1768096 - Assertion failure: !ServoStyleSet::IsCurrentThreadInServoTraversal(), at src/gfx/thebes/gfxTextRun.cpp:1869

Status: VERIFIED FIXED

(Core :: Graphics: Text, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220505-37e7a0dddfb0 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !ServoStyleSet::IsCurrentThreadInServoTraversal(), at src/gfx/thebes/gfxTextRun.cpp:1869

#0 0x7f8da1919cf5 in gfxFontGroup::~gfxFontGroup() src/gfx/thebes/gfxTextRun.cpp:1869:3
#1 0x7f8da1919dc0 in gfxFontGroup::~gfxFontGroup() src/gfx/thebes/gfxTextRun.cpp:1867:31
#2 0x7f8da1514c89 in Release /builds/worker/workspace/obj-build/dist/include/gfxFont.h:625:3
#3 0x7f8da1514c89 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#4 0x7f8da1514c89 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#5 0x7f8da1514c89 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#6 0x7f8da1514c89 in nsFontMetrics::~nsFontMetrics() src/gfx/src/nsFontMetrics.cpp:152:1
#7 0x7f8da1514601 in nsFontMetrics::Release() src/gfx/src/nsFontMetrics.h:72:3
#8 0x7f8da1513fd4 in Flush src/gfx/src/nsFontCache.cpp:141:5
#9 0x7f8da1513fd4 in nsFontCache::GetMetricsFor(nsFont const&, nsFontMetrics::Params const&) src/gfx/src/nsFontCache.cpp:82:7
#10 0x7f8da54e806f in GetMetricsFor src/layout/base/nsPresContext.cpp:819:22
#11 0x7f8da54e806f in nsLayoutUtils::GetMetricsFor(nsPresContext*, bool, nsStyleFont const*, mozilla::StyleCSSPixelLength, bool) src/layout/base/nsLayoutUtils.cpp:9561:24
#12 0x7f8da537eae1 in Gecko_GetFontMetrics src/layout/style/GeckoBindings.cpp:1422:30
#13 0x7f8daa2e14a4 in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::h5bd76ed63209476e src/servo/components/style/gecko/wrapper.rs:1019:13
#14 0x7f8daa29799b in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::h8ae538f9c243daca src/servo/components/style/values/specified/length.rs:167:13
#15 0x7f8daa29799b in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::h11f1ec95990c239f src/servo/components/style/values/specified/length.rs:221:31
#16 0x7f8daa29799b in style::values::specified::length::FontRelativeLength::to_computed_value::h16bd76a8ee606e5f src/servo/components/style/values/specified/length.rs:146:40
#17 0x7f8daa2128a0 in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::h1e3599fff04ea9ae src/servo/components/style/values/computed/length.rs:37:17
#18 0x7f8daa4c1658 in style::values::computed::length_percentage::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..LengthPercentage$GT$::to_computed_value::h369af7b4d600bf53 src/servo/components/style/values/computed/length_percentage.rs:502:46
#19 0x7f8daa4c1658 in _$LT$style..values..generics..NonNegative$LT$T$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h2c8356c965f876f0 src/servo/components/style/values/generics/mod.rs:175:5
#20 0x7f8daa4c1658 in _$LT$style..values..generics..size..Size2D$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::ha576df1a6ce85f01 src/servo/components/style/values/generics/size.rs:26:5
#21 0x7f8daa4c1658 in _$LT$style..values..generics..border..GenericBorderCornerRadius$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h1a2006868cb5b9ec src/servo/components/style/values/generics/border.rs:88:5
#22 0x7f8daa4c1658 in style::properties::longhands::border_top_left_radius::cascade_property::h0b83bf70b07f255f /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-ebc29c6c39a740db/out/longhands/border.rs:2821:32
#23 0x7f8daa076bc6 in style::properties::cascade::Cascade::apply_declaration::h36596c48c40dcb3c src/servo/components/style/properties/cascade.rs:596:9
#24 0x7f8daa076bc6 in style::properties::cascade::Cascade::apply_properties::h26560e2de9b9fc60 src/servo/components/style/properties/cascade.rs:701:13
#25 0x7f8daa075f13 in style::properties::cascade::apply_declarations::hc59ecf546c2fe0e9 src/servo/components/style/properties/cascade.rs:360:5
#26 0x7f8daa075f13 in style::properties::cascade::cascade_rules::h9624256c9ed9471a src/servo/components/style/properties/cascade.rs:192:5
#27 0x7f8daa024cba in style::properties::cascade::cascade::h94742c889c47eaca src/servo/components/style/properties/cascade.rs:70:5
#28 0x7f8daa024cba in style::stylist::Stylist::cascade_style_and_visited::h4ed09d76d1a234a8 src/servo/components/style/stylist.rs:1060:9
#29 0x7f8daa01adbc in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h3275b5b2cba3839e src/servo/components/style/style_resolver.rs:346:22
#30 0x7f8daa01a278 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h94542651d201f17b src/servo/components/style/style_resolver.rs:243:20
#31 0x7f8daa01b15a in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_styles_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::hc24ded71b3c914d8 src/servo/components/style/style_resolver.rs:376:17
#32 0x7f8daa01b00c in style::style_resolver::with_default_parent_styles::h3d02f3e948e210bf src/servo/components/style/style_resolver.rs:115:5
#33 0x7f8daa01b00c in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_styles_with_default_parents::hedd2cf11081401a7 src/servo/components/style/style_resolver.rs:374:9
#34 0x7f8daa036787 in style::traversal::compute_style::h1df19390daf0a0e8 src/servo/components/style/traversal.rs:629:13
#35 0x7f8da9fc9b90 in style::traversal::recalc_style_at::h4dc3d1cdb2899057 src/servo/components/style/traversal.rs:420:37
#36 0x7f8da9fc9b90 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h227d806615315028 src/servo/components/style/gecko/traversal.rs:37:13
#37 0x7f8da9fc9b90 in style::driver::traverse_dom::h7c6022eac80e3dd9 src/servo/components/style/driver.rs:112:9
#38 0x7f8da9f66666 in geckoservo::glue::traverse_subtree::h2a3877c800b9ccd0 src/servo/ports/geckolib/glue.rs:273:5
#39 0x7f8da9f66aaa in Servo_TraverseSubtree src/servo/ports/geckolib/glue.rs:323:9
#40 0x7f8da53adf31 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) src/layout/style/ServoStyleSet.cpp:774:9
#41 0x7f8da545fc3c in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3066:20
#42 0x7f8da5438d10 in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:3197:3
#43 0x7f8da54382de in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4318:39
#44 0x7f8da53fe5dc in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2523:22
#45 0x7f8da5407490 in TickDriver src/layout/base/nsRefreshDriver.cpp:368:13
#46 0x7f8da5407490 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:346:7
#47 0x7f8da5407393 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:362:5
#48 0x7f8da5407060 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:884:5
#49 0x7f8da54066af in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:797:5
#50 0x7f8da5406105 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:724:5
#51 0x7f8da5405d3a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/layout/base/nsRefreshDriver.cpp:587:14
#52 0x7f8da540594c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:544:9
#53 0x7f8da494a17b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#54 0x7f8da4ba7e76 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:54
#55 0x7f8da1088e94 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6519:32
#56 0x7f8da101db01 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1714:25
#57 0x7f8da101ad86 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1639:9
#58 0x7f8da101b889 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1500:3
#59 0x7f8da101c3d4 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1535:14
#60 0x7f8da047e41e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#61 0x7f8da0458dd3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:780:26
#62 0x7f8da0457983 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#63 0x7f8da0457bf3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#64 0x7f8da0481c19 in operator() src/xpcom/threads/TaskController.cpp:127:37
#65 0x7f8da0481c19 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#66 0x7f8da046d67f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
#67 0x7f8da0473c7d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#68 0x7f8da1023404 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#69 0x7f8da0f3f837 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#70 0x7f8da0f3f742 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#71 0x7f8da0f3f742 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#72 0x7f8da50e8a78 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#73 0x7f8da72122ab in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:874:20
#74 0x7f8da102434a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#75 0x7f8da0f3f837 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#76 0x7f8da0f3f742 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#77 0x7f8da0f3f742 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#78 0x7f8da72118cc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#79 0x562b6b69fe30 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#80 0x562b6b69fe30 in main src/browser/app/nsBrowserApp.cpp:327:18
#81 0x7f8db7b9e0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#82 0x562b6b675bdc in _start (/home/user/workspace/browsers/m-c-20220505161156-fuzzing-debug/firefox-bin+0x15bdc) (BuildId: 65d74aa4395acf32225fcd1a916e700180d5b69d)

