Bug 31278 - Assertion Failure in RenderSVGRoot::mapLocalToContainer
Summary: Assertion Failure in RenderSVGRoot::mapLocalToContainer
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh Intel OS X 10.6
Importance: P2 Normal
Assignee: Nobody
URL: http://intertwingly.net/blog/2009/11/...
Keywords: InRadar
Duplicates: 52961 104636 120903
Depends on: 68117
Blocks: 41761
Reported: 2009-11-09 16:39 PST by Jing
Modified: 2017-02-08 13:07 PST (History)

Attachments:
simple testcase (453 bytes, application/xhtml+xml), 2009-11-09 18:02 PST, Dean Jackson
Testcase that shows that position:fixed on svg is busted (491 bytes, application/xhtml+xml), 2009-11-09 19:31 PST, Simon Fraser (smfr)
Patch update (1.49 KB, patch), 2015-03-11 21:59 PDT, Sylvain Galineau

Description Jing 2009-11-09 16:39:38 PST
Loading the URL gives the following assertion:
(WebCore/rendering/RenderSVGRoot.cpp:269 virtual void WebCore::RenderSVGRoot::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const)
Comment 1 Dean Jackson 2009-11-09 16:56:02 PST
Assertion comes because the page has position:fixed on the svg diagram used in the page footer. The page works fine in release builds, and the fixed position element is rendered correctly, so I'm not sure why the ASSERT is there.
Comment 2 Dean Jackson 2009-11-09 18:02:58 PST
Created attachment 42819 [details]
simple testcase

Notice that the test has both position:fixed and a CSS transform on the svg element.

Removing the ASSERT(!fixed) will cause the 2nd ASSERT to fire. Removing that will have the correct behaviour, but only when the CSS transform is not present.
Comment 3 Simon Fraser (smfr) 2009-11-09 19:31:12 PST
Created attachment 42843 [details]
Testcase that shows that position:fixed on svg is busted
Comment 4 Simon Fraser (smfr) 2009-11-09 19:37:19 PST
Comment on attachment 42843 [details]
Testcase that shows that position:fixed on svg is busted

Never mind; that's currently expected with -webkit-transform and position:fixed (bug 31283).
Comment 5 Simon Fraser (smfr) 2009-11-09 19:48:03 PST
I think there are two issues here:
1. We haven't cleaned up the "fixed inside of transformed" codepath. I don't think the code in convertToLayerCoords() is doing the right thing there now by just calling localToAbsolute() ignoring transforms.

2. There needs to be some explicit hand-off code in the interface between SVG and HTML (in both directions), that maps the expectations of one into those of the other.
Comment 6 Michael Gratton 2011-03-30 03:20:09 PDT
Something similar is happening on YouTube HTML5 video embeds.

For an example: disable Flash, visit http://www.trackosaurusrex.com/pblog/comments.php?y=11&m=03&entry=entry110329-122230 and click the play button in comment #3.

Segfault in trunk rev 82358, webkitgtk/gtk3, caused by an assertion:

Source/WebCore/rendering/svg/RenderSVGRoot.cpp(300) : virtual void WebCore::RenderSVGRoot::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const
Comment 7 Dirk Schulze 2014-05-12 07:21:46 PDT
*** Bug 52961 has been marked as a duplicate of this bug. ***
Comment 8 Sylvain Galineau 2015-03-11 21:59:38 PDT
Created attachment 248491 [details]
Patch update

The ASSERT seems obsolete since RenderReplaced::mapLocalToContainer() does apply transforms.
Comment 9 Said Abou-Hallawa 2015-03-16 11:09:11 PDT
Comment on attachment 248491 [details]
Patch update

View in context: https://bugs.webkit.org/attachment.cgi?id=248491&action=review

> Source/WebCore/rendering/svg/RenderSVGRoot.cpp:379
>      ASSERT(mode & ~IsFixed); // We should have no fixed content in the SVG rendering tree.
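Review bot: `ASSERT(mode & ~IsFixed)` does not check what its comment claims: the expression is true whenever any bit other than IsFixed is set, so it still passes for a mode that includes IsFixed. If the intent is "no fixed content in the SVG rendering tree", the check would be `ASSERT(!(mode & IsFixed))`; if the intent is only that some non-IsFixed flag is present, the comment should say so, and the check is then already implied by `ASSERT(mode & UseTransforms)`.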

I think this comment is wrong. I think the assertion means that the mode should have UseTransforms and/or ApplyContainerFlip. And if it does, it does not matter whether it has IsFixed or not. So it can be deleted if we decide to keep ASSERT(mode & UseTransforms) as it is right now.

> Source/WebCore/rendering/svg/RenderSVGRoot.cpp:-380
> -    ASSERT(mode & UseTransforms); // mapping a point through SVG w/o respecting trasnforms is useless.
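Review bot: Deleting `ASSERT(mode & UseTransforms)` removes the only check that callers of this mapping request transforms; with it gone, a caller that omits the flag silently gets coordinates that ignore the SVG root's CSS transform, and debug builds no longer flag the mismatch. Prefer keeping the assertion and fixing the caller that trips it; if the line is kept, also fix the typo `trasnforms` in its comment.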

I do not think this is correct. The assertion is there to confirm that all the callers are passing the UseTransforms flag always. If the caller does not pass this flag, the mapping from local to container will not include the css transformation. You can see the problem if you apply your patch and open the attached test case and set a breakpoint in RenderSVGRoot::mapLocalToContainer() and wait for the following call stack.

#0	0x0000000106ac3831 in WebCore::RenderSVGRoot::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:382
#1	0x0000000106a69f4a in WebCore::RenderObject::localToAbsolute(WebCore::FloatPoint const&, unsigned int) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderObject.cpp:1585
#2	0x00000001069a91fe in WebCore::accumulateOffsetTowardsAncestor(WebCore::RenderLayer const*, WebCore::RenderLayer const*, WebCore::LayoutPoint&, WebCore::RenderLayer::ColumnOffsetAdjustment) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderLayer.cpp:2009
#3	0x00000001069a9061 in WebCore::RenderLayer::convertToLayerCoords(WebCore::RenderLayer const*, WebCore::LayoutPoint const&, WebCore::RenderLayer::ColumnOffsetAdjustment) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderLayer.cpp:2125
#4	0x00000001069a2062 in WebCore::RenderLayer::offsetFromAncestor(WebCore::RenderLayer const*) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderLayer.cpp:2131
#5	0x00000001069b6ca9 in WebCore::performOverlapTests(WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >&, WebCore::RenderLayer const*, WebCore::RenderLayer const*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderLayer.cpp:3818

Because mode is equal to 5, mapLocalToContainer() does not apply the transformation. In WebCore::performOverlapTests(), if you look at the final value of boundingBox.location(), you will see that it is set to (8,42) which is the fixed value of the svg as if there were no css transform applied to it. The actual value should be (108,142) which is fixed position translated by the css transform.
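As an added illustration of the point above (this is not WebKit code and not from the patch), the toy below models how a bitmask mode of 5 skips the transform and why the two assertions differ. The flag bit values are assumed to match WebKit's MapCoordinatesMode enum (they agree with mode == 5 in the call stack); the translate(100px, 100px) transform and the (8,42) point are constructed to reproduce the numbers in the comment.

```cpp
#include <cassert>
#include <cstdio>

// Assumed bit values for WebKit's MapCoordinatesMode flags; with these,
// IsFixed | ApplyContainerFlip == 5, matching the mode seen in the call stack.
enum MapCoordinatesMode : unsigned {
    IsFixed            = 1u << 0,
    UseTransforms      = 1u << 1,
    ApplyContainerFlip = 1u << 2,
};

struct Point { int x; int y; };

// What the deleted ASSERT(mode & UseTransforms) enforced: the caller asked
// for transforms to be applied.
bool callerRequestsTransforms(unsigned mode) { return (mode & UseTransforms) != 0; }

// ASSERT(mode & ~IsFixed) as written: true whenever any bit other than IsFixed
// is set, so it says nothing about whether IsFixed itself is set.
bool assertAsWritten(unsigned mode) { return (mode & ~IsFixed) != 0; }

// What the comment "no fixed content in the SVG rendering tree" would require.
bool noFixedContent(unsigned mode) { return (mode & IsFixed) == 0; }

// Toy stand-in for RenderSVGRoot::mapLocalToContainer: the svg root carries a
// constructed CSS transform translate(100px, 100px) that is applied only when
// the caller passes UseTransforms, mirroring the behaviour described above.
Point mapLocalToContainer(Point local, unsigned mode) {
    Point p = local;
    if (mode & UseTransforms) {
        p.x += 100;
        p.y += 100;
    }
    return p;
}

int main() {
    const unsigned modeFromStack = IsFixed | ApplyContainerFlip; // == 5
    Point p = mapLocalToContainer({8, 42}, modeFromStack);
    std::printf("mode=%u -> (%d,%d)\n", modeFromStack, p.x, p.y);
    p = mapLocalToContainer({8, 42}, modeFromStack | UseTransforms);
    std::printf("mode=%u -> (%d,%d)\n", modeFromStack | UseTransforms, p.x, p.y);
    return 0;
}
```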
Comment 10 Sylvain Galineau 2015-03-17 17:20:33 PDT
I clearly misunderstood what the flag meant. Thanks for the clarification.

smfr points out the issue seems to be that WebRenderObject::WebRenderObject() does not set UseTransforms thus triggering the ASSERT.

I am unsure why the former doesn't though.
Comment 11 Simon Fraser (smfr) 2015-03-17 17:29:20 PDT
WebRenderObject::WebRenderObject() is just stupid Safari-only debug code. We should make it a bit less stupid.
Comment 12 Said Abou-Hallawa 2017-02-08 10:30:27 PST
*** Bug 120903 has been marked as a duplicate of this bug. ***
Comment 13 Said Abou-Hallawa 2017-02-08 10:30:55 PST
*** Bug 104636 has been marked as a duplicate of this bug. ***
Comment 14 Said Abou-Hallawa 2017-02-08 13:07:25 PST