Closed Bug 1707720 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(attempt to add with overflow) at servo/components/style/values/computed/font.rs:838

Categories
(Core :: Layout: Text and Fonts, defect, P3)

Tracking
VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210424-89a07f1b7f85 (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(attempt to add with overflow) at servo/components/style/values/computed/font.rs:838

#0 0x7f845081a575 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f845081a575 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f845081a524 in mozglue_static::panic_hook::h478557d7509e77f5 src/mozglue/static/rust/lib.rs:89:9
#3 0x7f8450819efb in core::ops::function::Fn::call::h3d42afac2264c64f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f845183bef5 in std::panicking::rust_panic_with_hook::h71e6a073d87de1f5 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:595:17
#5 0x7f845183b9e6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hd549436f6bb6dbb8 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:495:13
#6 0x7f8451837bdb in std::sys_common::backtrace::__rust_end_short_backtrace::h4e5f4b72b04174c3 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f845183b978 in rust_begin_unwind /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:493:5
#8 0x7f84518a4af0 in core::panicking::panic_fmt::hcd56f7f635f62c74 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:92:14
#9 0x7f84518a4a3c in core::panicking::panic::h07405d6be4bce887 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:50:5
#10 0x7f845161e9d5 in style::values::computed::font::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..font..MathDepth$GT$::to_computed_value::hb635b480f4a9ce3d src/servo/components/style/values/computed/font.rs:838:17
#11 0x7f845161e9d5 in style::properties::longhands::math_depth::cascade_property::hb5d59dd3f63d558e /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-34948fbd3e9247eb/out/longhands/font.rs:2693:32
#12 0x7f8450ffef72 in style::properties::cascade::Cascade::apply_declaration::h8a2eb97ffe5ce087 src/servo/components/style/properties/cascade.rs:557:9
#13 0x7f8450ffef72 in style::properties::cascade::Cascade::apply_properties::h49e4f2311b5c209d src/servo/components/style/properties/cascade.rs:677:13
#14 0x7f8450ffe3c2 in style::properties::cascade::apply_declarations::ha32faffcf1d8e1f1 src/servo/components/style/properties/cascade.rs:329:9
#15 0x7f8450ffe3c2 in style::properties::cascade::cascade_rules::heef5c4d804db638a src/servo/components/style/properties/cascade.rs:214:5
#16 0x7f845106c684 in style::properties::cascade::cascade::h09fc6e5415cd743b src/servo/components/style/properties/cascade.rs:94:5
#17 0x7f845106c684 in style::stylist::Stylist::cascade_style_and_visited::h637cc5bae6d258bb src/servo/components/style/stylist.rs:1013:9
#18 0x7f8451027f71 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::hca20db2da55ed4be src/servo/components/style/style_resolver.rs:346:22
#19 0x7f845102735b in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::hd8552e5bc3c5d549 src/servo/components/style/style_resolver.rs:243:20
#20 0x7f8451026f7e in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h2b029254b431d04b src/servo/components/style/style_resolver.rs:259:29
#21 0x7f84510795e1 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::hba14c4e1e0ef359d src/servo/components/style/style_resolver.rs:294:13
#22 0x7f84510795e1 in style::style_resolver::with_default_parent_styles::h9e6d67c1d76ca656 src/servo/components/style/style_resolver.rs:115:5
#23 0x7f84510795e1 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::h7747315d7570e01f src/servo/components/style/style_resolver.rs:293:9
#24 0x7f84510795e1 in style::traversal::compute_style::h3cf3231344c17905 src/servo/components/style/traversal.rs:602:25
#25 0x7f8451050826 in style::traversal::recalc_style_at::h2b09ca851852c36d src/servo/components/style/traversal.rs:420:37
#26 0x7f8451050826 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::hdfb38f93f4c4a143 src/servo/components/style/gecko/traversal.rs:37:13
#27 0x7f8451050826 in style::driver::traverse_dom::h9a6b906b750091d2 src/servo/components/style/driver.rs:112:9
#28 0x7f845114ec11 in geckoservo::glue::traverse_subtree::hca6b4760c18d9f98 src/servo/ports/geckolib/glue.rs:265:5
#29 0x7f845114f07e in Servo_TraverseSubtree src/servo/ports/geckolib/glue.rs:325:5
#30 0x7f844cb26e70 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) src/layout/style/ServoStyleSet.cpp:734:9
#31 0x7f844cbd6e97 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2997:20
#32 0x7f844cbb11c1 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3127:3
#33 0x7f844cbb11c1 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4202:39
#34 0x7f8449e3bf5e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1406:5
#35 0x7f8449e3bf5e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:10573:16
#36 0x7f844946231b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:718:14
#37 0x7f84494634f4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:656:5
#38 0x7f844dc12de8 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13692:23
#39 0x7f84483cf3aa in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:625:22
#40 0x7f84483d08f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:529:10
#41 0x7f8449e3ef81 in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11313:18
#42 0x7f8449e1c3d0 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11243:9
#43 0x7f8449e2e2c6 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7791:3
#44 0x7f8449ea0e96 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#45 0x7f8449ea0e96 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#46 0x7f8449ea0e96 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#47 0x7f844821beb2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#48 0x7f84482473b3 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:473:16
#49 0x7f8448224ba9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:757:26
#50 0x7f8448223b14 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#51 0x7f8448223ca3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:396:36
#52 0x7f844824acd6 in operator() src/xpcom/threads/TaskController.cpp:135:37
#53 0x7f844824acd6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#54 0x7f84482369d0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#55 0x7f844823d6ca in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#56 0x7f8448b76fa6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#57 0x7f8448ae19f3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#58 0x7f8448ae190d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#59 0x7f8448ae190d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#60 0x7f844c8bbf48 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#61 0x7f844e13d983 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:906:20
#62 0x7f8448b77e8c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#63 0x7f8448ae19f3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#64 0x7f8448ae190d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#65 0x7f8448ae190d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#66 0x7f844e13d55f in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:738:34
#67 0x560e4ad29396 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#68 0x560e4ad29396 in main src/browser/app/nsBrowserApp.cpp:309:18
#69 0x7f845d2420b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#70 0x560e4ad0713c in _start (/home/worker/builds/m-c-20210424155423-fuzzing-debug/firefox-bin+0x1513c)
Flags: in-testsuite?
Component: Graphics: WebRender → Layout: Text and Fonts

A Pernosco session is available here: https://pernos.co/debug/O70NVVYZi-zweCmfFvzlGQ/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210426213158-6f8320a4798f.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: cdd14a1df784642f8741b0f76041e92ba99ec9df (20200428035455)
End: 89a07f1b7f853f12ce5e97ecfb67edaa2946752c (20210424155423)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:bisected,confirmed]

We should use saturating addition for that property at least.

Severity: -- → S3
Flags: needinfo?(twsmith)
Priority: -- → P3
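As an added illustration (not code from this bug, the attached testcase, or Servo itself), the block below is a stand-alone Rust model of the computed-value step that tripped the overflow check here, beside the saturating version the fix landed. The `MathDepth` enum, `ParentStyle`, the clamp helper and the `cascade_*` walkers are this example's own simplifications of Servo's types; what it keeps from the real design is the i8 storage for the computed value and the three specified forms of `math-depth` from CSS MathML Core (`auto-add`, `add(<integer>)`, `<integer>`). The "before" path uses `checked_add` so the failure is observable as `None` rather than depending on the compiler's debug overflow checks.

```rust
/// Servo stores the computed `math-depth` as an i8, so the usable range is -128..=127.
pub type ComputedMathDepth = i8;

/// Simplified model of the specified `math-depth` value from CSS MathML Core:
/// `auto-add`, `add(<integer>)` or an absolute `<integer>`. This enum and the
/// `ParentStyle` struct below are this example's own types, not Servo's.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum MathDepth {
    AutoAdd,
    Add(i32),
    Absolute(i32),
}

/// The two inherited inputs the computation needs from the parent style.
#[derive(Debug, Clone, Copy)]
pub struct ParentStyle {
    pub math_depth: ComputedMathDepth,
    /// true when the parent's `math-style` is `compact` (then `auto-add` adds 1).
    pub math_style_compact: bool,
}

/// Clamp a specified <integer> into i8 storage before it touches the parent depth.
fn clamp_to_i8(v: i32) -> i8 {
    v.clamp(i8::MIN as i32, i8::MAX as i32) as i8
}

/// Pre-fix behaviour, modelled with checked arithmetic: each place the original
/// code did a plain i8 `+` is a `checked_add` here, so the overflow that fired
/// `MOZ_CRASH(attempt to add with overflow)` in a debug build surfaces as `None`
/// instead of aborting the content process. A release build would instead wrap
/// silently, turning a large positive depth into a negative one.
pub fn compute_unsaturated(parent: ParentStyle, spec: MathDepth) -> Option<ComputedMathDepth> {
    match spec {
        MathDepth::AutoAdd => {
            if parent.math_style_compact {
                parent.math_depth.checked_add(1)
            } else {
                Some(parent.math_depth)
            }
        }
        MathDepth::Add(rel) => parent.math_depth.checked_add(clamp_to_i8(rel)),
        MathDepth::Absolute(v) => Some(clamp_to_i8(v)),
    }
}

/// Post-fix behaviour: saturating addition pins the result at i8::MAX / i8::MIN.
/// Untrusted CSS can still push the depth to the rail, but it can no longer make
/// the cascade panic or wrap.
pub fn compute_saturating(parent: ParentStyle, spec: MathDepth) -> ComputedMathDepth {
    match spec {
        MathDepth::AutoAdd => {
            if parent.math_style_compact {
                parent.math_depth.saturating_add(1)
            } else {
                parent.math_depth
            }
        }
        MathDepth::Add(rel) => parent.math_depth.saturating_add(clamp_to_i8(rel)),
        MathDepth::Absolute(v) => clamp_to_i8(v),
    }
}

/// Walk a chain of nested elements root-first, feeding each computed depth to the
/// next child the way the cascade inherits `math-depth` down a subtree. The parent's
/// `math-style` is held fixed for the whole chain in this simplified model.
pub fn cascade_unsaturated(root: ParentStyle, chain: &[MathDepth]) -> Option<ComputedMathDepth> {
    let mut parent = root;
    for spec in chain {
        parent.math_depth = compute_unsaturated(parent, *spec)?;
    }
    Some(parent.math_depth)
}

pub fn cascade_saturating(root: ParentStyle, chain: &[MathDepth]) -> ComputedMathDepth {
    let mut parent = root;
    for spec in chain {
        parent.math_depth = compute_saturating(parent, *spec);
    }
    parent.math_depth
}

fn main() {
    let root = ParentStyle { math_depth: 0, math_style_compact: false };
    // Constructed input: two nested elements, each declaring `math-depth: add(100)`.
    let chain = [MathDepth::Add(100), MathDepth::Add(100)];
    println!("unsaturated: {:?}", cascade_unsaturated(root, &chain)); // None (the panicking case)
    println!("saturating:  {}", cascade_saturating(root, &chain)); // 127
}
```

The general lesson for any inherited, integer-valued computed style property is the same: the parent value is attacker-influenced (it came from earlier CSS in the same document), so arithmetic on it has to be total. Saturating at the storage type's limits is the right choice here because a depth of 127 renders harmlessly, whereas a panic takes down the content process and a wrap produces a nonsensical negative depth.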

Err...

Flags: needinfo?(twsmith) → needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f549080b24c3 Use saturating addition for math-depth. r=fredw
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/28793 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210503153234-cdcfe2f59d26.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot
Flags: in-testsuite? → in-testsuite+

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Sorry, bug in the bot.

Flags: needinfo?(emilio)
