Open
Bug 1441254
Opened 7 years ago
Updated 2 years ago
Assertion failure: mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED (Text run should be transformed!), at src/layout/generic/nsTextFrame.cpp:1125
Categories
(Core :: Layout: Text and Fonts, defect, P3)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
320 bytes,
text/html
Found in m-c:
BuildID=20180223194828
SourceStamp=ad3c6f89d67752309a473e57a47fb88f9da37683
Assertion failure: mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED (Text run should be transformed!), at src/layout/generic/nsTextFrame.cpp:1125
#0 BuildTextRunsScanner::BreakSink::SetCapitalization(unsigned int, unsigned int, bool*) src/layout/generic/nsTextFrame.cpp:1124:7
#1 nsLineBreaker::AppendText(nsAtom*, char16_t const*, unsigned int, unsigned int, nsILineBreakSink*) src/dom/base/nsLineBreaker.cpp:304:14
#2 nsLineBreaker::AppendText(nsAtom*, unsigned char const*, unsigned int, unsigned int, nsILineBreakSink*) src/dom/base/nsLineBreaker.cpp:340:12
#3 BuildTextRunsScanner::SetupBreakSinksForTextRun(gfxTextRun*, void const*) src/layout/generic/nsTextFrame.cpp:2657:22
#4 BuildTextRunsScanner::SetupLineBreakerContext(gfxTextRun*) src/layout/generic/nsTextFrame.cpp:2549:3
#5 BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1680:12
#6 BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrame.cpp:1625:11
#7 nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2871:7
#8 nsTextFrame::AddInlinePrefISizeForFlow(gfxContext*, nsIFrame::InlinePrefISizeData*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrame.cpp:8734:5
#9 nsTextFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsTextFrame.cpp:8870:10
#10 nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) src/layout/generic/nsContainerFrame.cpp
#11 nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsInlineFrame.cpp:268:3
#12 nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) src/layout/generic/nsContainerFrame.cpp
#13 nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) src/layout/generic/nsInlineFrame.cpp:268:3
#14 nsBlockFrame::GetPrefISize(gfxContext*) src/layout/generic/nsBlockFrame.cpp:860:16
#15 nsFrame::RefreshSizeCache(nsBoxLayoutState&) src/layout/generic/nsFrame.cpp:10186:9
#16 nsFrame::GetXULMinSize(nsBoxLayoutState&) src/layout/generic/nsFrame.cpp:10310:5
#17 nsSprocketLayout::GetXULMinSize(nsIFrame*, nsBoxLayoutState&) src/layout/xul/nsSprocketLayout.cpp:1382:29
#18 nsBoxFrame::GetXULMinSize(nsBoxLayoutState&) src/layout/xul/nsBoxFrame.cpp:851:43
#19 nsBoxFrame::GetMinISize(gfxContext*) src/layout/xul/nsBoxFrame.cpp:612:20
#20 nsFrame::ShrinkWidthToFit(gfxContext*, int, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:6365:22
#21 nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsContainerFrame.cpp:852:27
#22 nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) src/layout/generic/nsFrame.cpp:5599:24
#23 mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) src/layout/generic/ReflowInput.cpp:2504:17
#24 mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) src/layout/generic/ReflowInput.cpp:414:3
#25 mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::LogicalSize const*, unsigned int) src/layout/generic/ReflowInput.cpp:246:5
#26 void mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&>(nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&) src/obj-firefox/dist/include/mozilla/Maybe.h:459:34
#27 nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:863:23
#28 nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4158:15
#29 nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3958:5
#30 nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3832:9
#31 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2816:5
#32 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
#33 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
#34 nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
#35 nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
#36 nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
#37 nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
#38 nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
#39 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:941:14
#40 nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:717:5
#41 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:941:14
#42 nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:554:3
#43 nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:677:3
#44 nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1054:3
#45 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:985:14
#46 mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:335:7
#47 mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8974:11
#48 mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9147:24
#49 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4257:11
#50 nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1944:16
#51 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:310:7
#52 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:332:5
#53 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:773:5
#54 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:686:35
#55 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:587:9
#56 mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#57 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#58 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
#59 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2110:25
#60 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2040:17
#61 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1886:5
#62 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1919:15
#63 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#64 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#65 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#66 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#67 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#68 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#69 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#70 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#71 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#72 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#73 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#74 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#75 main src/browser/app/nsBrowserApp.cpp:280:18
#76 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#77 _start (firefox+0x423444)
Flags: in-testsuite?
Updated•7 years ago
Component: Layout → Layout: Text
Comment 1•7 years ago
This assertion was added in bug 1099110.
Fortunately, it's followed by a runtime check for the same condition (testing a flag):
> virtual void SetCapitalization(uint32_t aOffset, uint32_t aLength,
>                                bool* aCapitalize) override {
>   MOZ_ASSERT(mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED,
>              "Text run should be transformed!");
>   if (mTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED) {
>     nsTransformedTextRun* transformedTextRun =
>       static_cast<nsTransformedTextRun*>(mTextRun.get());
>     transformedTextRun->SetCapitalization(aOffset + mOffsetIntoTextRun, aLength,
>                                           aCapitalize);
So this presumably isn't exploitable, thanks to that runtime check.
Depends on: 1099110
Priority: -- → P3
Comment 2•7 years ago
Yeah, I think this indicates that we have a stale textrun that does not correctly reflect a style change that has happened. So we're potentially going to render slightly incorrectly; but because we test the flag before attempting to downcast, this shouldn't result in anything disastrous.
We should still debug the testcase to figure out what's really going wrong.
Updated•2 years ago
Severity: normal → S3
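The pattern discussed in Comment 1 and Comment 2, a debug-only assertion followed by a runtime test of the same flag before the downcast, shown as an added C++ example that is not part of the bug or of Gecko's source. `TextRun`, `TransformedTextRun`, `SetCapitalizationChecked`, `DEBUG_ASSERT` and `EXAMPLE_DEBUG` are hypothetical stand-ins; only the flag name and the assertion message come from the page.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Debug-only assertion standing in for MOZ_ASSERT (compiled out in release builds).
#ifdef EXAMPLE_DEBUG
#define DEBUG_ASSERT(cond, msg) assert((cond) && msg)
#else
#define DEBUG_ASSERT(cond, msg) ((void)0)
#endif

// Hypothetical stand-ins for the text run classes; not Gecko code.
constexpr uint32_t TEXT_IS_TRANSFORMED = 1u << 0;

struct TextRun {
  explicit TextRun(uint32_t aFlags = 0) : mFlags(aFlags) {}
  uint32_t GetFlags2() const { return mFlags; }
  uint32_t mFlags;
};

struct TransformedTextRun : TextRun {
  explicit TransformedTextRun(size_t aLength)
      : TextRun(TEXT_IS_TRANSFORMED), mCapitalize(aLength, false) {}
  void SetCapitalization(size_t aStart, const std::vector<bool>& aCaps) {
    for (size_t i = 0; i < aCaps.size() && aStart + i < mCapitalize.size(); ++i)
      mCapitalize[aStart + i] = aCaps[i];
  }
  std::vector<bool> mCapitalize;  // state the base class does not have
};

// Returns true if the capitalization was stored, false if the run was skipped.
bool SetCapitalizationChecked(TextRun* aRun, size_t aStart,
                              const std::vector<bool>& aCaps) {
  const bool transformed = (aRun->GetFlags2() & TEXT_IS_TRANSFORMED) != 0;
  DEBUG_ASSERT(transformed, "Text run should be transformed!");
  if (!transformed) {
    // Release builds reach this on a plain run; downcasting it would be type confusion.
    return false;
  }
  static_cast<TransformedTextRun*>(aRun)->SetCapitalization(aStart, aCaps);
  return true;
}

int main() {
  TextRun plain;  // constructed sample: flag not set
  TransformedTextRun transformed(4);
  return (!SetCapitalizationChecked(&plain, 0, {true}) &&
          SetCapitalizationChecked(&transformed, 1, {true, true})) ? 0 : 1;
}
```

Building with `-DEXAMPLE_DEBUG` makes the plain-run call abort on the assertion, which corresponds to the debug-build failure reported here, while the default build skips the run and continues.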