1764217 - Hit MOZ_CRASH(assertion failed: self.writing_mode.map_or(true, |wm| wm == writing_mode)) at servo/components/style/rule_cache.rs:40

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220408-0671f5ff7249 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: self.writing_mode.map_or(true, |wm| wm == writing_mode)) at servo/components/style/rule_cache.rs:40

#0 0x7fa24bb0b9d5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fa24bb0b9d5 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fa24bb0b834 in mozglue_static::panic_hook::h773f18c382903796 src/mozglue/static/rust/lib.rs:91:9
#3 0x7fa24bb0b39b in core::ops::function::Fn::call::ha1de6d8c8d2b790f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:70:5
#4 0x7fa24c8ffdf4 in std::panicking::rust_panic_with_hook::h1a5ea2d6c23051aa /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:610:17
#5 0x7fa24c8ffac1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h07f549390938b73f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:500:13
#6 0x7fa24c8fb9d3 in std::sys_common::backtrace::__rust_end_short_backtrace::h5ec3758a92cfb00d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:139:18
#7 0x7fa24c8ff828 in rust_begin_unwind /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
#8 0x7fa242232260 in core::panicking::panic_fmt::h3a79a6a99affe1d5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
#9 0x7fa2422321ac in core::panicking::panic::h97167cd315d19cd4 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:48:5
#10 0x7fa24c683b7a in style::rule_cache::RuleCacheConditions::set_writing_mode_dependency::ha4a3ca88bf0367fd src/servo/components/style/rule_cache.rs:40:9
#11 0x7fa24c683b7a in style::properties::longhands::border_inline_start_color::cascade_property::h0c5a7c7fbe29cad1 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-634105a02537e548/out/longhands/border.rs:2135:17
#12 0x7fa24c23ae4a in style::properties::cascade::Cascade::apply_declaration::h25f62044f42209f4 src/servo/components/style/properties/cascade.rs:583:9
#13 0x7fa24c23ae4a in style::properties::cascade::Cascade::apply_properties::h9c9963b5ff781df0 src/servo/components/style/properties/cascade.rs:697:13
#14 0x7fa24c23a0f7 in style::properties::cascade::apply_declarations::hde65fbf0fa2c7d5e src/servo/components/style/properties/cascade.rs:344:9
#15 0x7fa24c23a0f7 in style::properties::cascade::cascade_rules::hccb530d0e7074604 src/servo/components/style/properties/cascade.rs:192:5
#16 0x7fa24c1ea03a in style::properties::cascade::cascade::h32620cb9f6a60fbd src/servo/components/style/properties/cascade.rs:70:5
#17 0x7fa24c1ea03a in style::stylist::Stylist::cascade_style_and_visited::h6ad072953ba353ab src/servo/components/style/stylist.rs:1060:9
#18 0x7fa24c1e017a in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::he5d28c50a485f467 src/servo/components/style/style_resolver.rs:346:22
#19 0x7fa24c1df5f3 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h4d5d98ebf01ce2b0 src/servo/components/style/style_resolver.rs:243:20
#20 0x7fa24c1dfade in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h753cc76fde92df46 src/servo/components/style/style_resolver.rs:259:29
#21 0x7fa24c1fd6f4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h22dcb4e2e0a03df9 src/servo/components/style/style_resolver.rs:294:13
#22 0x7fa24c1fd6f4 in style::style_resolver::with_default_parent_styles::hf33fe12845203f5c src/servo/components/style/style_resolver.rs:115:5
#23 0x7fa24c1fd6f4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::ha69f2a2e43ab53eb src/servo/components/style/style_resolver.rs:293:9
#24 0x7fa24c1fd6f4 in style::traversal::compute_style::h27bf86aa8dcf04b6 src/servo/components/style/traversal.rs:602:25
#25 0x7fa24c191bf0 in style::traversal::recalc_style_at::h10a576284685bcca src/servo/components/style/traversal.rs:420:37
#26 0x7fa24c191bf0 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h343c7413a3d2fca4 src/servo/components/style/gecko/traversal.rs:37:13
#27 0x7fa24c191bf0 in style::driver::traverse_dom::h6a5fec8f6247b3a8 src/servo/components/style/driver.rs:112:9
#28 0x7fa24c12b5e6 in geckoservo::glue::traverse_subtree::h59f3527cfc0ea7fd src/servo/ports/geckolib/glue.rs:273:5
#29 0x7fa24c12ba4a in Servo_TraverseSubtree src/servo/ports/geckolib/glue.rs:333:5
#30 0x7fa247532112 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) src/layout/style/ServoStyleSet.cpp:770:9
#31 0x7fa2475e51f8 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3050:20
#32 0x7fa2475be030 in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:3181:3
#33 0x7fa2475bd5ff in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4310:39
#34 0x7fa2475834f0 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2516:22
#35 0x7fa24758c370 in TickDriver src/layout/base/nsRefreshDriver.cpp:367:13
#36 0x7fa24758c370 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:345:7
#37 0x7fa24758c273 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:361:5
#38 0x7fa24758c140 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:895:5
#39 0x7fa24758b7c7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:770:16
#40 0x7fa24758ae13 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncOnMainThread() src/layout/base/nsRefreshDriver.cpp:649:7
#41 0x7fa24758a90c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:535:9
#42 0x7fa246ad9c7a in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#43 0x7fa246d389c6 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:54
#44 0x7fa243203bbc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6518:32
#45 0x7fa243197ff1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1707:25
#46 0x7fa243195227 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1632:9
#47 0x7fa243195d1d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1493:3
#48 0x7fa2431968ae in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1528:14
#49 0x7fa242601b6e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#50 0x7fa2425dc0b6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:780:26
#51 0x7fa2425dad53 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#52 0x7fa2425dafc3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#53 0x7fa242606b96 in operator() src/xpcom/threads/TaskController.cpp:124:37
#54 0x7fa242606b96 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#55 0x7fa2425f0863 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1187:16
#56 0x7fa2425f728d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#57 0x7fa24319d9a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#58 0x7fa2430ba627 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#59 0x7fa2430ba532 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#60 0x7fa2430ba532 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#61 0x7fa247280ba8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#62 0x7fa249392ee3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
#63 0x7fa24319e89a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#64 0x7fa2430ba627 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#65 0x7fa2430ba532 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#66 0x7fa2430ba532 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#67 0x7fa249392519 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:729:34
#68 0x56128963d2f7 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#69 0x56128963d2f7 in main src/browser/app/nsBrowserApp.cpp:327:18
#70 0x7fa2589740b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#71 0x561289618a7c in _start (/home/worker/builds/m-c-20220408214449-fuzzing-debug/firefox-bin+0x15a7c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/Fl0GikRT429vVUUXdJWbGQ/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220412035701-0bcad14b3c3a.
The bug appears to have been introduced in the following build range:

Start: 85fa29fcf2eeeb8125c5014e6cf9a37463f93542 (20220408143349)
End: 1b885ef9e84d87ade1eb026d27949146a6abfe04 (20220408170900)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=85fa29fcf2eeeb8125c5014e6cf9a37463f93542&tochange=1b885ef9e84d87ade1eb026d27949146a6abfe04

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1764217 - Fix visited handling after bug 1763750. r=hiro,#style,#layout-reviewers

Before bug 1763750, we unconditionally called compute_writing_mode,
which got the writing mode from the cascade mode for visited styles.

However after that bug we only do that if we apply any
writing-mode-related property.

We could just call compute_writing_mode unconditionally, but instead it
seems better to skip all that work for visited cascade and reuse the
mechanism introduced in that bug to only apply the visited-dependent
longhands.

We assert that all visited-dependent longhands are "late" longhands, so
as to also avoid applying the font group and such.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 5

[Emilio Cobos Álvarez (:emilio)]

Kind of annoying bot.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1763750

Comment 7

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/49a8beafd0d6
Fix visited handling after bug 1763750. r=hiro

Comment 8

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/33631 for changes under testing/web-platform/tests

Comment 9

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/49a8beafd0d6

Comment 10

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 11

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220414034541-7483423001f5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.