread::profile_event::he7baa525ee50e51f
at components/script/script_thread.rs:1583
15: 0x55d0426a884e - script::script_thread::ScriptThread::handle_msgs::hd718a0404a74804d
at components/script/script_thread.rs:1341
16: 0x55d0426a5957 - script::script_thread::ScriptThread::start::h9d2b2f4b40ef17fd
at components/script/script_thread.rs:1178
17: 0x55d04227cd51 - <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}::{{closure}}::h3d2e50a51a59531c
at components/script/script_thread.rs:731
18: 0x55d0439a2298 - profile_traits::mem::ProfilerChan::run_with_memory_reporting::h9a6fb4b77584b283
at /shared/dev/rust/servo/components/profile_traits/mem.rs:88
19: 0x55d04227d4ed - <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}::hec71b1d6b339dd35
at components/script/script_thread.rs:729
20: 0x55d0445007f4 - std::sys_common::backtrace::__rust_begin_short_backtrace::h70010f71bf1d628c
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/sys_common/backtrace.rs:136
21: 0x55d043457503 - std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}}::hea3251b085d70f10
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/thread/mod.rs:469
22: 0x55d04391efd3 - <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::hbd8938e17c48a216
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/panic.rs:309
23: 0x55d043bcda49 - std::panicking::try::do_call::hd59da0280ee94513
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/panicking.rs:297
24: 0x55d049d7a5f9 - __rust_maybe_catch_panic
at src/libpanic_unwind/lib.rs:87
25: 0x55d043a9fa9f - std::panicking::try::h96247a5f4e51c63e
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/panicking.rs:276
26: 0x55d04396fcd5 - std::panic::catch_unwind::hc4559b7cad69ef45
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/panic.rs:388
27: 0x55d04345508f - std::thread::Builder::spawn_unchecked::{{closure}}::h66879e6d1707cb6d
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/libstd/thread/mod.rs:468
28: 0x55d0434581f8 - <F as alloc::boxed::FnBox<A>>::call_box::h87e072e6468861a9
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/liballoc/boxed.rs:749
29: 0x55d049d7993d - call_once<(),()>
at /rustc/0ea22717a1e01fa535534b85a5347a7e49fc79de/src/liballoc/boxed.rs:759
- start_thread
at src/libstd/sys_common/thread.rs:14
- thread_start
at src/libstd/sys/unix/thread.rs:80
30: 0x7f48689effa2 - start_thread
31: 0x7f486890482e - clone
32: 0x0 - <unknown>
[2019-03-25T06:34:51Z ERROR servo] assertion failed: !self.Document().needs_reflow() ||
(!for_display && self.Document().needs_paint()) ||
self.suppress_reflow.get()
Pipeline failed in hard-fail mode. Crashing! |
|
I added some printlns to the logic around the assertion. Here's the code:

pub fn reflow(&self, reflow_goal: ReflowGoal, reason: ReflowReason) -> bool {
self.Document().ensure_safe_to_run_script_or_layout();
let for_display = reflow_goal == ReflowGoal::Full;
let mut issued_reflow = false;
let condition = self.Document().needs_reflow();
if !for_display || condition.is_some() {
issued_reflow = self.force_reflow(reflow_goal, reason, condition);
// We shouldn't need a reflow immediately after a
// reflow, except if we're waiting for a deferred paint.
assert!({
let condition = self.Document().needs_reflow();
condition.is_none() ||
(!for_display && condition == Some(ReflowTriggerCondition::PaintPostponed)) ||
self.suppress_reflow.get()
});
}
/// snip, irrelevant

And here is the state that causes the failing assertion:
|
|
Slightly simpler reproducer: the actual values aren't necessary, nor are the try/catch blocks. This was already mentioned, but I'm just confirming.
<script>
function jsfuzzer() {
var testvar = document.elementFromPoint(0, 0);
window.scrollTo(0.0, 0.0);
testvar.setAttribute("hidden", "hidden");
}
</script>
<body onload=jsfuzzer()> |
assertion failed: !self.Document().needs_reflow() ||
(!for_display && self.Document().needs_paint()) ||
self.window_size.get().is_none() || self.suppress_reflow.get()
URL:
Servo Version:
Servo 0.0.1-9467fbe
Backtrace:
This report was generated by the browser.html issue reporter.