Closed Bug 1402419 Opened 3 years ago Closed 3 years ago

stylo: panicked at 'dtoa may have changed its buffer size'

Categories: Core :: CSS Parsing and Computation, defect, P2

Tracking: RESOLVED FIXED, target milestone mozilla58

Tracking Status:
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- unaffected
firefox57 --- wontfix
firefox58 --- fixed

People: Reporter: truber, Assigned: manishearth

References: Blocks 2 open bugs

Details: Keywords: assertion, testcase

Attachments: 3 files, 1 obsolete file

Attached file testcase.html
The attached testcase causes a panic in m-c rev 20170922-5a63d8457a2a

thread '<unnamed>' panicked at 'dtoa may have changed its buffer size', /builds/worker/workspace/build/src/third_party/rust/dtoa-short/src/lib.rs:71
#0: mozalloc_abort, at memory/mozalloc/mozalloc_abort.cpp:33
#1: abort, at memory/mozalloc/mozalloc_abort.cpp:80
#2: panic_abort::__rust_start_panic, at src/libpanic_abort/lib.rs:61
#3: std::panicking::rust_panic, at src/libstd/panicking.rs:580
#4: std::panicking::rust_panic_with_hook, at src/libstd/panicking.rs:565
#5: std::panicking::begin_panic<&str>, at src/libstd/panicking.rs:511
#6: dtoa_short::restrict_prec, at third_party/rust/dtoa-short/src/lib.rs:71
#7: dtoa_short::write_with_prec<collections::string::String,f32>, at third_party/rust/dtoa-short/src/lib.rs:64
#8: cssparser::serializer::write_numeric<collections::string::String>, at third_party/rust/cssparser/src/serializer.rs:44
#9: cssparser::serializer::{{impl}}::to_css<collections::string::String>, at third_party/rust/cssparser/src/serializer.rs:84
#10: cssparser::serializer::ToCss::to_css_string<cssparser::tokenizer::Token>, at third_party/rust/cssparser/src/serializer.rs:26
#11: geckoservo::error_reporter::ErrorString::into_str, at servo/ports/geckolib/error_reporter.rs:56
#12: geckoservo::error_reporter::{{impl}}::report_error::{{closure}}, at servo/ports/geckolib/error_reporter.rs:349
#13: core::option::Option<geckoservo::error_reporter::ErrorString>::map<geckoservo::error_reporter::ErrorString,cssparser::cow_rc_str::CowRcStr,closure>, at src/libcore/option.rs:398
#14: geckoservo::error_reporter::{{impl}}::report_error, at servo/ports/geckolib/error_reporter.rs:349
#15: style::parser::ParserContext::log_css_error<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/parser.rs:131
#16: style::properties::declaration_block::parse_property_declaration_list<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/properties/declaration_block.rs:1086
#17: style::stylesheets::rule_parser::{{impl}}::parse_block<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/stylesheets/rule_parser.rs:583
#18: style::stylesheets::rule_parser::{{impl}}::parse_block<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/stylesheets/rule_parser.rs:298
#19: cssparser::rules_and_declarations::parse_qualified_rule::{{closure}}<style::stylesheets::rule_parser::TopLevelRuleParser<geckoservo::error_reporter::ErrorReporter>,selectors::parser::SelectorParseError<style_traits::StyleParseError>>, at third_party/rust/cssparser/src/rules_and_declarations.rs:525
#20: cssparser::parser::Parser::parse_entirely<closure,style::stylesheets::CssRule,selectors::parser::SelectorParseError<style_traits::StyleParseError>>, at third_party/rust/cssparser/src/parser.rs:472
#21: cssparser::parser::parse_nested_block<closure,style::stylesheets::CssRule,selectors::parser::SelectorParseError<style_traits::StyleParseError>>, at third_party/rust/cssparser/src/parser.rs:857
#22: cssparser::rules_and_declarations::parse_qualified_rule<style::stylesheets::rule_parser::TopLevelRuleParser<geckoservo::error_reporter::ErrorReporter>,selectors::parser::SelectorParseError<style_traits::StyleParseError>>, at third_party/rust/cssparser/src/rules_and_declarations.rs:525
#23: cssparser::rules_and_declarations::{{impl}}::next<style::stylesheets::CssRule,style::stylesheets::rule_parser::TopLevelRuleParser<geckoservo::error_reporter::ErrorReporter>,selectors::parser::SelectorParseError<style_traits::StyleParseError>>, at third_party/rust/cssparser/src/rules_and_declarations.rs:378
#24: style::stylesheets::stylesheet::Stylesheet::parse_rules<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/stylesheets/stylesheet.rs:387
#25: style::stylesheets::stylesheet::StylesheetContents::from_str<geckoservo::error_reporter::ErrorReporter>, at servo/components/style/stylesheets/stylesheet.rs:83
#26: geckoservo::glue::Servo_StyleSheet_FromUTF8Bytes, at servo/ports/geckolib/glue.rs:920
#27: mozilla::ServoStyleSheet::ParseSheet, at layout/style/ServoStyleSheet.cpp:213
#28: mozilla::css::Loader::ParseSheet, at layout/style/Loader.cpp:1653
#29: mozilla::css::Loader::LoadInlineStyle, at layout/style/Loader.cpp:1912
#30: nsStyleLinkElement::DoUpdateStyleSheet, at dom/base/nsStyleLinkElement.cpp:551
#31: nsStyleLinkElement::UpdateStyleSheet, at dom/base/nsStyleLinkElement.cpp:336
#32: nsHtml5DocumentBuilder::UpdateStyleSheet, at parser/html/nsHtml5DocumentBuilder.cpp:85
#33: nsHtml5TreeOperation::Perform, at parser/html/nsHtml5TreeOperation.cpp:959
#34: nsHtml5TreeOpExecutor::RunFlushLoop, at parser/html/nsHtml5TreeOpExecutor.cpp:461
#35: nsHtml5ExecutorFlusher::Run, at parser/html/nsHtml5StreamParser.cpp:130
#36: mozilla::SchedulerGroup::Runnable::Run, at xpcom/threads/SchedulerGroup.cpp:396
#37: nsThread::ProcessNextEvent, at xpcom/threads/nsThread.cpp:1039
#38: NS_ProcessNextEvent, at xpcom/threads/nsThreadUtils.cpp:521
#39: mozilla::ipc::MessagePump::Run, at ipc/glue/MessagePump.cpp:125
#40: MessageLoop::RunInternal, at ipc/chromium/src/base/message_loop.cc:326
#41: MessageLoop::Run, at ipc/chromium/src/base/message_loop.cc:319
#42: nsBaseAppShell::Run, at widget/nsBaseAppShell.cpp:158
#43: XRE_RunAppShell, at toolkit/xre/nsEmbedFunctions.cpp:880
#44: mozilla::ipc::MessagePumpForChildProcess::Run, at ipc/glue/MessagePump.cpp:269
#45: MessageLoop::RunInternal, at ipc/chromium/src/base/message_loop.cc:326
#46: MessageLoop::Run, at ipc/chromium/src/base/message_loop.cc:319
#47: XRE_InitChildProcess, at toolkit/xre/nsEmbedFunctions.cpp:705
#48: content_process_main, at ipc/contentproc/plugin-container.cpp:63
#49: main, at browser/app/nsBrowserApp.cpp:285
#50: libc-2.26.so+0x20f6a
#51: MOZ_ReportAssertionFailure, at mfbt/Assertions.h:165
Flags: in-testsuite?
INFO: Last good revision: fc5fc58f42a3ebab01c6e83901a2dde2435b0933
INFO: First bad revision: 61598569fcdf491c5ccbf24aa59683dc5e0e958e
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fc5fc58f42a3ebab01c6e83901a2dde2435b0933&tochange=61598569fcdf491c5ccbf24aa59683dc5e0e958e
Has Regression Range: --- → yes
Flags: needinfo?(simon.sapin)
Priority: -- → P2
dtoa has *not* changed the buffer size, but this seems to be a bug in dtoa-short.

Can be repro'd with

```
extern crate dtoa_short;

fn main() {
    // f32 value that reproduces the panic: writing it through dtoa_short
    // trips the debug assertion in dtoa_short::restrict_prec (see the
    // stack above). Run with debug assertions enabled.
    let f = -8192e17f32;
    let mut dest = "".to_owned();
    let res = dtoa_short::write(&mut dest, f);
    println!("{:?} {:?}", dest, res);
}
```
https://github.com/upsuper/dtoa-short/pull/2

should probably set up fuzz scripts for dtoa and other crates
Assignee: nobody → manishearth
Status: NEW → ASSIGNED
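The assertion fires in dtoa_short::restrict_prec, the step that takes dtoa's shortest round-trip representation and caps it to a fixed number of significant digits; the reproducer's value, -8192e17, is -8.192e20, a four-digit mantissa with an exponent, which presumably is the case the crate mishandled. What follows is an added example and not dtoa-short's code or anything attached to this bug: a std-only Rust sketch of such a cap, written so that a mantissa shorter than the cap leaves the exponent untouched, together with the kind of sweep script the comment above asks for. It assumes a cap of 6 significant digits, uses Rust's `{:e}` formatter in place of the dtoa crate, truncates rather than rounds, and the names `write_short`, `restrict_prec`, `check` and `sweep` are chosen here.

```rust
use std::panic;

/// Significant digits kept. Assumed for this example; the crate's default
/// is not stated on this page.
pub const PREC: usize = 6;

/// Stand-in for dtoa_short::write (not the crate's code): shortest
/// round-trip form (Rust's `{:e}` here, dtoa in the crate), then capped.
pub fn write_short(value: f32) -> String {
    restrict_prec(&format!("{:e}", value), PREC)
}

/// Keep at most `prec` significant digits of the mantissa by truncation
/// and copy the exponent part through unchanged. A mantissa with fewer
/// than `prec` digits (the "-8.192e20" case) must come back as-is.
pub fn restrict_prec(s: &str, prec: usize) -> String {
    let (mantissa, exponent) = match s.find('e') {
        Some(i) => s.split_at(i),
        None => (s, ""),
    };
    let mut out = String::with_capacity(s.len());
    let mut significant = 0usize; // digits seen since the first non-zero one
    let mut in_fraction = false;
    for c in mantissa.chars() {
        if c == '.' {
            in_fraction = true;
            out.push(c);
        } else if !c.is_ascii_digit() {
            out.push(c); // sign, or the letters of "inf" / "NaN"
        } else {
            if c != '0' || significant > 0 {
                significant += 1;
            }
            if significant <= prec {
                out.push(c);
            } else if !in_fraction {
                out.push('0'); // dropped integer digit: keep the magnitude
            } // a dropped fraction digit is simply omitted
        }
    }
    if out.ends_with('.') {
        out.pop();
    }
    out.push_str(exponent);
    out
}

fn significant_digits(mantissa: &str) -> usize {
    mantissa.chars().filter(|c| c.is_ascii_digit()).skip_while(|&c| c == '0').count()
}

/// Properties every input must satisfy: no panic, output parses as f32,
/// at most PREC significant digits, and the value survives to within the
/// precision deliberately discarded (< 1e-5 relative, plus f32 rounding).
pub fn check(value: f32) -> Result<String, String> {
    let out = panic::catch_unwind(move || write_short(value))
        .map_err(|_| format!("{:e}: write_short panicked", value))?;
    let parsed = out
        .parse::<f32>()
        .map_err(|e| format!("{:e} -> {:?}: does not parse ({})", value, out, e))?;
    let digits = significant_digits(out.split('e').next().unwrap_or(""));
    if digits > PREC {
        return Err(format!("{:e} -> {:?}: {} significant digits", value, out, digits));
    }
    let close = if value.is_nan() {
        parsed.is_nan()
    } else if value.is_infinite() {
        parsed == value
    } else {
        (parsed - value).abs() <= value.abs() * 2e-5
    };
    if !close {
        return Err(format!("{:e} -> {:?}: round-trips to {:e}", value, out, parsed));
    }
    Ok(out)
}

/// Deterministic walk over the f32 bit space (a Weyl sequence), so the
/// sweep covers normals, subnormals, zeros, infinities and NaNs. Returns
/// the first failures found, which is what a fuzz script would report.
pub fn sweep(count: u32) -> Vec<String> {
    let mut failures = Vec::new();
    let mut bits: u32 = 0;
    for _ in 0..count {
        bits = bits.wrapping_add(0x9E37_79B9);
        if let Err(e) = check(f32::from_bits(bits)) {
            failures.push(e);
            if failures.len() >= 10 {
                break;
            }
        }
    }
    failures
}

fn main() {
    println!("{}", write_short(-8192e17f32)); // the reproducer's value
    for f in sweep(200_000) {
        println!("FAIL {}", f);
    }
}
```

The point of `check` is that a fuzz target for a formatter needs more than "did not panic": it also has to assert the output parses, stays within the advertised digit budget, and round-trips within the precision that was thrown away, otherwise a truncation that eats into the exponent (which is exactly the kind of mistake a "buffer size" assertion is guarding against) passes silently.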
Comment on attachment 8911343 [details]
Bug 1402419 - Update dtoa-short ;

https://reviewboard.mozilla.org/r/182818/#review188054

::: commit-message-97282:1
(Diff revision 1)
> +Bug 1402419 - Update dtoa ; r?xidorn

dtoa-short. And you need a revendor.
Attachment #8911343 - Flags: review?(xidorn+moz)
Ah, revendor is automatic.
Comment on attachment 8911344 [details]
Bug 1402419 - Add crashtest ;

https://reviewboard.mozilla.org/r/182820/#review188056
Attachment #8911344 - Flags: review?(xidorn+moz) → review+
Comment on attachment 8911343 [details]
Bug 1402419 - Update dtoa-short ;

https://reviewboard.mozilla.org/r/182818/#review188058

I still think you should revendor here, though.
Attachment #8911343 - Flags: review?(xidorn+moz) → review+
Comment on attachment 8911353 [details]
Bug 1402419 - Revendor deps;

https://reviewboard.mozilla.org/r/182832/#review188060
Attachment #8911353 - Flags: review?(xidorn+moz) → review+
Attachment #8911353 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/acd13a6b018c
https://hg.mozilla.org/mozilla-central/rev/115aa813430b
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Please request Beta approval on this when you get a chance.
Flags: needinfo?(simon.sapin)
Flags: needinfo?(manishearth)
Flags: in-testsuite?
Flags: in-testsuite+
I'm not sure whether it's worth a beta uplift, actually... it is just a debug_assert which doesn't cause any harm even if violated. But maybe it isn't too troublesome to do beta uplift for such thing either :)
Yeah, it's not safety or correctness related, it's a future-proofing debug assert that happened to be incorrect. The crate still works fine with the assert violated.
Flags: needinfo?(manishearth)