Closed Bug 1535426 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Expected a stylesheet loader for @import) at src/libcore/option.rs:1008

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1533783

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev ab709310d23f.

Hit MOZ_CRASH(Expected a stylesheet loader for @import) at src/libcore/option.rs:1008

rax = 0x00005592755a7e40 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007ffe28a3de7a
rsi = 0x00007f4e928168b0 rdi = 0x00007f4e92815680
rbp = 0x00007ffe28a3de60 rsp = 0x00007ffe28a3de50
r8 = 0x00007f4e928168b0 r9 = 0x00007f4e93973740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00000000000003f0 r13 = 0x0000000000000015
r14 = 0x00007f4e7819f700 r15 = 0x0000000000000028
rip = 0x00007f4e8335f833
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|GeckoCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:ab709310d23f9b7b17ba50731c63666aaf67945b|314|0x0
0|1|libxul.so|gkrust_shared::panic_hook|hg:hg.mozilla.org/mozilla-central:toolkit/library/rust/shared/lib.rs:ab709310d23f9b7b17ba50731c63666aaf67945b|234|0x9
0|2|libxul.so|core::ops::function::Fn::call|git:github.com/rust-lang/rust:src/libcore/ops/function.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|78|0x5
0|3|libxul.so|std::panicking::rust_panic_with_hook|git:github.com/rust-lang/rust:src/libstd/panicking.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|495|0x6
0|4|libxul.so|std::panicking::continue_panic_fmt|git:github.com/rust-lang/rust:src/libstd/panicking.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|398|0x18
0|5|libxul.so|rust_begin_unwind|git:github.com/rust-lang/rust:src/libstd/panicking.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|325|0x5
0|6|libxul.so|core::panicking::panic_fmt|git:github.com/rust-lang/rust:src/libcore/panicking.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|95|0x6
0|7|libxul.so|core::option::expect_failed|git:github.com/rust-lang/rust:src/libcore/option.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|1008|0x12
0|8|libxul.so|cssparser::rules_and_declarations::parse_at_rule|git:github.com/rust-lang/rust:src/libcore/option.rs:9fda7c2237db910e41d6a712e9a2139b352e558b|322|0x12
0|9|libxul.so|cssparser::rules_and_declarations::parse_one_rule|hg:hg.mozilla.org/mozilla-central:third_party/rust/cssparser/src/rules_and_declarations.rs:ab709310d23f9b7b17ba50731c63666aaf67945b|439|0xd
0|10|libxul.so|style::stylesheets::CssRule::parse::h23c763e86b89e425|||0x151
0|11|libxul.so|<servo_arc::RawOffsetArc<style::shared_lock::Locked<style::stylesheets::rule_list::CssRules>> as style::stylesheets::rule_list::CssRulesHelpers>::insert_rule|hg:hg.mozilla.org/mozilla-central:servo/components/style/stylesheets/rule_list.rs:ab709310d23f9b7b17ba50731c63666aaf67945b|172|0x17
0|12|libxul.so|Servo_CssRules_InsertRule|hg:hg.mozilla.org/mozilla-central:servo/ports/geckolib/glue.rs:ab709310d23f9b7b17ba50731c63666aaf67945b|1886|0x2e
0|13|libxul.so|mozilla::ServoCSSRuleList::InsertRule(nsTSubstring<char16_t> const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/style/ServoCSSRuleList.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|166|0x2a
0|14|libxul.so|mozilla::StyleSheet::InsertRuleInternal(nsTSubstring<char16_t> const&, unsigned int, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:layout/style/StyleSheet.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1114|0x16
0|15|libxul.so|mozilla::dom::CSSStyleSheet_Binding::insertRule|s3:gecko-generated-sources:8f650a4639194fdf1ab771ed4256a9e9669e9ffb005f76fbfc6d371809fa2658b12ae964f7f8ea218175684282884c105964ecce679f7505c8a4a4910e6d4700/dom/bindings/CSSStyleSheetBinding.cpp:|210|0x2a
0|16|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|3144|0x9
0|17|libxul.so|CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|442|0x6
0|18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|534|0xf
0|19|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|589|0xd
0|20|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|593|0xf
0|21|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|422|0xb
0|22|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|562|0xf
0|23|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|589|0xd
0|24|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|605|0x5
0|25|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|2623|0x1c
0|26|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:b504f583ed3111ab416617cd63caa012e7478d0516eb5d3bc3cd43cef007715c1a91854c0528b0ec8e85f6341ccebf73a1b2c32556687ebaf4023e3c38ff4197/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|27|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|28|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1039|0x1e
0|29|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1239|0x19
0|30|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:ab709310d23f9b7b17ba50731c63666aaf67945b|356|0x6
0|31|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|553|0x12
0|32|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1049|0x1a
0|33|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports
, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1149|0x19
0|34|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1025|0x5
0|35|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|4054|0x30
0|36|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|4025|0x19
0|37|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|4698|0x5
0|38|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:ab709310d23f9b7b17ba50731c63666aaf67945b|1122|0x13
0|39|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|295|0x15
0|40|libxul.so|nsThread::ProcessNextEvent(bool, bool
)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1179|0x15
0|41|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|482|0x11
0|42|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|88|0xa
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|315|0x17
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|308|0x8
0|45|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|137|0xd
0|46|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|933|0x11
0|47|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|238|0x5
0|48|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|315|0x17
0|49|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|308|0x8
0|50|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|771|0xc
0|51|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|56|0x14
0|52|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|265|0x11
0|53|libc-2.27.so||||0x21b97
0|54|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:ab709310d23f9b7b17ba50731c63666aaf67945b|184|0x5

Flags: in-testsuite?

Huh, I'm surprised nobody found this way earlier.

Flags: needinfo?(emilio)

:emilio, same. This is the result of some recent fuzzer changes. Likely also related to bug 1533783.

This is actually exactly the same issue.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE
Duplicate of bug: 1533783
You need to log in before you can comment on or make changes to this bug.