Open Bug 1848457 Opened 10 months ago Updated 10 months ago

Hit MOZ_CRASH(We were lied to) at /builds/worker/checkouts/gecko/servo/components/style/bloom.rs:356

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking Status
firefox118 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230727-de3fd99966b1 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(We were lied to) at /builds/worker/checkouts/gecko/servo/components/style/bloom.rs:356

#0 0x7f4afc3bcb57 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f4afc3bcb57 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f4afc3bca28 in mozglue_static::panic_hook::h5dfc9b586b60e89d /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7f4afc3baff5 in core::ops::function::Fn::call::h82e518dc34662806 /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
#4 0x7f4afffba36c in std::panicking::rust_panic_with_hook::hf52c4d76e0e0240c std.12ceba9d6cd90b9b-cgu.4
#5 0x7f4afff87376 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h236d656bd85bdded std.12ceba9d6cd90b9b-cgu.10
#6 0x7f4afff87165 in std::sys_common::backtrace::__rust_end_short_backtrace::h88cef5fde7bea4e5 std.12ceba9d6cd90b9b-cgu.10
#7 0x7f4afffb9f11 in rust_begin_unwind std.12ceba9d6cd90b9b-cgu.4
#8 0x7f4b000281a2 in core::panicking::panic_fmt::h20bcbd54b8224199 core.3cdb792aaed62b52-cgu.4
#9 0x7f4b00019612 in core::option::expect_failed::h0736013769828f60 core.3cdb792aaed62b52-cgu.14
#10 0x7f4afe061c1c in core::option::Option$LT$T$GT$::expect::hb669fc3c5f05815f /builds/worker/fetches/rust/library/core/src/option.rs:898:21
#11 0x7f4afe061c1c in style::bloom::StyleBloom$LT$E$GT$::insert_parents_recovering::hd4930f9d0bb9e948 /builds/worker/checkouts/gecko/servo/components/style/bloom.rs:356:62
#12 0x7f4afe061c1c in style::traversal::compute_style::hd4e4c248c7f03910 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:580:13
#13 0x7f4afe061c1c in style::traversal::recalc_style_at::h8fe41d36b7547699 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:427:13
#14 0x7f4afe061c1c in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::hd798901d02a91216 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#15 0x7f4afe061c1c in style::parallel::style_trees::hb6f250db463dd397 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:154:9
#16 0x7f4afdff40ff in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h12ecdf5a233eab18 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:122:9
#17 0x7f4afdff1073 in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::h0b2e47b0f8842f35 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:59:13
#18 0x7f4afdff1073 in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::hb4078855a3700855 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:477:36
#19 0x7f4afdff1073 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h5f2f1d6cc050424f /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#20 0x7f4afdff1073 in std::panicking::try::do_call::h66f7ca8bea520237 /builds/worker/fetches/rust/library/std/src/panicking.rs:500:40
#21 0x7f4afdff1073 in std::panicking::try::h379b6bd36d7649ff /builds/worker/fetches/rust/library/std/src/panicking.rs:464:19
#22 0x7f4afdff1073 in std::panic::catch_unwind::h279f0d325dc26543 /builds/worker/fetches/rust/library/std/src/panic.rs:142:14
#23 0x7f4afdff1073 in rayon_core::unwind::halt_unwinding::h17559717fc15a43f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
#24 0x7f4afdff1073 in rayon_core::scope::ScopeBase::execute_job_closure::he6ad9fb828dfaa93 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:713:15
#25 0x7f4afdff1073 in rayon_core::scope::ScopeBase::complete::h35d9104f66a61f2e /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:691:31
#26 0x7f4afdff1073 in rayon_core::scope::do_in_place_scope_fifo::ha47dcd787b73658f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:477:5
#27 0x7f4afdff1073 in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::hf2c786d5d9ba5312 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:296:9
#28 0x7f4afdff1073 in style::driver::with_pool_in_place_scope::h36fe0266bec1a5f1 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:58:23
#29 0x7f4afdff1073 in style::driver::traverse_dom::h7944af5a59e16c5b /builds/worker/checkouts/gecko/servo/components/style/driver.rs:119:5
#30 0x7f4afe21bd41 in geckoservo::glue::traverse_subtree::h3ca2d9bcd7393b83 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:285:5
#31 0x7f4afe21c871 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:345:5
#32 0x7f4af03783e3 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:819:9
#33 0x7f4af053461f in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3139:20
#34 0x7f4af04e6ee4 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3276:3
#35 0x7f4af04e4fd6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4328:39
#36 0x7f4ae8470dd4 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1472:5
#37 0x7f4ae8470dd4 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10934:16
#38 0x7f4af03afb6a in Flush /builds/worker/checkouts/gecko/layout/style/nsComputedDOMStyle.cpp:1003:13
#39 0x7f4af03afb6a in nsComputedDOMStyle::UpdateCurrentStyleSources(nsCSSPropertyID) /builds/worker/checkouts/gecko/layout/style/nsComputedDOMStyle.cpp:1055:5
#40 0x7f4af03ae6cd in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char> const&, nsTSubstring<char>&) /builds/worker/checkouts/gecko/layout/style/nsComputedDOMStyle.cpp:458:3
#41 0x7f4ae8bd5934 in mozilla::dom::CSS2Properties_Binding::GetPropertyValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs, nsCSSPropertyID) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:57:24
#42 0x7f4aeaf16f80 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3209:13
