Open Bug 1511329 Opened 3 years ago Updated 2 years ago

Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?)

Categories: Core :: Layout, defect, P2

Tracking Status:
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- affected
firefox66 --- affected

People: Reporter: nils, Assigned: emilio

Keywords: assertion, crash

Attachments: 5 files

Attached image svg.svg
The latest ASAN build of Firefox 65.0a1 (SourceStamp=5972866ac7daab2749b0fc47378169e210367a7f) crashes with the following assertion when loading the testcase. It requires the attached svg file served from the same HTTP server. 

Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2695

crash.html:
<script>
// Spin the event loop from inside start(): a synchronous XHR blocks this
// script while pending events (including the iframe load) are processed.
// The request is expected to fail; the error is swallowed.
function spin() {
    var x = new XMLHttpRequest();
    x.open("POST", "https://mozilla.org", false);
    try { x.send("X"); } catch (e) {}
}

function start() {
    // Load the attached svg.svg (same origin) in an iframe.
    o9 = window.document;
    o83 = o9.createElementNS('http://www.w3.org/1999/xhtml', 'iframe');
    o83.src = 'svg.svg';
    window.top.document.body.appendChild(o83);
    spin();

    // Grab the root <svg> of the loaded iframe document and hang a
    // <filter><feDiffuseLighting/></filter> subtree off it.
    o106 = window.top.frames[0].document;
    o124 = o106.firstChild;
    o140 = o106.createElementNS('http://www.w3.org/2000/svg', 'filter');
    o144 = o106.createElementNS('http://www.w3.org/2000/svg', 'feDiffuseLighting');
    o140.appendChild(o144);
    o124.appendChild(o140);

    // Move the SVG root (with its new subtree) into the outer document,
    // then append an <animateMotion> child so SMIL sampling kicks in.
    document.documentElement.appendChild(o124);
    o261 = o106.createElementNS('http://www.w3.org/2000/svg', 'animateMotion');
    o144.appendChild(o261);
    location.reload();
}
</script>
<body onload="start()"></body>

ASAN stack:
Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2695
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f97483f2afa bp 0x7ffc76ea2930 sp 0x7ffc76ea2580 T0)
==18799==The signal is caused by a WRITE memory access.
==18799==Hint: address points to the zero page.
    #0 0x7f97483f2af9 in WritePoisonAtOffset<4> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:44:5
    #1 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:54
    #2 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #3 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #4 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #5 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #6 0x7f97483f2af9 in PoisonObject<mozilla::ServoRestyleState> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:85
    #7 0x7f97483f2af9 in poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:99
    #8 0x7f97483f2af9 in poisonData /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:175
    #9 0x7f97483f2af9 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:491
    #10 0x7f97483f2af9 in ~Maybe /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:184
    #11 0x7f97483f2af9 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2940
    #12 0x7f97483f1306 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2886:32
    #13 0x7f97483f50df in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3093:28
    #14 0x7f974839586a in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3187:3
    #15 0x7f974839586a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4358
    #16 0x7f9741da3afe in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:591:5
    #17 0x7f9741da3afe in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7790
    #18 0x7f9747428c58 in nsSMILAnimationController::DoSample(bool) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.cpp:439:15
    #19 0x7f9748394e7e in Resample /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:73:21
    #20 0x7f9748394e7e in FlushResampleRequests /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:89
    #21 0x7f9748394e7e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4340
    #22 0x7f9745644919 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:582:5
    #23 0x7f9745644919 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5721
    #24 0x7f9745644919 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:690
    #25 0x7f97483cab33 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7701:19
    #26 0x7f97483c596d in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7346:17
    #27 0x7f9747b22c6d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:812:14
    #28 0x7f9747b22454 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1141:9
    #29 0x7f9747bcac00 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:409:35
    #30 0x7f9740e90e5a in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:542:21
    #31 0x7f974728807c in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1728:10
    #32 0x7f974728807c in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1659
    #33 0x7f97472895df in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1631:3
    #34 0x7f97472898d0 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1592:8
    #35 0x7f97472898d0 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp
    #36 0x7f973f9e2a68 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3530:20
    #37 0x7f973ef68bd6 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5438:28
    #38 0x7f973ec7d0b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2245:25
    #39 0x7f973ec78a3a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2172:17
    #40 0x7f973ec7ac41 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2009:5
    #41 0x7f973ec7bb07 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2042:15
    #42 0x7f973d9c44e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #43 0x7f973da01928 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #44 0x7f973da0a6dd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #45 0x7f973ec8646f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #46 0x7f973eb7dc0e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #47 0x7f973eb7dc0e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #48 0x7f973eb7dc0e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #49 0x7f9747c1ba93 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #50 0x7f974c66cc8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:951:22
    #51 0x7f973eb7dc0e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #52 0x7f973eb7dc0e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #53 0x7f973eb7dc0e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #54 0x7f974c66bcde in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:777:34
    #55 0x55f031121864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #56 0x55f031121864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #57 0x7f97612d0b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #58 0x55f031046eec in _start (/home/nils/fuzzer3/firefox/firefox+0x2deec)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:44:5 in WritePoisonAtOffset<4>
==18799==ABORTING
Attached file ASAN output
INFO: Last good revision: f3350af3387d7bbed6c617f45a4e666b7ee1e4d2
INFO: First bad revision: 12a824f8d55a8fb0396fb2132974f8223c6a9606
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f3350af3387d7bbed6c617f45a4e666b7ee1e4d2&tochange=12a824f8d55a8fb0396fb2132974f8223c6a9606

Note that on older builds, it was hitting the Rust panic added by the upstream commit autolanded one commit prior (https://hg.mozilla.org/integration/autoland/rev/f3350af3387d) instead of the assertion originally noted by the reporter:
WARN 2018-11-30T17:16:44Z: geckoservo::glue: Trying to get change hint from unstyled element
INFO: thread '<unnamed>' panicked at 'Invoking Servo_Element_IsDisplayContents on unstyled element', libcore/option.rs:917:5

It became the filed assertion when said assertion landed.
https://hg.mozilla.org/integration/mozilla-inbound/rev/4ca67a1ab5b2

Also crashes opt builds:
https://crash-stats.mozilla.com/report/index/11bd4033-ad79-4b74-9f90-f6e390181130
Blocks: 1303605
Group: core-security → layout-core-security
Crash Signature: [@ mozilla::RestyleManager::ProcessPostTraversal ]
Has Regression Range: --- → yes
Has STR: --- → irrelevant
Flags: needinfo?(emilio)
Keywords: assertion, crash
Version: 65 Branch → unspecified
Per IRC discussion with Emilio, this isn't s-s.
Group: layout-core-security
In particular it was wallpapered in bug 1458556, so I don't think this should crash a release build. But I still want to look at this test-case, since the only other test-case we had for this was XBL-unsoundness, and this doesn't seem to have any XBL stuff.
Priority: -- → P2

Adding 66 as affected since I see crashes in crash stats there as well.

Ok, I finally got some mental space to take a look at this.

Assignee: nobody → emilio

The issue is that, at the time this runs, the parent element has been styled and laid out already, but the parser appends kids without notifying.

Flags: needinfo?(emilio)