Open Bug 1781293 Opened 3 years ago Updated 5 months ago

Assertion failure: NS_IsMainThread(), at /layout/style/FontFaceSetDocumentImpl.cpp:133

Categories

(Core :: CSS Parsing and Computation, defect, P3)

x86_64
Linux
defect

Tracking


ASSIGNED
Tracking Status
firefox-esr128 --- affected
firefox103 --- unaffected
firefox104 --- disabled
firefox105 --- disabled
firefox106 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox129 --- wontfix
firefox130 --- wontfix
firefox131 --- wontfix

People

(Reporter: jkratzer, Assigned: aosmond)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 1da938652f57 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 1da938652f57 --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: NS_IsMainThread(), at /layout/style/FontFaceSetDocumentImpl.cpp:133

    ==2806933==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7faf9fb70432 bp 0x7faf91b3e9c0 sp 0x7faf91b3e9b0 T2806950)
    ==2806933==The signal is caused by a WRITE memory access.
    ==2806933==Hint: address points to the zero page.
        #0 0x7faf9fb70432 in mozilla::dom::FontFaceSetDocumentImpl::GetInnerWindowID() /layout/style/FontFaceSetDocumentImpl.cpp:133:3
        #1 0x7faf9fb76931 in mozilla::dom::FontFaceSetImpl::LogMessage(gfxUserFontEntry*, unsigned int, char const*, unsigned int, nsresult) /layout/style/FontFaceSetImpl.cpp:692:38
        #2 0x7faf9c039987 in gfxUserFontEntry::DoLoadNextSrc(bool) /gfx/thebes/gfxUserFontSet.cpp:587:15
        #3 0x7faf9c032f4a in Load /gfx/thebes/gfxUserFontSet.cpp:789:5
        #4 0x7faf9c032f4a in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /gfx/thebes/gfxTextRun.cpp:2299:16
        #5 0x7faf9fb87082 in Gecko_GetFontMetrics /layout/style/GeckoBindings.cpp:1387:52
        #6 0x7fafa4befae4 in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::h97c3b17416475ce2 /servo/components/style/gecko/wrapper.rs:1026:13
        #7 0x7fafa4ba60eb in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::h5f47255662bee656 /servo/components/style/values/specified/length.rs:167:13
        #8 0x7fafa4ba60eb in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::hb1023f4970acdfc9 /servo/components/style/values/specified/length.rs:221:31
        #9 0x7fafa4ba60eb in style::values::specified::length::FontRelativeLength::to_computed_value::heab2d6b01bec5cb0 /servo/components/style/values/specified/length.rs:146:40
        #10 0x7fafa4b1b40e in style::values::computed::length::_$LT$impl$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value_with_base_size::h0babeb3818ce97dc /servo/components/style/values/computed/length.rs:49:17
        #11 0x7fafa4e055bb in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::h902654f240c8be66 /servo/components/style/values/computed/length.rs:34:9
        #12 0x7fafa4e055bb in style::values::computed::length_percentage::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..LengthPercentage$GT$::to_computed_value::h016a8a47835f09d2 /servo/components/style/values/computed/length_percentage.rs:502:46
        #13 0x7fafa4e055bb in _$LT$style..values..generics..NonNegative$LT$T$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h5f7cca6177b7029c /servo/components/style/values/generics/mod.rs:175:5
        #14 0x7fafa4e055bb in style::properties::longhands::padding_top::cascade_property::h798d0aa6381dd26b /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-d155a5235005b8d8/out/longhands/padding.rs:107:32
        #15 0x7fafa482794c in style::properties::cascade::Cascade::apply_declaration::h1d773e69d1dc18d7 /servo/components/style/properties/cascade.rs:594:9
        #16 0x7fafa482794c in style::properties::cascade::Cascade::apply_properties::hc6312d910746a1c0 /servo/components/style/properties/cascade.rs:699:13
        #17 0x7fafa4826c7a in style::properties::cascade::apply_declarations::h3d94027d3f98ad38 /servo/components/style/properties/cascade.rs:361:5
        #18 0x7fafa4826c7a in style::properties::cascade::cascade_rules::h38076a551b46a6ae /servo/components/style/properties/cascade.rs:192:5
        #19 0x7fafa487af80 in style::properties::cascade::cascade::h733aa775b32b2a0c /servo/components/style/properties/cascade.rs:70:5
        #20 0x7fafa487af80 in style::stylist::Stylist::cascade_style_and_visited::h6d7b3829ece7794e /servo/components/style/stylist.rs:1102:9
        #21 0x7fafa4844197 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h8fece58bc8901b74 /servo/components/style/style_resolver.rs:346:22
        #22 0x7fafa4843c8f in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h6d84045776834534 /servo/components/style/style_resolver.rs:243:20
        #23 0x7fafa484400a in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::hbfa3faa8925c120c /servo/components/style/style_resolver.rs:203:9
        #24 0x7fafa484324d in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::hb864cf621260d70d /servo/components/style/style_resolver.rs:259:29
        #25 0x7fafa4883998 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h1893ad947bc9eb31 /servo/components/style/style_resolver.rs:294:13
        #26 0x7fafa4883998 in style::style_resolver::with_default_parent_styles::hea5845cf56a5492e /servo/components/style/style_resolver.rs:115:5
        #27 0x7fafa4883998 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::h334628565e561018 /servo/components/style/style_resolver.rs:293:9
        #28 0x7fafa4883998 in style::traversal::compute_style::h2c3c7969c7e17939 /servo/components/style/traversal.rs:610:25
        #29 0x7fafa47d272b in style::traversal::recalc_style_at::ha387f7df225373a3 /servo/components/style/traversal.rs:430:37
        #30 0x7fafa47d272b in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h079063a702757c52 /servo/components/style/gecko/traversal.rs:37:13
        #31 0x7fafa489e746 in style::parallel::top_down_dom::hf4b915d74d662fa4 /servo/components/style/parallel.rs:197:13
        #32 0x7fafa489e746 in style::parallel::traverse_nodes::_$u7b$$u7b$closure$u7d$$u7d$::h5bbd1a06fffa1f1f /servo/components/style/parallel.rs:282:17
        #33 0x7fafa489e746 in rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::ha4e836cb6beb4972 /third_party/rust/rayon-core/src/scope/mod.rs:585:47
        #34 0x7fafa489e746 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h421cdae508184dcd /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panic/unwind_safe.rs:271:9
        #35 0x7fafa489e746 in std::panicking::try::do_call::h642e17b7b1a43d91 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:492:40
        #36 0x7fafa489e746 in std::panicking::try::hc24320a046e3cc65 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:456:19
        #37 0x7fafa489e746 in std::panic::catch_unwind::hfed201d6e270ec8b /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panic.rs:137:14
        #38 0x7fafa489e746 in rayon_core::unwind::halt_unwinding::h25644b0ab10a0db2 /third_party/rust/rayon-core/src/unwind.rs:17:5
        #39 0x7fafa489e746 in rayon_core::scope::ScopeBase::execute_job_closure::h7d7a38909a6dcaa6 /third_party/rust/rayon-core/src/scope/mod.rs:650:15
        #40 0x7fafa489e746 in rayon_core::scope::ScopeBase::execute_job::h62ee817cdf2f64f2 /third_party/rust/rayon-core/src/scope/mod.rs:640:29
        #41 0x7fafa489e746 in rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::ha045db73b6369caa /third_party/rust/rayon-core/src/scope/mod.rs:585:17
        #42 0x7fafa489e746 in _$LT$rayon_core..job..HeapJob$LT$BODY$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h030f90dd02860ecf /third_party/rust/rayon-core/src/job.rs:167:9
        #43 0x7faf9a773a0b in rayon_core::job::JobRef::execute::hf734680ab7eb2184 /third_party/rust/rayon-core/src/job.rs:59:9
        #44 0x7faf9a773a0b in rayon_core::registry::WorkerThread::execute::hf2ca9be448632a1b /third_party/rust/rayon-core/src/registry.rs:752:9
        #45 0x7faf9a773a0b in rayon_core::registry::WorkerThread::wait_until_cold::h577519287ea0ed16 /third_party/rust/rayon-core/src/registry.rs:729:17
        #46 0x7fafa4f30fed in rayon_core::registry::WorkerThread::wait_until::h891eabab251cd95c /third_party/rust/rayon-core/src/registry.rs:703:13
        #47 0x7fafa4f30fed in rayon_core::registry::main_loop::h3d0545cf7050ad66 /third_party/rust/rayon-core/src/registry.rs:836:5
        #48 0x7fafa4f30fed in rayon_core::registry::ThreadBuilder::run::h499de208b7cc24d5 /third_party/rust/rayon-core/src/registry.rs:55:18
        #49 0x7fafa497bd07 in style::global_style_data::thread_spawn::_$u7b$$u7b$closure$u7d$$u7d$::hc7e7abbf594d775f /servo/components/style/global_style_data.rs:65:34
        #50 0x7fafa497bd07 in std::sys_common::backtrace::__rust_begin_short_backtrace::hed402327e913b05a /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys_common/backtrace.rs:122:18
        #51 0x7fafa49b0f24 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hfb8468403f2120de /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/thread/mod.rs:501:17
        #52 0x7fafa49b0f24 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha0499efb498bc73c /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panic/unwind_safe.rs:271:9
        #53 0x7fafa49b0f24 in std::panicking::try::do_call::h27e07096ae583ead /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:492:40
        #54 0x7fafa49b0f24 in std::panicking::try::hc0a5dac92b7bf427 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:456:19
        #55 0x7fafa49b0f24 in std::panic::catch_unwind::he82c60b240bc04a6 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panic.rs:137:14
        #56 0x7fafa49b0f24 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hf5cdd7a1dc82831f /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/thread/mod.rs:500:30
        #57 0x7fafa49b0f24 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hce20bb355a09e927 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/ops/function.rs:248:5
        #58 0x7fafa5034e42 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hcbca3baf872b7fe4 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/alloc/src/boxed.rs:1872:9
        #59 0x7fafa5034e42 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h18790338ce1743e2 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/alloc/src/boxed.rs:1872:9
        #60 0x7fafa5034e42 in std::sys::unix::thread::Thread::new::thread_start::hb1067183bad48893 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys/unix/thread.rs:108:17
        #61 0x7fafb17d2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #62 0x7fafb1399132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/style/FontFaceSetDocumentImpl.cpp:133:3 in mozilla::dom::FontFaceSetDocumentImpl::GetInnerWindowID()
    ==2806933==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220726214438-a948931a2595.
The bug appears to have been introduced in the following build range:

Start: 84e1b52befeae94e298c75f6021a2cbcbbcf6b3b (20220628132226)
End: 99bf4f6b114967fac4841f7e0b5438a7e88f7ef3 (20220628143927)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=84e1b52befeae94e298c75f6021a2cbcbbcf6b3b&tochange=99bf4f6b114967fac4841f7e0b5438a7e88f7ef3

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Flags: needinfo?(aosmond)
Regressed by: 1771493

Set release status flags based on info from the regressing bug 1771493

Only impacts debug asserts so it shouldn't require uplift to beta/release.

Assignee: nobody → aosmond
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(aosmond)
Priority: -- → P3

Set release status flags based on info from the regressing bug 1771493

Andrew, any update here?

Flags: needinfo?(aosmond)

I'm seeing an always reproducible tab crash in debug builds by loading https://oldbytes.space/@kenshirriff/110209305209920677

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20220726094428-1da938652f57) but not with tip (mozilla-central 20230609214634-501ade4b55d9).

The bug appears to have been fixed in the following build range:

Start: fc6056442a0fa16146259cb730d4e34a16656952 (20230526215433)
End: f688d9dff0067381cfc99c49ef1257428b713713 (20230526230602)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fc6056442a0fa16146259cb730d4e34a16656952&tochange=f688d9dff0067381cfc99c49ef1257428b713713

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

This has been detected by live site testing (m-c 20240805-b7131a95dd25).

A Pernosco session is available here: https://pernos.co/debug/lMpghRqr88G9yN1q4XpzPQ/index.html

:tsmith, was there supposed to be a pernosco link?
:aosmond re-adding the needinfo so you can take a look when you get a chance

Flags: needinfo?(aosmond) → needinfo?(twsmith)
Flags: needinfo?(aosmond)

Thanks, updated.

Flags: needinfo?(twsmith)
Flags: needinfo?(aosmond)