#43 0x7f4af5c787af in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#44 0x7f4af5c787af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#45 0x7f4af5c7a8d6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#46 0x7f4af5c7a8d6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#47 0x7f4af5c7c686 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:801:10
#48 0x7f4af602ed7d in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2068:12
#49 0x7f4af602ed7d in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2096:12
#50 0x7f4af602ed7d in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2244:14
#51 0x7f4af602ed7d in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2275:10
#52 0x7f4af60708b5 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:117:10
#53 0x7f4af60708b5 in JS_ForwardGetPropertyTo(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:597:10
#54 0x7f4aeaf34acc in mozilla::dom::GetPropertyOnPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, bool*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:2196:10
#55 0x7f4ae8b3def1 in mozilla::dom::CSS2Properties_Binding::DOMProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:22760:8
#56 0x7f4af655d3bb in getInternal /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:526:19
#57 0x7f4af655d3bb in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:534:10
#58 0x7f4af5cbf542 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:114:12
#59 0x7f4af5cbf542 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
#60 0x7f4af5cbf542 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
#61 0x7f4af5c91d7c in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
#62 0x7f4af5c91d7c in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
#63 0x7f4af5c7755b in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
#64 0x7f4af5c7755b in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#65 0x7f4af5c78965 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#66 0x7f4af5c7a8d6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#67 0x7f4af5c7a8d6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#68 0x7f4af5dd506b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#69 0x7f4aea8d25ff in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#70 0x7f4aebd70900 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#71 0x7f4aebd701f9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1251:43
#72 0x7f4aebd7213d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1453:21
#73 0x7f4aebd591d4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:342:17
#74 0x7f4aebd56ce6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:559:18
#75 0x7f4aebd5d508 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1152:11
#76 0x7f4af05ef229 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1083:7
#77 0x7f4af45e10b8 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6412:20
#78 0x7f4af45dfc15 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5805:7
#79 0x7f4af45e2986 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#80 0x7f4ae68985a3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1378:3
#81 0x7f4ae6896ded in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:976:14
#82 0x7f4ae68921b8 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#83 0x7f4ae689530a in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#84 0x7f4af4636e4a in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13901:23
#85 0x7f4ae4a32bf3 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#86 0x7f4ae4a36114 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#87 0x7f4ae84111be in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11719:18
#88 0x7f4ae84111be in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11657:9
#89 0x7f4ae844902d in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8168:3
#90 0x7f4ae857c12b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#91 0x7f4ae857c12b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#92 0x7f4ae857c12b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#93 0x7f4ae857c12b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#94 0x7f4ae857c12b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#95 0x7f4ae857c12b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#96 0x7f4ae857c12b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#97 0x7f4ae45f1c1a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
#98 0x7f4ae45dc238 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#99 0x7f4ae45d8c47 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#100 0x7f4ae45d9529 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#101 0x7f4ae45f96c1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#102 0x7f4ae45f96c1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#103 0x7f4ae4623e93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#104 0x7f4ae4631c94 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#105 0x7f4ae622cb1e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#106 0x7f4ae605761a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#107 0x7f4ae605761a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#108 0x7f4ae605761a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#109 0x7f4aefb12519 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#110 0x7f4af582e50e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#111 0x7f4ae605761a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#112 0x7f4ae605761a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#113 0x7f4ae605761a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#114 0x7f4af582db0a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#115 0x556ffd4b015e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#116 0x556ffd4b015e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#117 0x7f4b0be29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#118 0x7f4b0be29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#119 0x556ffd3d9798 in _start (/home/user/workspace/browsers/m-c-20230811213712-fuzzing-asan-opt/firefox+0x106798) (BuildId: 21331ccee5863d66afbf8076274ceb97fd3ad71d)

Flags: in-testsuite?
Crash Signature: [@ core::option::expect_failed | style::bloom::StyleBloom<T>::insert_parents_recovering ]

With a debug build I see:

Assertion failure: !aNode.GetAssignedSlot() || aNode.GetAssignedSlot() == this (How exactly?), at /builds/worker/checkouts/gecko/dom/html/HTMLSlotElement.cpp:320

#0 0x7f8e2180a98d in mozilla::dom::HTMLSlotElement::RemoveAssignedNode(nsIContent&) /builds/worker/checkouts/gecko/dom/html/HTMLSlotElement.cpp:319:3
#1 0x7f8e21809eab in mozilla::dom::HTMLSlotElement::Assign(mozilla::dom::Sequence<mozilla::dom::OwningElementOrText> const&) /builds/worker/checkouts/gecko/dom/html/HTMLSlotElement.cpp:273:18
#2 0x7f8e20e76b7d in mozilla::dom::HTMLSlotElement_Binding::assign(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLSlotElementBinding.cpp:770:24
#3 0x7f8e20e9a378 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3327:13
#4 0x7f8e25635564 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#5 0x7f8e25634e7d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#6 0x7f8e25649bf6 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#7 0x7f8e25649bf6 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#8 0x7f8e256343d2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#9 0x7f8e25634e99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#10 0x7f8e2563633d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#11 0x7f8e25726934 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#12 0x7f8e20b723ec in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#13 0x7f8e214f67a6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#14 0x7f8e214f658a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1251:43
#15 0x7f8e214f707c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1453:21
#16 0x7f8e214eb7d0 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:412:5
#17 0x7f8e214eb7d0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:342:17
#18 0x7f8e214ead1a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:559:18
#19 0x7f8e214ed5b5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1152:11
#20 0x7f8e235e4583 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1083:7
#21 0x7f8e24beeff2 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6412:20
#22 0x7f8e24bee513 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5805:7
#23 0x7f8e24bf00c6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#24 0x7f8e1eb48cd9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1378:3
#25 0x7f8e1eb48262 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:976:14
#26 0x7f8e1eb4641b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#27 0x7f8e1eb476b4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#28 0x7f8e24c261cf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13901:23
#29 0x7f8e1dd705af in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#30 0x7f8e1dd71ad0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#31 0x7f8e1f764f4c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11719:18
#32 0x7f8e1f74af44 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8168:3
#33 0x7f8e1f7f9b29 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#34 0x7f8e1f7f9b29 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#35 0x7f8e1f7f9b29 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#36 0x7f8e1f7f9b29 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#37 0x7f8e1f7f9b29 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#38 0x7f8e1f7f9b29 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#39 0x7f8e1f7f9b29 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
...

Verified bug as reproducible on mozilla-central 20230811213712-16838b515ded.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: cbd753d186199d816e1d097631573f601932b96e (20220813092239)
End: de3fd99966b1f7e63bb80655a167ff875cb79f45 (20230727034425)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jfkthame, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)

The testcase insta-crashes for me in Nightly (e.g. https://crash-stats.mozilla.org/report/index/a78b3d6d-b725-4c7d-bf79-092f90230831); but at least it looks like a safe crash.

Clearly there's a real issue here, but not a recent regression, not happening widely, and crashing the content process safely, so marking this S3.

Severity: -- → S3
Flags: needinfo?(jfkthame)

If a Pernosco session would be helpful here add the pernosco-wanted keyword and bugmon will do the rest :)
