Closed
Bug 1569648
Opened 5 years ago
Closed 5 years ago
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: an StyleFilter of type URL should have a non-null URL), at /builds/worker/workspace/build/src/layout/svg/nsSVGFilterInstance.cpp:142
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla70
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | wontfix |
| firefox70 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 50df4b75c9b6.
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: an StyleFilter of type URL should have a non-null URL), at /builds/worker/workspace/build/src/layout/svg/nsSVGFilterInstance.cpp:142
rax = 0x00005557ce386180 rdx = 0x0000000000000000
rcx = 0x00007f1e117fb53b rbx = 0x00007ffe9a1ee318
rsi = 0x00007f1e1cf4f8b0 rdi = 0x00007f1e1cf4e680
rbp = 0x00007ffe9a1ee2c0 rsp = 0x00007ffe9a1ee250
r8 = 0x00007f1e1cf4f8b0 r9 = 0x00007f1e1e0b9780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffe9a1ee250 r13 = 0x00007ffe9a1ee258
r14 = 0x00007f1e02ebea00 r15 = 0x00007ffe9a1ee678
rip = 0x00007f1e0ded367b
OS|Linux|0.0.0 Linux 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsSVGFilterInstance::GetFilterFrame(nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsSVGFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|141|0x29
0|1|libxul.so|nsSVGFilterInstance::nsSVGFilterInstance(mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const&, nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, double> const&)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsSVGFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|43|0x5
0|2|libxul.so|nsFilterInstance::BuildPrimitivesForFilter(mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const&, nsIFrame*, bool, nsTArray<mozilla::gfx::FilterPrimitiveDescription>&)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|590|0x2a
0|3|libxul.so|nsFilterInstance::BuildPrimitives(mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, nsIFrame*, bool)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|568|0xe
0|4|libxul.so|nsFilterInstance::nsFilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, bool, nsSVGFilterPaintCallback*, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|503|0x21
0|5|libxul.so|nsFilterInstance::GetFilterDescription(nsIContent*, mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, bool, mozilla::dom::UserSpaceMetrics const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&)|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|46|0x4c
0|6|libxul.so|mozilla::dom::CanvasRenderingContext2D::UpdateFilter()|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2416|0x30
0|7|libxul.so|mozilla::dom::CanvasRenderingContext2D::SetFilter(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2351|0x8
0|8|libxul.so|mozilla::dom::CanvasRenderingContext2D_Binding::set_filter|s3:gecko-generated-sources:0867d4b79b9687fb6f0be54e37d3b1a289a572bba9df5fd0e585a5904d8d50ad47bb4dcb5fd10cc5087e45a8588eb2fed7802aa362f4ac09860a0a6e0a38abca/dom/bindings/CanvasRenderingContext2DBinding.cpp:|4046|0x12
0|9|libxul.so|bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|3134|0x1d
0|10|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|448|0x16
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|540|0x12
0|12|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|595|0xd
0|13|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|611|0x5
0|14|libxul.so|js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|749|0x21
0|15|libxul.so|SetExistingProperty|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2932|0x1a
0|16|libxul.so|bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2961|0x2d
0|17|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2849|0x4b
0|18|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|425|0xb
0|19|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|568|0xf
0|20|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|595|0xd
0|21|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|611|0x5
0|22|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|2660|0x1c
0|23|libxul.so|mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:a7c2e5fbc8d754dda6a548b7b47f3620d4c9b10ea79911d63eee97dce3943509e5dac2b094e8f79cc317b469bbff7142455a8edf1bb906af40be582eb3c8ce34/dom/bindings/FunctionBinding.cpp:|41|0x5
0|24|libxul.so|void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:46fb03c1a8c0e11d34f5e031c89d1a474e669ef986de20768612085e4233f6871c6674b6fc7e076da097557e955e8fa4dd7337ed126d39cecea8d5c6e05d7972/dist/include/mozilla/dom/FunctionBinding.h:|73|0x23
0|25|libxul.so|mozilla::dom::CallbackTimeoutHandler::Call(char const*)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutHandler.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|182|0xe
0|26|libxul.so|nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|5930|0x14
0|27|libxul.so|mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutManager.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|971|0x13
0|28|libxul.so|mozilla::dom::TimeoutExecutor::MaybeExecute()|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|179|0x13
0|29|libxul.so|mozilla::dom::TimeoutExecutor::Notify(nsITimer*)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|246|0x5
0|30|libxul.so|nsTimerImpl::Fire(int)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsTimerImpl.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|564|0xe
0|31|libxul.so|nsTimerEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TimerThread.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|260|0x18
0|32|libxul.so|mozilla::ThrottledEventQueue::Inner::ExecuteRunnable()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|252|0x11
0|33|libxul.so|mozilla::ThrottledEventQueue::Inner::Executor::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|80|0xd
0|34|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|295|0x15
0|35|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|1224|0x15
0|36|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|486|0x11
0|37|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|110|0xd
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:50df4b75c9b6c7fec8c8c4685fd188634d193e75|315|0x17
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:50df4b75c9b6c7fec8c8c4685fd188634d193e75|290|0x8
0|40|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|137|0xd
0|41|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|919|0x11
0|42|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|238|0x5
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:50df4b75c9b6c7fec8c8c4685fd188634d193e75|315|0x17
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:50df4b75c9b6c7fec8c8c4685fd188634d193e75|290|0x8
0|45|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|754|0xc
0|46|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|56|0x14
0|47|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75|267|0x12
0|48|libc-2.27.so||||0x21b97
0|49|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:50df4b75c9b6c7fec8c8c4685fd188634d193e75|184|0x5
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:dholbert, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dholbert)
|
||
Comment 2•5 years ago
•
|
||
Looks like we handle this unexpected condition safely -- we return null, which is the same behavior as if the filter references a nonexistent element:
https://searchfox.org/mozilla-central/rev/c7e8bc4996f979e5876b33afae3de3b1ab4f3ae1/layout/svg/nsSVGFilterInstance.cpp#140-143
So, this is non-scary (--> P3) but it probably indicates that we're doing something wrong (unless the semantics of URL nullness changed at some point).
I'm guessing this may have been fallout from bug 1552878 and/or bug 1552708 which I think changed filter/URI parsing. (Or perhaps this was possible further back, and we only just stumbled on a testcase that triggers it.)
Component: SVG → CSS Parsing and Computation
Flags: needinfo?(dholbert)
Priority: -- → P3
|
|
||
Comment 3•5 years ago
|
||
(violet.bugreport, if you're looking for a bug to work on, this might be up your alley. :) No pressure though. Also, I'm guessing emilio and cbrewster may have the most recent experience working with our filter parsing code -- hence, CC'ing them.)
|
Assignee | |
Comment 4•5 years ago
|
||
Happy to put it on my queue, though please steal if you find the time.
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → emilio
|
|
Assignee | |
Comment 6•5 years ago
|
||
There's no guarantee at all that the filter URI is valid, it just so happens
that for regular CSS filters we bail out earlier.
A bogus base URI makes relative uris just invalid, which triggers this assert.
The assert was gracefully handled anyway, so no big deal.
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dee7db615c4e Remove a bogus assertion. r=dholbert
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
||
Updated•5 years ago
|
status-firefox68:
--- → unaffected
status-firefox69:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•