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220505161156-37e7a0dddfb0.
The bug appears to have been introduced in the following build range:

Start: 6caa30153d0b6e71f31316ca071c3173dc10c89c (20220504210204)
End: d71652d1278bbf55b8079fcd77fc68c3920d954d (20220504224543)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6caa30153d0b6e71f31316ca071c3173dc10c89c&tochange=d71652d1278bbf55b8079fcd77fc68c3920d954d

Comment 2

[Andrew Osmond [:aosmond] (he/him)]

Probably bug 1759686.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1759686

Comment 4

[Jonathan Kew [:jfkthame]]

Ah, I see.... yeah, the change there wasn't correct. The code here used to assert NS_IsMainThread(), which will no longer hold in the offscreen-canvas case, but this isn't the right thing to be asserting either. Leaving needinfo? for now until I look into this properly...

Comment 5

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1768096 - Correct the not-in-stylo-thread assertion in fontgroup destructor. r=lsalzman

Comment 6

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1768096 - Add testcase from report as a crashtest. r=lsalzman

Depends on D145902

Comment 7

[Pascal Chevrel:pascalc]

Jonathan, it seems that the patches are accepted, can they land before the next merge? Thanks

Comment 8

[Jonathan Kew [:jfkthame]]

Oops, I thought I'd lando'd this! Just queued it now.

Comment 9

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/42afce2940b3
Correct the not-in-stylo-thread assertion in fontgroup destructor. r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/80da8c292ef4
Add testcase from report as a crashtest. r=lsalzman

Comment 10

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/42afce2940b3
https://hg.mozilla.org/mozilla-central/rev/80da8c292ef4

Comment 11

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220517040927-1254448a9518.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.