Closed Bug 1402027 Opened 3 years ago Closed 3 years ago

stylo: Assertion failure: aElement->GetComposedDoc()->GetServoRestyleRoot(), at /builds/worker/workspace/build/src/dom/base/Element.cpp:4367

Categories

(Core :: DOM: Core & HTML, defect, P2)

defect

RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 47f7b6c64265.
Flags: in-testsuite?
Attached file Minidump stack trace
Priority: -- → P2
Summary: Assertion failure: aElement->GetComposedDoc()->GetServoRestyleRoot(), at /builds/worker/workspace/build/src/dom/base/Element.cpp:4367 → stylo: Assertion failure: aElement->GetComposedDoc()->GetServoRestyleRoot(), at /builds/worker/workspace/build/src/dom/base/Element.cpp:4367
Requesting tracking on all outstanding p2 stylo bugs.
I can't reproduce this on a recent linux64 debug build (with domFuzzLite3 installed). Any tips?
Flags: needinfo?(jkratzer)
Me neither, fwiw.
(In reply to Bobby Holley (:bholley) (busy with Stylo) from comment #3)
> I can't reproduce this on a recent linux64 debug build (with domFuzzLite3
> installed). Any tips?

It appears that this testcase only reproduces in its current form using xvfb.  My guess is that it's due to Firefox's starting window size.
Flags: needinfo?(jkratzer)
I can't repro even if I change the starting window size.
Neither can I, even when I use Xvfb (or Xnest).  I just did "xvfb-run ./mach run /tmp/trigger.html".  (I had trouble installing domFuzzLite3, but I added some C++/WebIDL functions to call that did the same window resize / font zoom stuff the test is doing.)
(In reply to Bobby Holley (:bholley) (busy with Stylo) from comment #2)
> Requesting tracking on all outstanding p2 stylo bugs.

This isn't very helpful; when making a tracking decision it's useful to know the reasoning for the request and the impact of each bug.
(In reply to Cameron McCormack (:heycam) from comment #7)
> (I had trouble installing domFuzzLite3, but I added
> some C++/WebIDL functions to call that did the same window resize / font
> zoom stuff the test is doing.)

For future reference, you can do the following:

> git clone https://github.com/MozillaSecurity/domfuzz.git
> cd domfuzz/dom/extension
> make

That should generate an XPI file. You'll then need to twiddle |extension.legacy.enabled| and |xpinstall.signatures.required|, and then you can install the addon.
So I, along with three other engineers in this bug, can't reproduce this.

Here's what I've done:

* Checked out the latest m-c rev: https://hg.mozilla.org/mozilla-central/rev/33b7b8e81b4b
* built with the following .mozconfig https://pastebin.mozilla.org/9068253
* Installed domFuzzLite per comment 9.
* Downloaded the attached testcases, put it in a directory, and launched |python -m SimpleHTTPServer|.
* ./mach run http://localhost:8000/testcase.html
* Whitelisted localhost for popups, ran the above again
* xvfb-run ./mach run http://localhost:8000/testcase.html

This bug was similar to bug 1400936, which landed recently along with a followup (bug 1402684). So it's possible that the fix for those bugs, or other recent fuzz bugs also fixed this.

Jason, can you try reproducing on today's nightly? If you can, can you give some more tips of what we should be doing beyond the above?
Flags: needinfo?(jkratzer)
(In reply to Bobby Holley (:bholley) (busy with Stylo) from comment #10)
> So I, along with three other engineers in this bug, can't reproduce this.
> 
> Here's what I've done:
> 
> * Checked out the latest m-c rev:
> https://hg.mozilla.org/mozilla-central/rev/33b7b8e81b4b
> * built with the following .mozconfig https://pastebin.mozilla.org/9068253
> * Installed domFuzzLite per comment 9.
> * Downloaded the attached testcases, put it in a directory, and launched
> |python -m SimpleHTTPServer|.
> * ./mach run http://localhost:8000/testcase.html
> * Whitelisted localhost for popups, ran the above again
> * xvfb-run ./mach run http://localhost:8000/testcase.html
> 
> This bug was similar to bug 1400936, which landed recently along with a
> followup (bug 1402684). So it's possible that the fix for those bugs, or
> other recent fuzz bugs also fixed this.
> 
> Jason, can you try reproducing on today's nightly? If you can, can you give
> some more tips of what we should be doing beyond the above?

I just tested this against mc-debug rev bc5672989895 and was unable to reproduce the issue.
Flags: needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML