Closed Bug 1702670 Opened 3 years ago Closed 3 years ago

Hit MOZ_CRASH(Resolving style on <input id="a" ...> (0x55ca50081e60) without current styles: ElementData { ... }) at servo/ports/geckolib/glue.rs:5481

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(4 files)

Attached file testcase.html

Found while fuzzing m-c 20210330-eed530931ca0 (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(Resolving style on <input id="a" inputmode="latin" maxlength="0" checked="" width="1"> (0x55ca50081e60) without current styles: ElementData { styles: ElementStyles { primary: Some(Some(0x55ca503ee630)), pseudos: EagerPseudoStyles(None) }, damage: GeckoRestyleDamage(nsChangeHint(0)), hint: (empty), flags: (empty) }) at servo/ports/geckolib/glue.rs:5481

#0 0x7f6ab200b155 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:246:3
#1 0x7f6ab200b155 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f6ab200b104 in mozglue_static::panic_hook::h52aa0e5c41eb49de src/mozglue/static/rust/lib.rs:89:9
#3 0x7f6ab200aadb in core::ops::function::Fn::call::h45fce903fef90bf4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f6ab302d2a5 in std::panicking::rust_panic_with_hook::hb27ea14285131c61 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:595:17
#5 0x7f6ab302cdc6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hc552fcee62aad17f /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:497:13
#6 0x7f6ab30291eb in std::sys_common::backtrace::__rust_end_short_backtrace::hb9f0aa9a78e885a0 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f6ab302cd28 in rust_begin_unwind /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:493:5
#8 0x7f6ab302ccda in std::panicking::begin_panic_fmt::h1b56a0ef7fd4e8be /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:435:5
#9 0x7f6ab297f6fb in Servo_ResolveStyle src/servo/ports/geckolib/glue.rs:5481:5
#10 0x7f6aae468b4a in ResolveServoStyle /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleSetInlines.h:22:10
#11 0x7f6aae468b4a in nsCSSFrameConstructor::ResolveComputedStyle(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:4538:12
#12 0x7f6aae4728fa in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) src/layout/base/nsCSSFrameConstructor.cpp:5063:41
#13 0x7f6aae47317c in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) src/layout/base/nsCSSFrameConstructor.cpp:10966:5
#14 0x7f6aae463ab2 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5397:5
#15 0x7f6aae4657b7 in DoAddFrameConstructionItems src/layout/base/nsCSSFrameConstructor.cpp:5050:3
#16 0x7f6aae4657b7 in AddFrameConstructionItems src/layout/base/nsCSSFrameConstructor.cpp:5064:3
#17 0x7f6aae4657b7 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9506:9
#18 0x7f6aae4694fe in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10404:3
#19 0x7f6aae46f873 in ConstructNonScrollableBlockWithConstructor src/layout/base/nsCSSFrameConstructor.cpp:4508:3
#20 0x7f6aae46f873 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:4479:10
#21 0x7f6aae46e605 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:3568:16
#22 0x7f6aae47348d in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:5557:3
#23 0x7f6aae464bbf in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:9359:5
#24 0x7f6aae465a1b in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9524:3
#25 0x7f6aae4694fe in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10404:3
#26 0x7f6aae467c1f in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) src/layout/base/nsCSSFrameConstructor.cpp:2354:5
#27 0x7f6aae476b17 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6849:9
#28 0x7f6aae41ecd1 in mozilla::PresShell::ReconstructFrames() src/layout/base/PresShell.cpp:4508:22
#29 0x7f6aae89f331 in nsPrintJob::ReconstructAndReflow(bool) src/layout/printing/nsPrintJob.cpp:1174:16
#30 0x7f6aae89e03c in nsPrintJob::SetupToPrintContent() src/layout/printing/nsPrintJob.cpp:1259:19
#31 0x7f6aae8a1b43 in DocumentReadyForPrinting src/layout/printing/nsPrintJob.cpp:1032:17
#32 0x7f6aae8a1b43 in nsPrintJob::FinishPrintPreview() src/layout/printing/nsPrintJob.cpp:2592:8
#33 0x7f6aae8a16a3 in nsPrintJob::MaybeResumePrintAfterResourcesLoaded(bool) src/layout/printing/nsPrintJob.cpp:1539:10
#34 0x7f6aae8a1eb6 in OnStateChange src/layout/printing/nsPrintJob.cpp:1560:5
#35 0x7f6aae8a1eb6 in non-virtual thunk to nsPrintJob::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/layout/printing/nsPrintJob.cpp
#36 0x7f6aaaca7b1c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1332:3
#37 0x7f6aaaca6a1a in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) src/uriloader/base/nsDocLoader.cpp:1295:14
#38 0x7f6aaaca6c00 in nsDocLoader::doStopURLLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:899:3
#39 0x7f6aaaca645e in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:622:3
#40 0x7f6aaaca6cec in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#41 0x7f6aa9bb5d76 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:616:22
#42 0x7f6aa9bb7283 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:523:10
#43 0x7f6aab424ee8 in imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:371:15
#44 0x7f6aab42aeb8 in imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1004:7
#45 0x7f6aab3fd4ba in operator() src/image/ProgressTracker.cpp:351:13
#46 0x7f6aab3fd4ba in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) src/image/ProgressTracker.cpp:281:9
#47 0x7f6aab3fbc40 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:350:5
#48 0x7f6aab3bc2c6 in operator() src/image/ProgressTracker.cpp:369:5
#49 0x7f6aab3bc2c6 in Read<(lambda at src/image/ProgressTracker.cpp:368:19)> src/image/CopyOnWrite.h:155:12
#50 0x7f6aab3bc2c6 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:368:14
#51 0x7f6aab3c4d72 in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::UnorientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1683:28
#52 0x7f6aab3cc30d in mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) src/image/RasterImage.cpp:977:3
#53 0x7f6aab3cbfa7 in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsISupports*, nsresult, bool) src/image/RasterImage.cpp:959:3
#54 0x7f6aab41fc01 in imgRequest::OnStopRequest(nsIRequest*, nsresult) src/image/imgRequest.cpp:785:16
#55 0x7f6aa9fff76f in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult, nsISupports*) src/netwerk/protocol/http/HttpChannelChild.cpp:1055:15
#56 0x7f6aa9fff011 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) src/netwerk/protocol/http/HttpChannelChild.cpp:933:5
#57 0x7f6aaa05fc7d in operator() src/netwerk/protocol/http/HttpChannelChild.cpp:818:15
#58 0x7f6aaa05fc7d in std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool)::$_9>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
#59 0x7f6aaa1cfe4b in mozilla::net::ChannelEventQueue::FlushQueue() src/netwerk/ipc/ChannelEventQueue.cpp:90:12
#60 0x7f6aaa2075cc in MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:330:5
#61 0x7f6aaa2075cc in CompleteResume /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:309:5
#62 0x7f6aaa2075cc in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() src/netwerk/ipc/ChannelEventQueue.cpp:148:17
#63 0x7f6aa9a09302 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#64 0x7f6aa9a0f7df in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
#65 0x7f6aa9a0dd60 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
#66 0x7f6aa9a0ccc4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
#67 0x7f6aa9a0ce77 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
#68 0x7f6aa9a13376 in operator() src/xpcom/threads/TaskController.cpp:133:37
#69 0x7f6aa9a13376 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#70 0x7f6aa9a2481d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1155:16
#71 0x7f6aa9a2adda in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#72 0x7f6aaa35fd36 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#73 0x7f6aaa2ca3c3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#74 0x7f6aaa2ca2dd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#75 0x7f6aaa2ca2dd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#76 0x7f6aae12af88 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#77 0x7f6aaf99dfb3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#78 0x7f6aaa360c1c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#79 0x7f6aaa2ca3c3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#80 0x7f6aaa2ca2dd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#81 0x7f6aaa2ca2dd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#82 0x7f6aaf99db83 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#83 0x5581aa697fb6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#84 0x5581aa697fb6 in main src/browser/app/nsBrowserApp.cpp:309:18
#85 0x7f6abfa910b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#86 0x5581aa675d5c in _start (/home/worker/builds/m-c-20210330215136-fuzzing-debug/firefox-bin+0x14d5c)
Flags: in-testsuite?
Flags: needinfo?(emilio)

A Pernosco session is available here: https://pernos.co/debug/yZaRNoQhPlNutbG0b_pU1Q/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210401155139-75221f284379.
The bug appears to have been introduced in the following build range:

Start: 768e04aaea528ec9a0af31c49708cf73ad505a2a (20210324040732)
End: d69774c978c67130b12313703d125ffd80f65483 (20210324041713)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=768e04aaea528ec9a0af31c49708cf73ad505a2a&tochange=d69774c978c67130b12313703d125ffd80f65483

Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1220696
Has Regression Range: --- → yes
Attached file Relevant stack.

Seems like an element becomes invalid as a result of UnbindFromFrame, which is not something that should happen, and hints at a missing invalidation earlier.

Masayuki, it seems this was introduced in bug 1220696, mind taking a look?

Flags: needinfo?(emilio) → needinfo?(masayuki)

Set release status flags based on info from the regressing bug 1220696

Previously, Document::ExecCommand just did nothing in this case because there was no HTMLEditor. Perhaps, if an element with a contenteditable attribute is appended to the testcase, it may occur even before bug 1220696. On the other hand, I still don't understand what occurs in the testcase. Without <input> having focus, Document::ExecCommand keeps doing nothing. What gives focus to <input>? And what can cause the MOZ_CRASH from the editor side? It does not look like an editor bug.

Flags: needinfo?(masayuki)

Ok, I'll take a closer look when available but I'm moderately sure that it's a bug in either editor or the HTMLInputElement code :-)

Flags: needinfo?(twsmith)
Flags: needinfo?(twsmith) → needinfo?(emilio)
Attachment #9214354 - Attachment mime type: text/plain → text/html
Flags: needinfo?(emilio)

This and "value changed" affect the "too long" and "too short" validity states.

The validity state tracking code is quite messy...

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Attachment #9214372 - Attachment description: Bug 1702670 - Fix state management for "last value change was interactive" in HTMLInputElement. r=smaug → Bug 1702670 - Fix state management for "last value change was interactive" for inputs / textareas. r=smaug
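The comment above notes that the "last value change was interactive" flag and the "value changed" (dirty value) flag both feed the "too long" / "too short" validity states, and the earlier comment points at a missing invalidation as the root cause. The following is an added example, not code from this bug, from Firefox, or from the WPT change: a small JavaScript model of those two flags, the HTML constraint-validation rule that tooLong/tooShort only apply to a dirty value last changed by a user edit, and a cached :valid/:invalid state that goes stale whenever a flag flips without a state update. All names (InputModel, updateState, setValueByUser, isStale) are hypothetical; the reset path is shown with and without the update so the stale-cache failure mode is visible.

```javascript
// Added example (hypothetical model, not Gecko code): how the dirty-value and
// "last change was interactive" flags gate tooLong/tooShort, and why any
// change to those flags must be followed by a state update.
class InputModel {
  constructor({ maxLength = -1, minLength = -1 } = {}) {
    this.maxLength = maxLength;   // -1 means "no maxlength attribute"
    this.minLength = minLength;   // -1 means "no minlength attribute"
    this.value = "";
    this.valueChanged = false;                  // the spec's dirty value flag
    this.lastValueChangeWasInteractive = false; // user edit vs. script change
    this.cachedState = this.computeState();     // what style resolution reads
  }

  // HTML constraint validation: tooLong/tooShort only apply when the value is
  // dirty AND was last changed by a user edit, not by script.
  computeValidity() {
    const userDirty = this.valueChanged && this.lastValueChangeWasInteractive;
    const len = this.value.length;
    return {
      tooLong: userDirty && this.maxLength >= 0 && len > this.maxLength,
      tooShort: userDirty && this.minLength >= 0 && len > 0 && len < this.minLength,
    };
  }

  // The derived state that :valid / :invalid matching would use.
  computeState() {
    const v = this.computeValidity();
    return v.tooLong || v.tooShort ? "invalid" : "valid";
  }

  // Must run after every mutation of a flag that feeds computeState();
  // skipping it is the class of bug in this report (stale cached state).
  updateState() {
    this.cachedState = this.computeState();
  }

  setValueByScript(v) {
    this.value = v;
    this.valueChanged = true;
    this.lastValueChangeWasInteractive = false;
    this.updateState();
  }

  setValueByUser(v) {
    this.value = v;
    this.valueChanged = true;
    this.lastValueChangeWasInteractive = true;
    this.updateState();
  }

  // Form reset clears the dirty flag. forgetUpdateState simulates a code path
  // that changes the flags but forgets the invalidation.
  reset({ forgetUpdateState = false } = {}) {
    this.value = "";
    this.valueChanged = false;
    this.lastValueChangeWasInteractive = false;
    if (!forgetUpdateState) this.updateState();
  }

  // True when the cached state no longer matches what the flags imply.
  isStale() {
    return this.cachedState !== this.computeState();
  }
}

// Walks the scenario and returns the observations as plain booleans.
function runScenario() {
  const input = new InputModel({ maxLength: 2 });
  input.setValueByScript("abcd");
  const scriptTooLong = input.computeValidity().tooLong; // false: not a user edit
  input.setValueByUser("abcd");
  const userTooLong = input.computeValidity().tooLong;   // true
  const stateAfterUserEdit = input.cachedState;          // "invalid"
  input.reset({ forgetUpdateState: true });
  const staleAfterBadReset = input.isStale();            // true: flags changed, no update
  input.updateState();
  const staleAfterUpdate = input.isStale();              // false
  return { scriptTooLong, userTooLong, stateAfterUserEdit, staleAfterBadReset, staleAfterUpdate };
}

console.log(runScenario());
```

The point of `isStale()` is the diagnostic a reviewer would want for this bug class: any code path that flips `valueChanged` or `lastValueChangeWasInteractive` (including teardown paths such as unbinding, not only user input) has to be followed by the same state update, which is what the second autoland push makes unconditional.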
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa3365ae22d9
Fix state management for "last value change was interactive" for inputs / textareas. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/28417 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/c3bae8c44f84
Fix some orange by keeping the UpdateState() call from SetValueChanged unconditionally.
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210409092020-7bc2dd06085f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon