Open Bug 1821222 Opened 2 years ago Updated 1 year ago

Hit MOZ_CRASH(Should be ordered (instead CascadePriority { cascade_level: AuthorImportant { ... at servo/components/style/rule_tree/core.rs:559

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking Status
firefox112 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230107-8e2b1cbec006 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Should be ordered (instead CascadePriority { cascade_level: AuthorImportant { shadow_cascade_order: ShadowCascadeOrder(0) }, layer_order: LayerOrder(0) } > CascadePriority { cascade_level: AuthorImportant { shadow_cascade_order: ShadowCascadeOrder(0) }, layer_order: LayerOrder(65534) }), from Some(StyleSource(First(ArcBorrow(StyleRule { selectors: SelectorList([Selector(*, specificity = 0x0, flags = (empty))]), block: [align-self: baseline, position: absolute, background-position-y: bottom, bottom 38%, tex) at servo/components/style/rule_tree/core.rs:559

#0 0x7f483cbca3e5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f483cbca3e5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f483cbca35f in mozglue_static::panic_hook::hef68bc1b778da820 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f483cbc9d8b in core::ops::function::Fn::call::h42a394326fa8f33d /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
#4 0x7f483db6fccc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha7dbb2d260f78172 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
#5 0x7f483db6fccc in std::panicking::rust_panic_with_hook::hdb4da1ae79c845a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
#6 0x7f483db6fa48 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h02b5b35b126d5cf2 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:579:13
#7 0x7f483db6ce2b in std::sys_common::backtrace::__rust_end_short_backtrace::h6c6853376cf416d1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
#8 0x7f483db6f751 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
#9 0x7f483dbcbb72 in core::panicking::panic_fmt::hfd9e949092070b66 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
#10 0x7f483d60ba93 in style::rule_tree::core::StrongRuleNode::ensure_child::h1093d15241195479 /builds/worker/checkouts/gecko/servo/components/style/rule_tree/core.rs:559:9
#11 0x7f483d610dcc in style::rule_tree::_$LT$impl$u20$style..rule_tree..core..RuleTree$GT$::update_rule_at_level::h09335bac994e4bf2 /builds/worker/checkouts/gecko/servo/components/style/rule_tree/mod.rs:264:31
#12 0x7f483d3ce7b0 in style::matching::PrivateMatchMethods::replace_single_rule_node::h519b03b808f44195 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:108:24
#13 0x7f483d3ce7b0 in style::matching::PrivateMatchMethods::replace_rules_internal::h1c98f040e51ae3dd /builds/worker/checkouts/gecko/servo/components/style/matching.rs:159:27
#14 0x7f483d3d070f in style::matching::MatchMethods::replace_rules::hd6640ecea9595b19 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:1069:19
#15 0x7f483d3d070f in style::traversal::compute_style::hb24e7f13926b82c5 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:627:39
#16 0x7f483d3ae8ac in style::traversal::recalc_style_at::h72ec4d838d96c505 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:429:37
#17 0x7f483d3ae8ac in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h48fa7e6efa3a3a3b /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#18 0x7f483d3ae8ac in style::driver::traverse_dom::ha4f1d8078f09ad25 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:112:9
#19 0x7f483d45d1ff in geckoservo::glue::traverse_subtree::h057e3a6a5aaa7b6a /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:288:5
#20 0x7f483d45d689 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:348:5
#21 0x7f4838543a15 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:829:9
#22 0x7f48385ffb76 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3116:20
#23 0x7f48385d8260 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3253:3
#24 0x7f48385d77c9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4335:39
#25 0x7f483859aea3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2623:22
#26 0x7f48385aabe2 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1780:25
#27 0x7f48385aabe2 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#28 0x7f4832ede9f5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#29 0x7f4832ed9b48 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#30 0x7f4832ed874a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
#31 0x7f4832ed8aa5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#32 0x7f4832ee23f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#33 0x7f4832ee23f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#34 0x7f4832ef85d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#35 0x7f4832efea8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#36 0x7f4833b51853 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#37 0x7f4833a73218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#38 0x7f4833a73121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#39 0x7f4833a73121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#40 0x7f4838221da8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#41 0x7f483a48753b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#42 0x7f4833b52719 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#43 0x7f4833a73218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#44 0x7f4833a73121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#45 0x7f4833a73121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#46 0x7f483a487098 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#47 0x55ae10533df0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#48 0x55ae10533df0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#49 0x7f48483afd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#50 0x7f48483afe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#51 0x55ae1050a458 in _start (/home/user/workspace/browsers/m-c-20230308094825-fuzzing-debug/firefox-bin+0x5b458) (BuildId: f7ea1ee45272be95005714a4364acde5f7231cca)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230308094825-64b0a4a734ea.
Unable to bisect testcase (Unable to launch the start build!):

Start: 446c2fcf0c0b317aeca92bd4ee2182543e722c31 (20220310172356)
End: 8e2b1cbec006b1666d8278bb02f313284ecd66e9 (20230107212716)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Is this the right thing to get a pernosco recording now? :)

Keywords: pernosco-wanted

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

The severity field is not set for this bug.
:jfkthame, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)
Severity: -- → S3
Flags: needinfo?(jfkthame) → needinfo?(emilio)
Priority: -- → P3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
