Assertion failure: false (MOZ_ASSERT_UNREACHABLE: we shouldn't have parsed a negative radius in the style), at /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:292
Categories
(Core :: SVG, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox92 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 747 bytes, text/html)
Testcase found while fuzzing mozilla-central rev 0c272222c17b (built with --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0c272222c17b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: we shouldn't have parsed a negative radius in the style), at /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:292
#0 0x7fa8d6731ba2 in mozilla::CSSFilterInstance::BlurRadiusToFilterSpace(int) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:290:5
#1 0x7fa8d67305b0 in mozilla::CSSFilterInstance::SetAttributesForBlur(mozilla::gfx::FilterPrimitiveDescription&) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:116:7
#2 0x7fa8d67302ea in mozilla::CSSFilterInstance::BuildPrimitives(nsTArray<mozilla::gfx::FilterPrimitiveDescription>&, bool) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:52:16
#3 0x7fa8d6736dd8 in mozilla::FilterInstance::BuildPrimitivesForFilter(mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const&, nsIFrame*, bool, nsTArray<mozilla::gfx::FilterPrimitiveDescription>&) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:595:28
#4 0x7fa8d6736506 in mozilla::FilterInstance::BuildPrimitives(mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:552:19
#5 0x7fa8d6736009 in mozilla::FilterInstance::FilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, bool, std::function<void (gfxContext&, nsIFrame*, mozilla::gfx::BaseMatrix<double> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, mozilla::image::imgDrawingParams&)> const&, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:488:7
#6 0x7fa8d673550f in mozilla::FilterInstance::GetPostFilterBounds(nsIFrame*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*, nsRect const*) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:423:18
#7 0x7fa8d67509b2 in mozilla::SVGIntegrationUtils::ComputePostEffectsInkOverflowRect(nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:397:7
#8 0x7fa8d65b9adb in ComputeEffectsRect /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7542:9
#9 0x7fa8d65b9adb in nsIFrame::FinishAndStoreOverflow(mozilla::OverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:9755:7
#10 0x7fa8d6671329 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3347:12
#11 0x7fa8d667115a in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3295:7
#12 0x7fa8d6562181 in RelativePositionFrames /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:117:5
#13 0x7fa8d6562181 in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4988:15
#14 0x7fa8d6560dce in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4477:12
#15 0x7fa8d655c810 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4235:9
#16 0x7fa8d6558f30 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:5
#17 0x7fa8d65538eb in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
#18 0x7fa8d654f43b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
#19 0x7fa8d655f4dc in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
#20 0x7fa8d655b27c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
#21 0x7fa8d6558fd6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
#22 0x7fa8d65538eb in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
#23 0x7fa8d654f43b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
#24 0x7fa8d6572aa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
#25 0x7fa8d6571eaa in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:819:7
#26 0x7fa8d6572aa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
#27 0x7fa8d65b7129 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:759:3
#28 0x7fa8d65b7aa9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
#29 0x7fa8d65bbf49 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1301:3
#30 0x7fa8d6544448 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
#31 0x7fa8d6543cec in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
#32 0x7fa8d644d23c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9599:11
#33 0x7fa8d64571ae in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9770:24
#34 0x7fa8d64566ab in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4233:11
#35 0x7fa8d36ec12e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1414:5
#36 0x7fa8d36ec12e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10715:16
#37 0x7fa8d2cde5b2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:732:14
#38 0x7fa8d2cdf97f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
#39 0x7fa8d75fe828 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13438:23
#40 0x7fa8d1be3a2a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
#41 0x7fa8d1be4ea3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
#42 0x7fa8d36ef25d in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11468:18
#43 0x7fa8d36cc1a0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11398:9
#44 0x7fa8d36de4b6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7906:3
#45 0x7fa8d374e416 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#46 0x7fa8d374e416 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#47 0x7fa8d374e416 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#48 0x7fa8d1a28d02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
#49 0x7fa8d1a53b1e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#50 0x7fa8d1a31869 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#51 0x7fa8d1a306e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
#52 0x7fa8d1a30963 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#53 0x7fa8d1a57316 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#54 0x7fa8d1a57316 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
#55 0x7fa8d1a4348f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148:16
#56 0x7fa8d1a49efa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#57 0x7fa8d2362ff6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#58 0x7fa8d22bd8c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#59 0x7fa8d22bd7e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#60 0x7fa8d22bd7e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#61 0x7fa8d614cec8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#62 0x7fa8d7b058e3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
#63 0x7fa8d2363eea in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#64 0x7fa8d22bd8c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#65 0x7fa8d22bd7e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#66 0x7fa8d22bd7e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#67 0x7fa8d7b054fe in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
#68 0x557b36b989b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#69 0x557b36b989b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#70 0x7fa8e84690b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210727152622-edce65311704.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: eba7e3ce93822075543bcc764cef7dbc8e9fc5f1 (20200728094725)
End: 0c272222c17b3edd7190a24d7171c51eb2f009ba (20210726093430)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 2•1 year ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 3•1 year ago (Reporter)
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.