Open Bug 1788234 Opened 2 years ago Updated 11 months ago

Assertion failure: isRelevant == ((IsCurrent() || IsInEffect()) && mAnimation && mAnimation->ReplaceState() != AnimationReplaceState::Removed) (Out of date Animation::IsRelevant value), at /dom/animation/KeyframeEffect.cpp:95

Categories

(Core :: DOM: Animation, defect)

Product:
Core
Component:
DOM: Animation
Platform:
x86_64
Linux
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase
687 bytes, text/plain
Details

Testcase found while fuzzing mozilla-central rev 4c76664026b5 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 4c76664026b5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: isRelevant == ((IsCurrent() || IsInEffect()) && mAnimation && mAnimation->ReplaceState() != AnimationReplaceState::Removed) (Out of date Animation::IsRelevant value), at /dom/animation/KeyframeEffect.cpp:95

    ==33610==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f13354d5fc9 bp 0x7ffd2afa8cc0 sp 0x7ffd2afa8c30 T33610)
    ==33610==The signal is caused by a WRITE memory access.
    ==33610==Hint: address points to the zero page.
        #0 0x7f13354d5fc9 in mozilla::dom::KeyframeEffect::UpdateTargetRegistration() /dom/animation/KeyframeEffect.cpp:948:3
        #1 0x7f13354db646 in mozilla::dom::KeyframeEffect::UpdateTarget(mozilla::dom::Element*, mozilla::PseudoStyleType) /dom/animation/KeyframeEffect.cpp:916:5
        #2 0x7f1335d98b58 in SetTarget /builds/worker/workspace/obj-build/dist/include/mozilla/dom/KeyframeEffect.h:167:5
        #3 0x7f1335d98b58 in mozilla::dom::KeyframeEffect_Binding::set_target(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/KeyframeEffectBinding.cpp:717:24
        #4 0x7f1336e4897a in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3235:8
        #5 0x7f133c3c6e2c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:458:13
        #6 0x7f133c3c6751 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:546:12
        #7 0x7f133c3c7b8c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
        #8 0x7f133c3c8e7a in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/vm/Interpreter.cpp:789:10
        #9 0x7f133b1b3e44 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2501:8
        #10 0x7f133b1b2f55 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2535:14
        #11 0x7f133c3cde76 in SetProperty /js/src/vm/ObjectOperations-inl.h:306:10
        #12 0x7f133c3cde76 in SetObjectElementOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) /js/src/vm/Interpreter.cpp:1860:10
        #13 0x7f133c3bb3b8 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3120:12
        #14 0x7f133c3b4c5d in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:430:13
        #15 0x7f133c3c664d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:578:13
        #16 0x7f133c3c7b8c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
        #17 0x7f133b04a8dc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #18 0x7f1336bfb950 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
        #19 0x7f13358f7512 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #20 0x7f13358f72b4 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:167:29
        #21 0x7f13355c2732 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6471:38
        #22 0x7f13359095aa in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:903:44
        #23 0x7f13358f4e10 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #24 0x7f13358f53b9 in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #25 0x7f13358f53b9 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #26 0x7f1333db6c0c in operator() /xpcom/threads/nsTimerImpl.cpp:657:44
        #27 0x7f1333db6c0c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #28 0x7f1333db6c0c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #29 0x7f1333db6c0c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #30 0x7f1333db6c0c in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #31 0x7f1333db6c0c in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:655:22
        #32 0x7f1333d8608e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:365:11
        #33 0x7f1333da76ad in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #34 0x7f1333da1de1 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #35 0x7f1333da4f1e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #36 0x7f1333d7d5c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #37 0x7f1333d7c153 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #38 0x7f1333d7c3c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #39 0x7f1333da87e9 in operator() /xpcom/threads/TaskController.cpp:190:37
        #40 0x7f1333da87e9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #41 0x7f1333d9208f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #42 0x7f1333d9869d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #43 0x7f1334973174 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #44 0x7f13348988a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #45 0x7f13348987b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #46 0x7f13348987b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #47 0x7f1338c46fd8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #48 0x7f133ad8553b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #49 0x7f13349740ba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #50 0x7f13348988a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #51 0x7f13348987b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #52 0x7f13348987b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #53 0x7f133ad84a53 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #54 0x556982638429 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #55 0x556982638429 in main /browser/app/nsBrowserApp.cpp:362:18
        #56 0x7f134a70cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #57 0x7f134a70ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #58 0x55698260e1cc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x161cc) (BuildId: 0a6eeadf11fd7f5f47958e33f9d922c20460129c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/animation/KeyframeEffect.cpp:948:3 in mozilla::dom::KeyframeEffect::UpdateTargetRegistration()
    ==33610==ABORTING
Attached file Testcase 

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20220907093209-663615ef7a19.

The bug appears to have been introduced in the following build range:




Start: f609957386ac0f3dc0f921eb731acd5290a0c020 (20220707214915)

End: 3561c62b435cd2dd223423a7d2e58ddf55d63f87 (20220707210957)

Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f609957386ac0f3dc0f921eb731acd5290a0c020&tochange=3561c62b435cd2dd223423a7d2e58ddf55d63f87




Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

    
    

    
  
The severity field is not set for this bug.

:boris, could you have a look please?


For more information, please visit auto_nag documentation.


Flags: needinfo?(boris.chiou)

    
    

    
  
This is on my radar. However, set S3 now.


Severity: -- → S3
Flags: needinfo?(boris.chiou)

    
    

    
  
Bugmon was unable reproduce this issue.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Keywords: bugmon

    
  
Keywords: bugmon

    
    

    
  
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.



          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: