Closed
Bug 1415663
Opened 7 years ago
Closed 7 years ago
stylo: Shadow DOM: thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
Categories
(Core :: CSS Parsing and Computation, defect, P4)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla58
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
223 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev f63559d7e6a5.
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
left: `0`,
right: `7`', /builds/worker/workspace/build/src/servo/components/style/traversal.rs:666:12
stack backtrace:
0: 0x7f2adb81bb83 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hfc7985b08e763a82
1: 0x7f2adb8163c4 - std::sys_common::backtrace::_print::h16a1db02a59ead63
2: 0x7f2adb8292a3 - std::panicking::default_hook::{{closure}}::h48ecee46f2eefc30
3: 0x7f2adb829012 - std::panicking::default_hook::hb4c92ae8d005ca44
4: 0x7f2adb8297a6 - std::panicking::rust_panic_with_hook::h25d461655d60b1a5
5: 0x7f2adb8295c4 - std::panicking::begin_panic::h0f6fdd9abfd7dfb9
6: 0x7f2adb829539 - std::panicking::begin_panic_fmt::ha31e26b280c9e878
7: 0x7f2adb89af12 - style::traversal::compute_style::hb1c18cb61e3b45ed
8: 0x7f2adb1c5925 - <style::gecko::traversal::RecalcStyleOnly<'recalc> as style::traversal::DomTraversal<style::gecko::wrapper::GeckoElement<'le>>>::process_preorder::h8e5b82ff2bd82f37
9: 0x7f2adb8978ee - style::driver::traverse_dom::h25345f88fe7354a4
10: 0x7f2adb1778f2 - geckoservo::glue::traverse_subtree::h185e3a4b911f53a6
11: 0x7f2adb177c8f - Servo_TraverseSubtree
12: 0x7f2ad9825170 - _ZN7mozilla13ServoStyleSet16StyleNewChildrenEPNS_3dom7ElementE
13: 0x7f2ad95605c0 - _ZN20AutoStyleNewChildrenD1Ev
14: 0x7f2ad9579153 - _ZN12nsXBLService12LoadBindingsEP10nsIContentP6nsIURIP12nsIPrincipalPP12nsXBLBindingPb
15: 0x7f2ad9944b20 - _ZN21nsCSSFrameConstructor33AddFrameConstructionItemsInternalER23nsFrameConstructorStateP10nsIContentP16nsContainerFrameP6nsAtomibP14nsStyleContextjP8nsTArrayIN26nsIAnonymousContentCreator11ContentInfoEERNS_25FrameConstructionItemListE
16: 0x7f2ad99461da - _ZN21nsCSSFrameConstructor27DoAddFrameConstructionItemsER23nsFrameConstructorStateP10nsIContentP14nsStyleContextbP16nsContainerFrameP8nsTArrayIN26nsIAnonymousContentCreator11ContentInfoEERNS_25FrameConstructionItemListE
17: 0x7f2ad9946276 - _ZN21nsCSSFrameConstructor25AddFrameConstructionItemsER23nsFrameConstructorStateP10nsIContentbRKNS_14InsertionPointERNS_25FrameConstructionItemListE
18: 0x7f2ad9952ee5 - _ZN21nsCSSFrameConstructor20ContentRangeInsertedEP10nsIContentS1_S1_P21nsILayoutHistoryStateNS_13InsertionKindEP16TreeMatchContext
19: 0x7f2ad99541be - _ZN21nsCSSFrameConstructor24RecreateFramesForContentEP10nsIContentNS_13InsertionKindE
20: 0x7f2ad98fc597 - _ZN7mozilla14RestyleManager21ProcessRestyledFramesER17nsStyleChangeList
21: 0x7f2ad9908577 - _ZN7mozilla19ServoRestyleManager24DoProcessPendingRestylesENS_19ServoTraversalFlagsE
22: 0x7f2ad99095ec - _ZN7mozilla9PresShell27DoFlushPendingNotificationsENS_14ChangesToFlushE
23: 0x7f2ad98d8f3d - _ZN15nsRefreshDriver4TickElN7mozilla9TimeStampE
24: 0x7f2ad98da05b - _ZN7mozilla18RefreshDriverTimer18TickRefreshDriversElNS_9TimeStampER8nsTArrayI6RefPtrI15nsRefreshDriverEE
25: 0x7f2ad98da134 - _ZN7mozilla18RefreshDriverTimer4TickElNS_9TimeStampE
26: 0x7f2ad98da2ee - _ZN7mozilla23VsyncRefreshDriverTimer26RefreshDriverVsyncObserver17TickRefreshDriverENS_9TimeStampE
27: 0x7f2ad98da643 - _ZN7mozilla23VsyncRefreshDriverTimer26RefreshDriverVsyncObserver26ParentProcessVsyncNotifier3RunEv
28: 0x7f2ad7af66cb - _ZN8nsThread16ProcessNextEventEbPb.part.267
29: 0x7f2ad7af7484 - _Z19NS_ProcessNextEventP9nsIThreadb
30: 0x7f2ad7eb558b - _ZN7mozilla3ipc11MessagePump3RunEPN4base11MessagePump8DelegateE
31: 0x7f2ad7e8a9ee - _ZN11MessageLoop11RunInternalEv
32: 0x7f2ad7e8aa1a - _ZN11MessageLoop3RunEv
33: 0x7f2ad96cff5e - _ZN14nsBaseAppShell3RunEv
34: 0x7f2ada60247c - _ZN12nsAppStartup3RunEv
35: 0x7f2ada689a23 - _ZN7XREMain11XRE_mainRunEv
36: 0x7f2ada68a21f - _ZN7XREMain8XRE_mainEiPPcRKN7mozilla15BootstrapConfigE
37: 0x7f2ada68a504 - _Z8XRE_mainiPPcRKN7mozilla15BootstrapConfigE
38: 0x4073ac - _ZL7do_mainiPPcS0_
39: 0x406c5c - main
40: 0x7f2ae8d9682f - __libc_start_main
41: 0x406ebc - <unknown>
Redirecting call to abort() to mozalloc_abort
Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
shadow dom is something we haven't supported... so I'm not sure how much we care about this...
|
||
Comment 2•7 years ago
|
||
Are the fuzzers explicitly enabling Shadow DOM? Or is the functionality exposed in Nightly, but just not supported?
status-firefox56:
--- → unaffected
status-firefox57:
--- → wontfix
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
Priority: -- → P4
Summary: stylo: thread '<unnamed>' panicked at 'assertion failed: `(left == right)` → stylo: Shadow DOM: thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
|
||
Comment 3•7 years ago
|
||
This appears to have been fixed by bug 1415353. Emilio, is this testcase worth landing still or is the crashtest from that bug good enough?
Assignee: nobody → emilio
Status: NEW → RESOLVED
Has Regression Range: --- → yes
Closed: 7 years ago
Depends on: 1415353
Flags: needinfo?(emilio)
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Version: 52 Branch → Trunk
|
Assignee | |
Comment 4•7 years ago
|
||
(In reply to Xidorn Quan [:xidorn] UTC-8 (less responsive Nov 5 ~ Dec 16) from comment #1)
> shadow dom is something we haven't supported... so I'm not sure how much we
> care about this...
I implemented most of the bits, so we should support it to some extent. I'm trying to find time to actively work on it too :)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> This appears to have been fixed by bug 1415353. Emilio, is this testcase
> worth landing still or is the crashtest from that bug good enough?
I think it's worth landing, <marquee> is way more gross than <textarea>, I'll keep ni? to land it tomorrow, but feel free to do that if you have the time.
|
|
||
Comment 5•7 years ago
|
||
I'm queueing up some other crashtests anyway. I'll get it :)
Flags: needinfo?(emilio) → needinfo?(ryanvm)
|
|
||
Updated•7 years ago
|
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2557e97345f3
Add crashtest. r=me
|
||
Comment 7•7 years ago
|
||
| bugherder | ||
|
Reporter | |
Comment 8•7 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #2)
> Are the fuzzers explicitly enabling Shadow DOM? Or is the functionality
> exposed in Nightly, but just not supported?
We've recently enabled shadow dom in our default fuzzing prefs. It is not, as far as I'm aware, enabled by default in nightly.
You need to log in
before you can comment on or make changes to this bug.
Description
•