Open Bug 1774470 Opened 2 years ago Updated 11 months ago

Hit MOZ_CRASH(Locked::write_with called with a guard from a read only or unrelated SharedRwLock) at /servo/components/style/shared_lock.rs:250

Categories

(Core :: CSS Parsing and Computation, defect)

x86_64
Linux
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev b1ed2fa50612 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b1ed2fa50612 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Locked::write_with called with a guard from a read only or unrelated SharedRwLock) at /servo/components/style/shared_lock.rs:250

    =================================================================
    ==212608==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f3de8745348 bp 0x7ffde602c150 sp 0x7ffde602c140 T0)
    ==212608==The signal is caused by a WRITE memory access.
    ==212608==Hint: address points to the zero page.
        #0 0x7f3de8745348 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f3de8745348 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f3de8745266 in mozglue_static::panic_hook::h23040566db4aec3d /mozglue/static/rust/lib.rs:91:9
        #3 0x7f3de8743f95 in core::ops::function::Fn::call::h2371897cbe668d4b /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
        #4 0x7f3debd0ae92 in std::panicking::rust_panic_with_hook::h53b24c17f6374599 (/home/jkratzer/builds/mc-asan/libxul.so+0x20fa6e92) (BuildId: af07ee202634a84b6394d571e58e69be2fdf53e8)
        #5 0x7f3de9fc0437 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h69e5a5621e1d931b /builds/worker/fetches/rust/library/std/src/panicking.rs:617:9
        #6 0x7f3de9fbc639 in std::sys_common::backtrace::__rust_end_short_backtrace::h4b13eb494386271d /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7f3dd453b8bb in std::panicking::begin_panic::he87866921c459403 /builds/worker/fetches/rust/library/std/src/panicking.rs:616:12
        #8 0x7f3dea3667ca in style::shared_lock::Locked$LT$T$GT$::write_with::h02e7f83ab486be28 /servo/components/style/shared_lock.rs:250:9
        #9 0x7f3dea3667ca in geckoservo::glue::write_locked_arc::h375416bbd232d044 /servo/ports/geckolib/glue.rs:2088:10
        #10 0x7f3dea3667ca in Servo_FontFaceRule_ResetDescriptor /servo/ports/geckolib/glue.rs:3420:5
        #11 0x7f3dd96872b3 in mozilla::dom::CSSStyleDeclaration_Binding::removeProperty(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/CSSStyleDeclarationBinding.cpp:484:24
        #12 0x7f3dda54087f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #13 0x7f3de48f5200 in CallJSNative /js/src/vm/Interpreter.cpp:421:13
        #14 0x7f3de48f5200 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:508:12
        #15 0x7f3de48e3862 in InternalCall /js/src/vm/Interpreter.cpp:575:10
        #16 0x7f3de48e3862 in CallFromStack /js/src/vm/Interpreter.cpp:579:10
        #17 0x7f3de48e3862 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
        #18 0x7f3de48c8dc9 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13
        #19 0x7f3de48f533e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
        #20 0x7f3de48f6e1e in InternalCall /js/src/vm/Interpreter.cpp:575:10
        #21 0x7f3de48f6e1e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
        #22 0x7f3de2fa3565 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #23 0x7f3dda160a79 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #24 0x7f3ddaf30214 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #25 0x7f3ddaf2fcd0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #26 0x7f3ddaf31290 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #27 0x7f3ddaf1f40e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #28 0x7f3ddaf1dc71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #29 0x7f3ddaf21e55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #30 0x7f3dde227812 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1085:7
        #31 0x7f3de1c882e3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6436:20
        #32 0x7f3de1c875a1 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5828:7
        #33 0x7f3de1c8949f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #34 0x7f3dd710c830 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #35 0x7f3dd710b234 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #36 0x7f3dd7107b82 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #37 0x7f3dd7109bf1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #38 0x7f3de1cc32cb in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13824:23
        #39 0x7f3dd57c952e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #40 0x7f3dd57cbf24 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #41 0x7f3dd85e5cc4 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11668:18
        #42 0x7f3dd85921d0 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11606:9
        #43 0x7f3dd85bd539 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8141:3
        #44 0x7f3dd86b0ddd in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #45 0x7f3dd86b0ddd in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #46 0x7f3dd86b0ddd in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #47 0x7f3dd54154cf in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #48 0x7f3dd5463012 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
        #49 0x7f3dd5428645 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
        #50 0x7f3dd54257f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
        #51 0x7f3dd5425f20 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
        #52 0x7f3dd546bc11 in operator() /xpcom/threads/TaskController.cpp:124:37
        #53 0x7f3dd546bc11 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #54 0x7f3dd54493f7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #55 0x7f3dd5453824 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #56 0x7f3dd6bc44cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #57 0x7f3dd6a44d61 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #58 0x7f3dd6a44d61 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #59 0x7f3dd6a44d61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #60 0x7f3dddb4d067 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #61 0x7f3de2b2c9f7 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #62 0x7f3dd6a44d61 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #63 0x7f3dd6a44d61 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #64 0x7f3dd6a44d61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #65 0x7f3de2b2bb5f in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #66 0x55f4016616d5 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #67 0x55f401661a86 in main /browser/app/nsBrowserApp.cpp:338:18
        #68 0x7f3dfcb45082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #69 0x55f4015a1b19 in _start (/home/jkratzer/builds/mc-asan/firefox+0x77b19) (BuildId: 930981df6b352335a47df8a76561e3e80bd3d921)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==212608==ABORTING
Attached file Testcase

Hm, I can't reproduce as-is since InspectorUtils seems like some kind of privileged devtools API. As per :jkratzer on Matrix, this is used for triggering certain events, so it could be possible to hit this without using the API.
:jkratzer, can we get a Pernosco trace for this?

Severity: -- → S3
Flags: needinfo?(jkratzer)

David, you can find a pernosco session for this bug here.

Flags: needinfo?(jkratzer)

Trying to determine how this may happen:

Rust panics because the lock given is a read-only lock.

In C++ land the associated rule is considered not read-only, i.e. ContainingRule()->IsReadOnly() == false, and so we go on and try to delete the font-family property.
(Rule::mSheet == nullptr implies RW in C++ land, but it's guaranteed nullptr for inspector-generated font faces.)
(The rule in question was matched here.)
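The guard check this comment describes, as a simplified Rust model added here (not stylo's own shared_lock.rs): a Locked value is bound to the SharedRwLock it was created with, and write_with accepts only a guard taken on that same writable lock. The model assumes, as write_locked_arc in the trace does, that the guard comes from the global shared lock, and that an inspector-generated @font-face rule was built on a read-only lock; reset_descriptor and the descriptor list are hypothetical stand-ins.

```rust
use std::cell::{RefCell, RefMut};
use std::sync::Arc;

/// Lock identity; `None` models `SharedRwLock::read_only()`, whose data is never
/// meant to be mutated, so no write guard can ever match it.
#[derive(Clone)]
pub struct SharedRwLock(Option<Arc<()>>);

/// A write guard remembers the lock that produced it.
pub struct WriteGuard<'a>(&'a SharedRwLock);

impl SharedRwLock {
    pub fn new() -> Self { SharedRwLock(Some(Arc::new(()))) }
    pub fn read_only() -> Self { SharedRwLock(None) }
    pub fn write(&self) -> WriteGuard<'_> { WriteGuard(self) }
    fn same_lock_as(&self, other: &SharedRwLock) -> bool {
        match (&self.0, &other.0) {
            (Some(a), Some(b)) => Arc::ptr_eq(a, b),
            _ => false, // a read-only lock on either side never matches
        }
    }
}

/// Data that may only be mutated through a guard of its own lock.
pub struct Locked<T> { lock: SharedRwLock, data: RefCell<T> }

impl<T> Locked<T> {
    pub fn new(lock: &SharedRwLock, data: T) -> Self {
        Locked { lock: lock.clone(), data: RefCell::new(data) }
    }
    /// Where stylo's write_with panics, this model returns Err so it is testable.
    pub fn write_with<'a>(&'a self, g: &WriteGuard<'_>) -> Result<RefMut<'a, T>, &'static str> {
        if !self.lock.same_lock_as(g.0) {
            return Err("guard from a read only or unrelated SharedRwLock");
        }
        Ok(self.data.borrow_mut())
    }
}

/// Hypothetical stand-in for the Servo_FontFaceRule_ResetDescriptor path in the trace:
/// take a write guard on the global lock and remove one descriptor from the rule.
/// Returns false when the rule's own lock rejects that guard, which is the reported crash.
pub fn reset_descriptor(global: &SharedRwLock, rule: &Locked<Vec<&'static str>>, name: &str) -> bool {
    match rule.write_with(&global.write()) {
        Ok(mut descriptors) => { descriptors.retain(|d| *d != name); true }
        Err(_) => false,
    }
}
```

A rule created with the global lock accepts the global guard, while a rule created with a read-only (or any unrelated) lock rejects it, so the C++-side read-only predicate has to agree with the lock the rule actually carries before the write is attempted.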

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220615214908-0e44540919cd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: b7d44f6d500311bc4f0f889dbd924f790368ca5b (20210617042731)
End: b1ed2fa50612451f8f39fc84c5f64af62cf7fe3a (20220615093700)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action is possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon