Open Bug 1771505 Opened 10 months ago Updated 7 months ago

Assertion failure: (!aAnimation.mOriginTime.IsNull() && aAnimation.mStartTime.isSome()) || aAnimation.mIsNotPlaying (If we are playing, we should have an origin time and a start time), at /gfx/layers/AnimationHelper.cpp:97

Categories

(Core :: DOM: Animation, defect)

x86_64
Linux
defect

People

(Reporter: jkratzer, Assigned: boris)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 914ead848de4 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 914ead848de4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: (!aAnimation.mOriginTime.IsNull() && aAnimation.mStartTime.isSome()) || aAnimation.mIsNotPlaying (If we are playing, we should have an origin time and a start time), at /gfx/layers/AnimationHelper.cpp:97

    ==3028670==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f577d4da13f bp 0x7f56f3df9a10 sp 0x7f56f3df9810 T3028798)
    ==3028670==The signal is caused by a WRITE memory access.
    ==3028670==Hint: address points to the zero page.
        #0 0x7f577d4da13f in CalculateElapsedTime /gfx/layers/AnimationHelper.cpp:94:3
        #1 0x7f577d4da13f in SampleAnimationForProperty /gfx/layers/AnimationHelper.cpp:173:51
        #2 0x7f577d4da13f in mozilla::layers::AnimationHelper::SampleAnimationForEachNode(mozilla::layers::APZSampler const*, mozilla::layers::LayersId const&, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::TimeStamp, mozilla::TimeStamp, mozilla::layers::AnimatedValue const*, nsTArray<mozilla::layers::PropertyAnimationGroup>&, nsTArray<RefPtr<RawServoAnimationValue> >&) /gfx/layers/AnimationHelper.cpp:313:27
        #3 0x7f577d4f5a81 in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp)::$_9::operator()(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) const /gfx/layers/CompositorAnimationStorage.cpp:234:11
        #4 0x7f577d4f54c1 in CallWithMapLock<(lambda at /gfx/layers/CompositorAnimationStorage.cpp:223:19)> /gfx/layers/apz/src/APZCTreeManager.h:578:5
        #5 0x7f577d4f54c1 in CallWithMapLock<(lambda at /gfx/layers/CompositorAnimationStorage.cpp:223:19)> /builds/worker/workspace/obj-build/dist/include/mozilla/layers/APZSampler.h:115:11
        #6 0x7f577d4f54c1 in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp) /gfx/layers/CompositorAnimationStorage.cpp:339:17
        #7 0x7f577d7227b7 in mozilla::layers::OMTASampler::SampleAnimations(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /gfx/layers/wr/OMTASampler.cpp:128:17
        #8 0x7f577d722111 in mozilla::layers::OMTASampler::Sample(mozilla::wr::TransactionWrapper&) /gfx/layers/wr/OMTASampler.cpp:115:29
        #9 0x7f577d7233ed in Sample /gfx/layers/wr/OMTASampler.cpp:68:14
        #10 0x7f577d7233ed in omta_sample /gfx/layers/wr/OMTASampler.cpp:245:3
        #11 0x7f5785072c67 in _$LT$webrender_bindings..bindings..SamplerCallback$u20$as$u20$webrender..renderer..AsyncPropertySampler$GT$::sample::hcad372a11ffca69d /gfx/webrender_bindings/src/bindings.rs:1057:13
        #12 0x7f5785307d01 in webrender::render_backend::RenderBackend::update_document::h3942776e450b1ad4 /gfx/wr/webrender/src/render_backend.rs:1322:39
        #13 0x7f57853002ee in webrender::render_backend::RenderBackend::prepare_transactions::h765c0dc086b40391 /gfx/wr/webrender/src/render_backend.rs:1239:28
        #14 0x7f57853002ee in webrender::render_backend::RenderBackend::process_api_msg::hf9a46b35deb4bab0 /gfx/wr/webrender/src/render_backend.rs:1092:17
        #15 0x7f57853444fc in webrender::render_backend::RenderBackend::run::he8c5c016d6d3473f /gfx/wr/webrender/src/render_backend.rs:756:21
        #16 0x7f57853444fc in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hdd279e1252bdb24a /gfx/wr/webrender/src/renderer/mod.rs:1337:13
        #17 0x7f57853444fc in std::sys_common::backtrace::__rust_begin_short_backtrace::h3fc15b0fd538079c /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/sys_common/backtrace.rs:122:18
        #18 0x7f57850c5bce in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hc5e4e8c5207be9fc /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/thread/mod.rs:498:17
        #19 0x7f57850c5bce in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb6fe521d14f0d523 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panic/unwind_safe.rs:271:9
        #20 0x7f57850c5bce in std::panicking::try::do_call::hd172353aff5e6782 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:492:40
        #21 0x7f57850c5bce in std::panicking::try::hdd5867bd309629dd /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:456:19
        #22 0x7f57850c5bce in std::panic::catch_unwind::had2d17623c35f7da /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panic.rs:137:14
        #23 0x7f57850c5bce in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h667b5281025cc4ad /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/thread/mod.rs:497:30
        #24 0x7f57850c5bce in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hd6637db685d6d525 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/ops/function.rs:227:5
        #25 0x7f5786710512 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf70ac038171e3e1a /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/alloc/src/boxed.rs:1853:9
        #26 0x7f5786710512 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::he6690128792365ad /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/alloc/src/boxed.rs:1853:9
        #27 0x7f5786710512 in std::sys::unix::thread::Thread::new::thread_start::ha07928d93d5a5ec9 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/sys/unix/thread.rs:108:17
        #28 0x7f5793e75608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #29 0x7f5793a3c132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/layers/AnimationHelper.cpp:94:3 in CalculateElapsedTime
    ==3028670==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220527092603-914ead848de4.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 6adf3e04d40e2a9a1a69dc06fe101dc5a54ef615 (20210528214803)
End: 914ead848de431dcd0f42c2fda013018704b29b9 (20220527092603)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

I suspect this may be related to the set timeline API.

The severity field is not set for this bug.
:boris, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(boris.chiou)
Severity: -- → S3
Flags: needinfo?(boris.chiou)

This is still reproducible. I will check this assertion.

Assignee: nobody → boris.chiou

Well, it looks like there is an underflow happening in DocumentTimeline::ToTimeStamp(). For example, in this testcase, I set the origin time of the DocumentTimeline to -138971787, and my log said:
timing->GetNavigationStartTimeStamp() returns a TimeStamp whose mValue is 1716455938319, and the DocumentTimeline::mOriginTime is -3335322888000. We are trying to add these two values, so 1716455938319 + (-3335322888000) < 0. This is an underflow because TimeStamp::mValue is an unsigned int. This makes DocumentTimeline::ToTimeStamp() return a null TimeStamp, so we pass this null TimeStamp and hit the assertion.

Perhaps we should skip this animation if its document timeline time is null but it is playing.
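The arithmetic in the comment above, as an added example that is not part of the bug thread or of Firefox's code: a minimal stand-in for an unsigned tick-count timestamp (mValue == 0 meaning "null" is an assumption modelled on the description, not the real mozilla::TimeStamp), the two logged operands 1716455938319 and -3335322888000, the invariant quoted in the assertion message, and the skip-if-null guard the comment proposes. `WrappedSum`, `AddOffset`, `Animation`, `PlayingInvariantHolds`, `ShouldSample` and `SampleFromLoggedValues` are names made up for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <optional>

// Minimal stand-in for the tick-count timestamp described in the thread:
// mValue is unsigned and a value of 0 is the "null" stamp. This is an
// assumption for the example, not Firefox's actual TimeStamp class.
struct TimeStamp {
  uint64_t mValue = 0;
  bool IsNull() const { return mValue == 0; }
};

// The two operands quoted from the log in the comment above.
constexpr uint64_t kNavigationStartTicks = 1716455938319ULL;
constexpr int64_t  kOriginTimeTicks      = -3335322888000LL;

// What plain unsigned arithmetic produces: the sum wraps modulo 2^64 instead
// of going negative, so a "negative" result shows up as a huge tick count.
uint64_t WrappedSum(uint64_t base, int64_t offset) {
  return base + static_cast<uint64_t>(offset);
}

// Underflow-aware addition: a negative offset larger than the base yields the
// null stamp instead of a wrapped value. This models the behaviour the comment
// reports for DocumentTimeline::ToTimeStamp(), where the result came back null.
TimeStamp AddOffset(uint64_t base, int64_t offset) {
  TimeStamp out;
  if (offset >= 0) {
    out.mValue = base + static_cast<uint64_t>(offset);
    return out;
  }
  // Magnitude of the negative offset, computed without overflowing on INT64_MIN.
  uint64_t magnitude = static_cast<uint64_t>(-(offset + 1)) + 1;
  if (magnitude > base) {
    return out;  // would underflow: leave as null
  }
  out.mValue = base - magnitude;
  return out;
}

// Fields named after the ones in the quoted assertion message.
struct Animation {
  bool mIsNotPlaying = false;
  TimeStamp mOriginTime;              // timeline time; null after the underflow
  std::optional<int64_t> mStartTime;  // start time, if set
};

// The invariant asserted at AnimationHelper.cpp:97, as quoted in the report.
bool PlayingInvariantHolds(const Animation& a) {
  return (!a.mOriginTime.IsNull() && a.mStartTime.has_value()) || a.mIsNotPlaying;
}

// The guard the comment proposes: a playing animation whose timeline time is
// null is skipped instead of being sampled (and tripping the assertion).
bool ShouldSample(const Animation& a) {
  if (!a.mIsNotPlaying && a.mOriginTime.IsNull()) {
    return false;
  }
  return true;
}

// Builds an animation from the logged navigation start plus a timeline origin
// and reports what a guarded sampler would do. Returns true when it samples.
bool SampleFromLoggedValues(int64_t originTimeTicks) {
  Animation anim;
  anim.mOriginTime = AddOffset(kNavigationStartTicks, originTimeTicks);
  anim.mStartTime = 0;
  if (!ShouldSample(anim)) {
    std::printf("timeline time is null while playing: skipping animation\n");
    return false;
  }
  assert(PlayingInvariantHolds(anim));
  std::printf("sampling animation at tick %llu\n",
              static_cast<unsigned long long>(anim.mOriginTime.mValue));
  return true;
}

int main() {
  std::printf("wrapped sum: %llu\n",
              static_cast<unsigned long long>(
                  WrappedSum(kNavigationStartTicks, kOriginTimeTicks)));
  SampleFromLoggedValues(kOriginTimeTicks);  // the fuzzed negative origin: skipped
  SampleFromLoggedValues(0);                 // a sane origin: sampled
  return 0;
}
```

The wrapped sum is larger than the navigation start it was added to, which is the tell-tale sign of an unsigned underflow when the offset was negative; checking the result against the null stamp before sampling is what turns the assertion failure into a skipped frame.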
