Open Bug 1573847 Opened 8 months ago Updated 7 months ago

Assertion failure: IsResolved() (Resolve() must be called first), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:189

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking Status
firefox70 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file, 3 obsolete files)

Testcase found while fuzzing mozilla-central rev a6ba020c9f7c.

Assertion failure: IsResolved() (Resolve() must be called first), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:189

rax = 0x0000558a72cd71a0   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007f8448c89f4e
rsi = 0x00007f84545f48b0   rdi = 0x00007f84545f3680
rbp = 0x00007ffd7cb51b90   rsp = 0x00007ffd7cb51a40
r8 = 0x00007f84545f48b0    r9 = 0x00007f845575e780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f841fe4d730   r13 = 0x00007f841fecb788
r14 = 0x00007f841fe0d0c0   r15 = 0x00007f84219f5400
rip = 0x00007f8444ac6147
OS|Linux|0.0.0 Linux 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::EventStateManager::UpdateCursor(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|3887|0x10d
0|1|libxul.so|mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|631|0x1a
0|2|libxul.so|mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|7810|0x24
0|3|libxul.so|mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|7778|0x19
0|4|libxul.so|mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|6738|0x17
0|5|libxul.so|mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|6542|0x15
0|6|libxul.so|mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|6468|0x5
0|7|libxul.so|nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|751|0x19
0|8|libxul.so|mozilla::PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|3672|0x21
0|9|libxul.so|mozilla::PresShell::ProcessSynthMouseMoveEvent(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|5472|0x13
0|10|libxul.so|mozilla::PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|1943|0x19
0|11|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|1937|0xd
0|12|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|349|0xb
0|13|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|366|0xf
0|14|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|734|0xf
0|15|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|532|0x15
0|16|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|1225|0x15
0|17|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|486|0x11
0|18|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|88|0xa
0|19|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|315|0x17
0|20|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|290|0x8
0|21|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|137|0xd
0|22|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|276|0xe
0|23|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|4631|0x11
0|24|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|4766|0x8
0|25|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|4847|0x5
0|26|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|213|0x22
0|27|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|295|0xf
0|28|libc-2.27.so||||0x21b97
0|29|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:a6ba020c9f7cd1abecd8eb2287020468ec1da6e8|184|0x5
Flags: in-testsuite?
Attached file testcase.html (obsolete)

All three files (testcase.html, fuzzer.js, and objects.js) must be stored within the same directory and served via a local webserver in order to reproduce this issue.

Attached file objects.js (obsolete)
Attached file fuzzer.js (obsolete)

The priority flag is not set for this bug.
:emilio, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Attached file Reduced test-case.

(Hover over the text and crash)

The issue is that we don't usually resolve images for text, as they always inherit the image from their parent. The issue is that in this case the parent is display: contents, so we don't resolve it either.

Attachment #9085463 - Attachment is obsolete: true
Attachment #9085466 - Attachment is obsolete: true
Attachment #9085468 - Attachment is obsolete: true

This case is pretty unlikely to be hit, though we should fix it...

It's (kinda, see the comment) a matter of removing the isNonText check here: https://searchfox.org/mozilla-central/rev/8ea946dcf51f0d6400362cc1d49c8d4808eeacf1/layout/generic/nsFrame.cpp#1173

Flags: needinfo?(emilio)
Priority: -- → P3
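
An added illustration, not Gecko code and not part of the bug thread: a minimal C++ model of the invariant described in the comments above, where text frames skip image resolution, a display: contents parent has no frame to do it for them, and the hover-time lookup then trips the resolution check. All type and function names are hypothetical; treating the unresolved image as a cursor image is an assumption drawn from UpdateCursor at the top of the stack, and `skipText` stands in for the isNonText check mentioned above.

```cpp
// Simplified model of the bug; NOT Gecko code. All names are hypothetical.
#include <memory>
#include <stdexcept>
#include <string>

// An image reference held in computed style; it must be resolved before use.
struct ImageRequest {
  std::string url;
  bool resolved = false;
  void Resolve() { resolved = true; }
  const std::string& Get() const {
    // Stand-in for the IsResolved() assertion from the report.
    if (!resolved) throw std::logic_error("Resolve() must be called first");
    return url;
  }
};

// The cursor image is inherited, so parent and child share one request.
struct Style { std::shared_ptr<ImageRequest> cursorImage; };
struct Frame { Style style; bool isText = false; };

// Frame initialisation. With skipText set, text frames rely on the parent's
// frame having resolved the shared image already.
void InitFrame(Frame& f, bool skipText) {
  if (f.style.cursorImage && (!skipText || !f.isText))
    f.style.cursorImage->Resolve();
}

// Hover a text node whose parent element sets a cursor image. Returns true if
// the cursor lookup succeeds, false if the resolution check fires.
bool HoverText(bool parentIsDisplayContents, bool skipText) {
  Style parentStyle;
  parentStyle.cursorImage = std::make_shared<ImageRequest>();
  parentStyle.cursorImage->url = "cursor.png";  // constructed sample value
  if (!parentIsDisplayContents) {
    // A normal parent gets a frame, which resolves the image on init.
    Frame parent;
    parent.style = parentStyle;
    InitFrame(parent, skipText);
  }  // display: contents generates no box, so no parent frame is initialised.
  Frame text;
  text.style = parentStyle;  // inherited
  text.isText = true;
  InitFrame(text, skipText);
  try {
    text.style.cursorImage->Get();  // what the hover cursor update needs
    return true;
  } catch (const std::logic_error&) {
    return false;
  }
}
```

In this model, `HoverText(true, true)` is the failing combination; dropping the text-frame skip (`skipText == false`) resolves the image on the text frame itself, whatever the parent is.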