Closed Bug 1534399 Opened 1 year ago Closed 1 year ago

Assertion failure: aSheet->IsApplicable(), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:624

Categories

(Core :: Layout, defect, P3)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: heycam)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f4c23517cec8.

Assertion failure: aSheet->IsApplicable(), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:624

OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::ServoStyleSet::AppendStyleSheet(mozilla::SheetType, mozilla::StyleSheet*)|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|624|0x0
0|1|libxul.so|nsDocumentViewer::CreateStyleSet(mozilla::dom::Document*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|2317|0x22
0|2|libxul.so|nsDocumentViewer::InitPresentationStuff(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|730|0xf
0|3|libxul.so|nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|977|0x13
0|4|libxul.so|nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|712|0xb
0|5|libxul.so|nsDocShell::SetupNewViewer(nsIContentViewer*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|8299|0x18
0|6|libxul.so|nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|6259|0xc
0|7|libxul.so|nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|8110|0x15
0|8|libxul.so|nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDSURIContentListener.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|183|0x17
0|9|libxul.so|nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|750|0x2
0|10|libxul.so|nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|421|0x14
0|11|libxul.so|nsDocumentOpenInfo::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|299|0xd
0|12|libxul.so|nsBaseChannel::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|763|0x19
0|13|libxul.so|nsInputStreamPump::OnStateStart()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|487|0x15
0|14|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|396|0x8
0|15|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|91|0x15
0|16|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|295|0x15
0|17|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|1179|0x15
0|18|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|482|0x11
0|19|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|88|0xa
0|20|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|315|0x17
0|21|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|308|0x8
0|22|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|137|0xd
0|23|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|911|0x11
0|24|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|238|0x5
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|315|0x17
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|308|0x8
0|27|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|749|0xc
0|28|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|49|0x14
0|29|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|265|0x11
0|30|libc-2.27.so||||0x21b97
0|31|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|184|0x5

Flags: in-testsuite?
Component: Inspector: Layout → Layout
Product: DevTools → Core

I should add the test...

Assignee: nobody → cam
Status: NEW → ASSIGNED
Priority: -- → P3
Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fddd0d8d0be5
Don't allow disabling non-author sheets. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Is there a user impact which justifies Beta consideration or can this just ride the trains?

Flags: needinfo?(cam)
Flags: in-testsuite? → in-testsuite+

No, this is just a null pointer dereference, and only triggerable by typing things into the browser console.

Flags: needinfo?(cam)