Closed Bug 1575926 Opened 5 years ago Closed 5 years ago

Assertion failure: mIsSome, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:488

Categories

(Core :: DOM: Animation, defect, P3)

Product:
Core
Component:
DOM: Animation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

testcase.html
784 bytes, text/html
Details
Bug 1575926 - Check that we have a target in CalculateCumulativeChangeHint. r=hiro,birtles,boris
47 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev 9229fd85bc05. I'm currently reducing the testcase and attach it shortly.

==129633==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f30b943f67c bp 0x7ffd346c6bf0 sp 0x7ffd346c6a60 T0)
==129633==The signal is caused by a WRITE memory access.
==129633==Hint: address points to the zero page.
    #0 0x7f30b943f67b in operator-> /src/obj-firefox/dist/include/mozilla/Maybe.h:488:3
    #1 0x7f30b943f67b in mozilla::dom::KeyframeEffect::CalculateCumulativeChangeHint(mozilla::ComputedStyle const*) /src/dom/animation/KeyframeEffect.cpp:1609
    #2 0x7f30b9428fe8 in mozilla::dom::KeyframeEffect::UpdateProperties(mozilla::ComputedStyle const*) /src/dom/animation/KeyframeEffect.cpp:419:3
    #3 0x7f30bef5ae0e in SetKeyframes /src/layout/style/nsAnimationManager.cpp:332:13
    #4 0x7f30bef5ae0e in UpdateOldAnimationPropertiesWithNew /src/layout/style/nsAnimationManager.cpp:392
    #5 0x7f30bef5ae0e in BuildAnimation /src/layout/style/nsAnimationManager.cpp:465
    #6 0x7f30bef5ae0e in BuildAnimations /src/layout/style/nsAnimationManager.cpp:518
    #7 0x7f30bef5ae0e in nsAnimationManager::DoUpdateAnimations(mozilla::NonOwningAnimationTarget const&, nsStyleDisplay const&, ServoCSSAnimationBuilder&) /src/layout/style/nsAnimationManager.cpp:580
    #8 0x7f30bef58ef4 in nsAnimationManager::UpdateAnimations(mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::ComputedStyle const*) /src/layout/style/nsAnimationManager.cpp:556:3
    #9 0x7f30beedcde2 in Gecko_UpdateAnimations /src/layout/style/GeckoBindings.cpp:541:38
    #10 0x7f30c52675b1 in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::hf9a9104bc5708cce /src/servo/components/style/gecko/wrapper.rs:1597:12
    #11 0x7f30c52675b1 in style::context::SequentialTask$LT$E$GT$::execute::hb7a1dda0f494eed4 /src/servo/components/style/context.rs:516
    #12 0x7f30c52675b1 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h88d5c52d1476ae6b /src/servo/components/style/context.rs:644
    #13 0x7f30c52675b1 in core::ptr::real_drop_in_place::h19f7a45e03b7a10b /rustc/61d1607e0f6a18bb4897d6f9b10abeac9e11eb8e/src/libcore/ptr/mod.rs:197
    #14 0x7f30c52675b1 in core::ptr::real_drop_in_place::h8543d21cdcb6b17a /rustc/61d1607e0f6a18bb4897d6f9b10abeac9e11eb8e/src/libcore/ptr/mod.rs:197
    #15 0x7f30c52606b9 in style::driver::traverse_dom::h3a347f4e8c6c2406 /src/servo/components/style/driver.rs:189
    #16 0x7f30c52606b9 in geckoservo::glue::traverse_subtree::h60f56c4ad0212bc9 /src/servo/ports/geckolib/glue.rs:262
    #17 0x7f30c525edd9 in Servo_TraverseSubtree /src/servo/ports/geckolib/glue.rs:322:4
    #18 0x7f30bef3b7c8 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /src/layout/style/ServoStyleSet.cpp:730:9
    #19 0x7f30bf0d9cf8 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/RestyleManager.cpp:3058:20
    #20 0x7f30bf087a89 in ProcessPendingRestyles /src/layout/base/RestyleManager.cpp:3191:3
    #21 0x7f30bf087a89 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4119
    #22 0x7f30b9810b69 in FlushPendingNotifications /src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
    #23 0x7f30b9810b69 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /src/dom/base/Document.cpp:9966
    #24 0x7f30b8124350 in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:675:14
    #25 0x7f30b8127596 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:614:5
    #26 0x7f30b81286fc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp
    #27 0x7f30b5a1edf0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:568:22
    #28 0x7f30b97c0e88 in DoUnblockOnload /src/dom/base/Document.cpp:10655:18
    #29 0x7f30b97c0e88 in mozilla::dom::Document::UnblockOnload(bool) /src/dom/base/Document.cpp:10587
    #30 0x7f30b97ec614 in mozilla::dom::Document::DispatchContentLoadedEvents() /src/dom/base/Document.cpp:7151:3
    #31 0x7f30b98d1b74 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #32 0x7f30b98d1b74 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #33 0x7f30b98d1b74 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #34 0x7f30b576a830 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1225:14
    #35 0x7f30b5770c48 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #36 0x7f30b696614f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #37 0x7f30b6861752 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7f30b6861752 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7f30b6861752 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7f30bea8df99 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #41 0x7f30c26d9740 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #42 0x7f30c2982113 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4631:22
    #43 0x7f30c2984223 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4766:8
    #44 0x7f30c2985ace in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:21
    #45 0x555b35323b74 in do_main /src/browser/app/nsBrowserApp.cpp:213:22
    #46 0x555b35323b74 in main /src/browser/app/nsBrowserApp.cpp:295
    #47 0x7f30d6fe3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #48 0x555b3524544c in _start (/home/worker/builds/m-c-20190816013708-fuzzing-asan-opt/firefox+0x4544c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/obj-firefox/dist/include/mozilla/Maybe.h:488:3 in operator->
==129633==ABORTING
Flags: in-testsuite?

Bisection could not be performed because testcase triggers back further than a year.

CalculateCumulativeChangeHint. Probably worth looking into once there is a test case.

Priority: -- → P3
Attached file testcase.html

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

So it seems you can null out the effect's target of a CSS animation... Brian is that expected?

Flags: needinfo?(brian)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #5)

So it seems you can null out the effect's target of a CSS animation... Brian is that expected?

If I recall correctly, the answer is yes. We initialize the target to the object of a CSS animation, and the user can use Web animation API to make it null. The effect's target of all kind of animations (e.g. CSS animation, CSS transition, and script animation) could be null by Web animation API.

i.e. Web animation APIs could be used on CSS animations and transitions, too.

(In reply to Boris Chiou [:boris] from comment #6)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #5)

So it seems you can null out the effect's target of a CSS animation... Brian is that expected?

If I recall correctly, the answer is yes. We initialize the target to the object of a CSS animation, and the user can use Web animation API to make it null. The effect's target of all kind of animations (e.g. CSS animation, CSS transition, and script animation) could be null by Web animation API.

Yes, that's correct.

Flags: needinfo?(brian)

I guess this is a regression from bug 1452080 then.

Regressed by: 1452080
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Seems we'll update the change hint properly via SetTarget if we get a new
target.

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5885e492eaaf
Check that we have a target in CalculateCumulativeChangeHint. r=hiro

https://hg.mozilla.org/mozilla-central/rev/5885e492eaaf

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
status-firefox68: --- → wontfix
status-firefox69: --- → wontfix
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: