1655541 - Hit MOZ_CRASH(animate should only be used for interpolating or accumulating transforms) at servo/components/style/values/animated/transform.rs:394

Status: NEW

(Core :: DOM: Animation, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug).

Hit MOZ_CRASH(animate should only be used for interpolating or accumulating transforms) at servo/components/style/values/animated/transform.rs:394

==27286==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f09bbf6c6c5 bp 0x7f095ad1af30 sp 0x7f095ad1af20 T27374)
==27286==The signal is caused by a WRITE memory access.
==27286==Hint: address points to the zero page.
    #0 0x7f09bbf6c6c4 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f09bbf6c6c4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:331:3
    #2 0x7f09bbf6c6c4 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #3 0x7f09bbf6c674 in mozglue_static::panic_hook::h718309d1c883b225 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:8
    #4 0x7f09bbf6bf6b in core::ops::function::Fn::call::hff608039b849de82 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
    #5 0x7f09bd335d04 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
    #6 0x7f09bccaaf4e in std::panicking::begin_panic::hab324b481fea21bb /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:397:4
    #7 0x7f09bce177b1 in _$LT$style..values..animated..transform..Quaternion$u20$as$u20$style..values..animated..Animate$GT$::animate::h9208df1e10fa9e47 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:394:8
    #8 0x7f09bce1dc6a in style::values::animated::transform::_$LT$impl$u20$style..values..animated..Animate$u20$for$u20$style..values..generics..transform..GenericRotate$LT$f32$C$style..values..computed..angle..Angle$GT$$GT$::animate::h680b46dae05ae214 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:1301:25
    #9 0x7f09bd045a84 in _$LT$style..properties..animated_properties..AnimationValue$u20$as$u20$style..values..animated..Animate$GT$::animate::h208526a52e3eb34e /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-7dc4fd49ad11a7de/out/properties.rs:31316:32
    #10 0x7f09bcc3230f in geckoservo::glue::compose_animation_segment::hd375a973c894f5a0 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:570:10
    #11 0x7f09bcc32580 in Servo_ComposeAnimationSegment /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:598:17
    #12 0x7f09b57ae192 in mozilla::layers::AnimationHelper::SampleAnimationForEachNode(mozilla::TimeStamp, mozilla::TimeStamp, mozilla::layers::AnimatedValue const*, nsTArray<mozilla::layers::PropertyAnimationGroup>&, nsTArray<RefPtr<RawServoAnimationValue> >&) /builds/worker/checkouts/gecko/gfx/layers/AnimationHelper.cpp:184:9
    #13 0x7f09b57d7c8a in operator() /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:540:9
    #14 0x7f09b57d7c8a in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_26CompositorAnimationStorage16SampleAnimationsES4_PNS0_22CompositorBridgeParentENS_9TimeStampES8_E4$_10ZNS0_11ForEachNodeIS2_S4_S9_EENSt9enable_ifIXsr3stdE9is_same_vIDTclfp0_fp_EEvEEvE4typeET0_RKT1_EUlS4_E_EENSB_IXaasr3stdE9is_same_vISC_vEsr3stdE9is_same_vIDTclfp1_fp_EEvEEvE4typeESF_SI_RKT2_ /builds/worker/checkouts/gecko/gfx/layers/TreeTraversal.h:139:3
    #15 0x7f09b57d852a in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_26CompositorAnimationStorage16SampleAnimationsES4_PNS0_22CompositorBridgeParentENS_9TimeStampES8_E4$_10ZNS0_11ForEachNodeIS2_S4_S9_EENSt9enable_ifIXsr3stdE9is_same_vIDTclfp0_fp_EEvEEvE4typeET0_RKT1_EUlS4_E_EENSB_IXaasr3stdE9is_same_vISC_vEsr3stdE9is_same_vIDTclfp1_fp_EEvEEvE4typeESF_SI_RKT2_ /builds/worker/checkouts/gecko/gfx/layers/TreeTraversal.h:143:5
    #16 0x7f09b57d852a in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_26CompositorAnimationStorage16SampleAnimationsES4_PNS0_22CompositorBridgeParentENS_9TimeStampES8_E4$_10ZNS0_11ForEachNodeIS2_S4_S9_EENSt9enable_ifIXsr3stdE9is_same_vIDTclfp0_fp_EEvEEvE4typeET0_RKT1_EUlS4_E_EENSB_IXaasr3stdE9is_same_vISC_vEsr3stdE9is_same_vIDTclfp1_fp_EEvEEvE4typeESF_SI_RKT2_ /builds/worker/checkouts/gecko/gfx/layers/TreeTraversal.h:143:5
    #17 0x7f09b57d852a in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_26CompositorAnimationStorage16SampleAnimationsES4_PNS0_22CompositorBridgeParentENS_9TimeStampES8_E4$_10ZNS0_11ForEachNodeIS2_S4_S9_EENSt9enable_ifIXsr3stdE9is_same_vIDTclfp0_fp_EEvEEvE4typeET0_RKT1_EUlS4_E_EENSB_IXaasr3stdE9is_same_vISC_vEsr3stdE9is_same_vIDTclfp1_fp_EEvEEvE4typeESF_SI_RKT2_ /builds/worker/checkouts/gecko/gfx/layers/TreeTraversal.h:143:5
    #18 0x7f09b57cdf8e in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:528:39)> /builds/worker/checkouts/gecko/gfx/layers/TreeTraversal.h:166:3
    #19 0x7f09b57cdf8e in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::Layer*, mozilla::layers::CompositorBridgeParent*, mozilla::TimeStamp, mozilla::TimeStamp) /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:528:3
    #20 0x7f09b59eea2c in SampleAnimations /builds/worker/checkouts/gecko/gfx/layers/composite/AsyncCompositionManager.cpp:563:19
    #21 0x7f09b59eea2c in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::CompositorBridgeParentBase::TransformsToSkip) /builds/worker/checkouts/gecko/gfx/layers/composite/AsyncCompositionManager.cpp:1238:24
    #22 0x7f09b5a6c6b4 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorBridgeParent.cpp:1012:28
    #23 0x7f09b5a846c5 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorVsyncScheduler.cpp:268:27
    #24 0x7f09b5aaa408 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(const mozilla::VsyncEvent &), StoreCopyPassByConstLRef<mozilla::VsyncEvent> , 0> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #25 0x7f09b5aaa408 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(const mozilla::VsyncEvent &)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #26 0x7f09b5aaa408 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::VsyncEvent const&), true, (mozilla::RunnableKind)1, mozilla::VsyncEvent>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #27 0x7f09b3fb58f9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #28 0x7f09b3fbb41a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7f09b48c867c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
    #30 0x7f09b4838733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #31 0x7f09b483864d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #32 0x7f09b483864d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #33 0x7f09b3fb1c8a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:447:10
    #34 0x7f09d09ed53b in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #35 0x7f09d05f16da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #36 0x7f09cf5cfa3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

UndefinedBehaviorSanitizer can not provide additional info.

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 56082fc4acfacba40993e47ef8302993c59e264e (20200727033000)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 3

[Jason Kratzer [:jkratzer]]

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Comment 4

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1655541 using build mozilla-central 20220723091444-f69015bf0e0a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.