Closed
Bug 1655814
Opened 3 years ago
Closed 2 years ago
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Transition effect has unexpected shape), at /builds/worker/checkouts/gecko/dom/animation/CSSTransition.cpp:333
Categories
(Core :: DOM: Animation, defect)
Core
DOM: Animation
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox81 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
520 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev eba7e3ce9382 (built with --enable-debug).
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Transition effect has unexpected shape), at /builds/worker/checkouts/gecko/dom/animation/CSSTransition.cpp:333
==32715==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8baf7d224f bp 0x7fffc34e8880 sp 0x7fffc34e8870 T32715)
==32715==The signal is caused by a WRITE memory access.
==32715==Hint: address points to the zero page.
#0 0x7f8baf7d224e in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f8baf7d224e in mozilla::dom::CSSTransition::SetEffectFromStyle(mozilla::dom::AnimationEffect*) /builds/worker/checkouts/gecko/dom/animation/CSSTransition.cpp:333:5
#2 0x7f8bb257b799 in nsTransitionManager::ConsiderInitiatingTransition(nsCSSPropertyID, nsStyleDisplay const&, unsigned int, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&, nsCSSPropertyIDSet&) /builds/worker/checkouts/gecko/layout/style/nsTransitionManager.cpp:465:14
#3 0x7f8bb257a458 in nsTransitionManager::DoUpdateTransitions(nsStyleDisplay const&, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /builds/worker/checkouts/gecko/layout/style/nsTransitionManager.cpp:109:23
#4 0x7f8bb257a21a in nsTransitionManager::UpdateTransitions(mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /builds/worker/checkouts/gecko/layout/style/nsTransitionManager.cpp:66:10
#5 0x7f8bb250a0e3 in Gecko_UpdateAnimations /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:557:39
#6 0x7f8bb69998de in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::hc4a2a7c5646019ed /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1525:12
#7 0x7f8bb64fc391 in style::context::SequentialTask$LT$E$GT$::execute::h3ead55993245767f /builds/worker/checkouts/gecko/servo/components/style/context.rs:499:16
#8 0x7f8bb64fc391 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h1e97044cb59a7918 /builds/worker/checkouts/gecko/servo/components/style/context.rs:627:12
#9 0x7f8bb64fc391 in core::ptr::drop_in_place::hdec7a0ae80c9a005 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ptr/mod.rs:177
#10 0x7f8bb64fc391 in core::ptr::drop_in_place::h80ad286a7268e5f4 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ptr/mod.rs:177
#11 0x7f8bb66c623e in style::driver::traverse_dom::h3fed35a49d465215 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:193
#12 0x7f8bb66c623e in geckoservo::glue::traverse_subtree::h1bdb4fe07f2c7405 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:259:4
#13 0x7f8bb66c72c0 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:319:4
#14 0x7f8bb2538e70 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:732:9
#15 0x7f8bb25e3dc8 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2986:20
#16 0x7f8bb25be3a5 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3116:3
#17 0x7f8bb25be3a5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4190:39
#18 0x7f8baf97624b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1421:5
#19 0x7f8baf97624b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10091:16
#20 0x7f8baefadb1d in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:702:14
#21 0x7f8baefaebe8 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#22 0x7f8baefaf43c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#23 0x7f8badbbf306 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
#24 0x7f8badbc0803 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
#25 0x7f8baf978c1f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10789:18
#26 0x7f8baf9581a0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10719:9
#27 0x7f8bb2523ea5 in UnblockOnload /builds/worker/checkouts/gecko/layout/style/Loader.cpp:2244:16
#28 0x7f8bb2523ea5 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:450:12
#29 0x7f8bb252404c in AfterProcessNextEvent /builds/worker/checkouts/gecko/layout/style/Loader.cpp:423:3
#30 0x7f8bb252404c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/layout/style/Loader.cpp
#31 0x7f8bada47bc8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1258:3
#32 0x7f8bada4d41a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#33 0x7f8bae35956f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#34 0x7f8bae2ca823 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#35 0x7f8bae2ca73d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#36 0x7f8bae2ca73d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#37 0x7f8bb230f6a8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#38 0x7f8bb3b21f33 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#39 0x7f8bae35a337 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#40 0x7f8bae2ca823 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#41 0x7f8bae2ca73d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#42 0x7f8bae2ca73d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#43 0x7f8bb3b21a27 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#44 0x55b627e5ffb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#45 0x55b627e5ffb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#46 0x7f8bc90bdb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
UndefinedBehaviorSanitizer can not provide additional info.
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
This is probably worth looking into. It's unexpected and hopefully easy to fix.
|
Reporter | |
Updated•3 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
The bug appears to have been introduced in the following build range:
> Start: 6dfc866efa7af78eaa72d42b806dc118ccf8c8ce (20200722043241)
> End: 870a3fac5d60675752e827ecd2cd131b9a899c9b (20200722004513)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=6dfc866efa7af78eaa72d42b806dc118ccf8c8ce&tochange=870a3fac5d60675752e827ecd2cd131b9a899c9b|
|
||
Comment 3•3 years ago
|
||
The regression range given here appears to be empty.
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 4•3 years ago
|
||
When I tried to bisect locally, I got a different bisection range:
Start: 1854ba884fc687f2dff6ea1b9356035524ff4b43 (20200722080338)
End: 1b33cf4206f6a303ac860c1a94068f6bb35b2321 (20200722082135)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1854ba884fc687f2dff6ea1b9356035524ff4b43&tochange=1b33cf4206f6a303ac860c1a94068f6bb35b2321
I'm assuming that one of the builds failed in automation.
Flags: needinfo?(jkratzer)
|
||
Comment 5•2 years ago
|
||
The attached testcase no longer reproduces the issue. The fuzzers last reported this issue while fuzzing m-c 20210224-27f574662450.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 6•2 years ago
|
||
Bugmon Analysis
No valid actions for resolution (WORKSFORME)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•