Open Bug 1722384 Opened 3 years ago Updated 10 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: we shouldn't have parsed a negative radius in the style), at /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:292

Categories

(Core :: SVG, defect, P3)

Tracking Status
firefox92 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 0c272222c17b (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0c272222c17b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: we shouldn't have parsed a negative radius in the style), at /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:292

    #0 0x7fa8d6731ba2 in mozilla::CSSFilterInstance::BlurRadiusToFilterSpace(int) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:290:5
    #1 0x7fa8d67305b0 in mozilla::CSSFilterInstance::SetAttributesForBlur(mozilla::gfx::FilterPrimitiveDescription&) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:116:7
    #2 0x7fa8d67302ea in mozilla::CSSFilterInstance::BuildPrimitives(nsTArray<mozilla::gfx::FilterPrimitiveDescription>&, bool) /builds/worker/checkouts/gecko/layout/svg/CSSFilterInstance.cpp:52:16
    #3 0x7fa8d6736dd8 in mozilla::FilterInstance::BuildPrimitivesForFilter(mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const&, nsIFrame*, bool, nsTArray<mozilla::gfx::FilterPrimitiveDescription>&) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:595:28
    #4 0x7fa8d6736506 in mozilla::FilterInstance::BuildPrimitives(mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:552:19
    #5 0x7fa8d6736009 in mozilla::FilterInstance::FilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, mozilla::Span<mozilla::StyleGenericFilter<mozilla::StyleAngle, float, float, mozilla::StyleCSSPixelLength, mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>, mozilla::StyleComputedUrl> const, 18446744073709551615ul>, bool, std::function<void (gfxContext&, nsIFrame*, mozilla::gfx::BaseMatrix<double> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, mozilla::image::imgDrawingParams&)> const&, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:488:7
    #6 0x7fa8d673550f in mozilla::FilterInstance::GetPostFilterBounds(nsIFrame*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*, nsRect const*) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:423:18
    #7 0x7fa8d67509b2 in mozilla::SVGIntegrationUtils::ComputePostEffectsInkOverflowRect(nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:397:7
    #8 0x7fa8d65b9adb in ComputeEffectsRect /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7542:9
    #9 0x7fa8d65b9adb in nsIFrame::FinishAndStoreOverflow(mozilla::OverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:9755:7
    #10 0x7fa8d6671329 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3347:12
    #11 0x7fa8d667115a in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3295:7
    #12 0x7fa8d6562181 in RelativePositionFrames /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:117:5
    #13 0x7fa8d6562181 in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4988:15
    #14 0x7fa8d6560dce in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4477:12
    #15 0x7fa8d655c810 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4235:9
    #16 0x7fa8d6558f30 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:5
    #17 0x7fa8d65538eb in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #18 0x7fa8d654f43b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #19 0x7fa8d655f4dc in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #20 0x7fa8d655b27c in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #21 0x7fa8d6558fd6 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #22 0x7fa8d65538eb in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #23 0x7fa8d654f43b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #24 0x7fa8d6572aa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #25 0x7fa8d6571eaa in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:819:7
    #26 0x7fa8d6572aa0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #27 0x7fa8d65b7129 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:759:3
    #28 0x7fa8d65b7aa9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:882:3
    #29 0x7fa8d65bbf49 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1301:3
    #30 0x7fa8d6544448 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
    #31 0x7fa8d6543cec in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #32 0x7fa8d644d23c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9599:11
    #33 0x7fa8d64571ae in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9770:24
    #34 0x7fa8d64566ab in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4233:11
    #35 0x7fa8d36ec12e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1414:5
    #36 0x7fa8d36ec12e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10715:16
    #37 0x7fa8d2cde5b2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:732:14
    #38 0x7fa8d2cdf97f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
    #39 0x7fa8d75fe828 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13438:23
    #40 0x7fa8d1be3a2a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #41 0x7fa8d1be4ea3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #42 0x7fa8d36ef25d in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11468:18
    #43 0x7fa8d36cc1a0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11398:9
    #44 0x7fa8d36de4b6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7906:3
    #45 0x7fa8d374e416 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #46 0x7fa8d374e416 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #47 0x7fa8d374e416 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #48 0x7fa8d1a28d02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
    #49 0x7fa8d1a53b1e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
    #50 0x7fa8d1a31869 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
    #51 0x7fa8d1a306e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
    #52 0x7fa8d1a30963 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
    #53 0x7fa8d1a57316 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #54 0x7fa8d1a57316 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
    #55 0x7fa8d1a4348f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148:16
    #56 0x7fa8d1a49efa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
    #57 0x7fa8d2362ff6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #58 0x7fa8d22bd8c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #59 0x7fa8d22bd7e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #60 0x7fa8d22bd7e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #61 0x7fa8d614cec8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #62 0x7fa8d7b058e3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #63 0x7fa8d2363eea in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #64 0x7fa8d22bd8c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #65 0x7fa8d22bd7e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #66 0x7fa8d22bd7e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #67 0x7fa8d7b054fe in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #68 0x557b36b989b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #69 0x557b36b989b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #70 0x7fa8e84690b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210727152622-edce65311704.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: eba7e3ce93822075543bcc764cef7dbc8e9fc5f1 (20200728094725)
End: 0c272222c17b3edd7190a24d7171c51eb2f009ba (20210726093430)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon