1831410 - Assertion failure: *aDuration >= zeroDuration && aIterations >= 0.0 (Both animation duration and ieration count should be greater than zero), at /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:137

Status: VERIFIED FIXED

(Core :: CSS Transitions and Animations, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev f99ee8082b68 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build f99ee8082b68 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: *aDuration >= zeroDuration && aIterations >= 0.0 (Both animation duration and ieration count should be greater than zero), at /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:137

    ==35431==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4572eb6b25 bp 0x7ffe43e263e0 sp 0x7ffe43e263c0 T35431)
    ==35431==The signal is caused by a WRITE memory access.
    ==35431==Hint: address points to the zero page.
        #0 0x7f4572eb6b25 in CalcActiveDuration /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:135:5
        #1 0x7f4572eb6b25 in Update /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:239:23
        #2 0x7f4572eb6b25 in mozilla::TimingParams::TimingParams(float, float, float, mozilla::dom::PlaybackDirection, mozilla::dom::FillMode) /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:39:5
        #3 0x7f4572ece287 in TimingParamsFromCSSParams /layout/style/AnimationCommon.h:177:10
        #4 0x7f4572ece287 in nsTransitionManager::ConsiderInitiatingTransition(nsCSSPropertyID, nsStyleUIReset const&, unsigned int, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&, nsCSSPropertyIDSet&) /layout/style/nsTransitionManager.cpp:442:25
        #5 0x7f4572ecd5df in nsTransitionManager::DoUpdateTransitions(nsStyleUIReset const&, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /layout/style/nsTransitionManager.cpp:112:23
        #6 0x7f4572ecd237 in nsTransitionManager::UpdateTransitions(mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /layout/style/nsTransitionManager.cpp:69:10
        #7 0x7f4572e540d6 in Gecko_UpdateAnimations /layout/style/GeckoBindings.cpp:592:39
        #8 0x7f4577fbaa0b in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::h00b535354f0d5e6d /servo/components/style/gecko/wrapper.rs:1465:13
        #9 0x7f4577b96a15 in style::context::SequentialTask$LT$E$GT$::execute::h755ec9122bbd1f62 /servo/components/style/context.rs:491:17
        #10 0x7f4577b96a15 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h493ff4e0949569f5 /servo/components/style/context.rs:560:13
        #11 0x7f4577b96a15 in core::ptr::drop_in_place$LT$style..context..SequentialTaskList$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::h341c9bb9ab2b23da /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/ptr/mod.rs:490:1
        #12 0x7f4577b96a15 in core::ptr::drop_in_place$LT$style..context..ThreadLocalStyleContext$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::hba5cd269f5d8a5a1 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/ptr/mod.rs:490:1
        #13 0x7f4577bfb0f0 in style::driver::traverse_dom::ha40a018a007be423 /servo/components/style/driver.rs:191:1
        #14 0x7f4577ca566f in geckoservo::glue::traverse_subtree::h669f9ff5484c47e1 /servo/ports/geckolib/glue.rs:289:5
        #15 0x7f4577ca5af9 in Servo_TraverseSubtree /servo/ports/geckolib/glue.rs:349:5
        #16 0x7f4572e878fd in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /layout/style/ServoStyleSet.cpp:831:9
        #17 0x7f4572f44976 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3127:20
        #18 0x7f4572f1cd70 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3264:3
        #19 0x7f4572f1c2fd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4343:39
        #20 0x7f456f3c362e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
        #21 0x7f456f3c362e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10881:16
        #22 0x7f456e82478e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:742:14
        #23 0x7f456e825b87 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #24 0x7f4574620a4f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13847:23
        #25 0x7f456dabf6ef in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #26 0x7f456dac0c10 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #27 0x7f456f3c85dc in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11669:18
        #28 0x7f4572e69df6 in UnblockOnload /layout/style/Loader.cpp:2357:16
        #29 0x7f4572e69df6 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /layout/style/Loader.cpp:466:12
        #30 0x7f4572e69f6c in AfterProcessNextEvent /layout/style/Loader.cpp:425:3
        #31 0x7f4572e69f6c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /layout/style/Loader.cpp
        #32 0x7f456d8c8d65 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1264:3
        #33 0x7f456d8ceffd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #34 0x7f456e50eed5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #35 0x7f456e430a71 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #36 0x7f456e430a71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #37 0x7f4572b66a78 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #38 0x7f4574df52fb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #39 0x7f456e50fd86 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #40 0x7f456e430a71 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #41 0x7f456e430a71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #42 0x7f4574df4bc2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #43 0x5649daabb396 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #44 0x5649daabb396 in main /browser/app/nsBrowserApp.cpp:375:18
        #45 0x7f4581029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #46 0x7f4581029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #47 0x5649daa92618 in _start (/home/jkratzer/builds/m-c-20230503214103-fuzzing-debug/firefox-bin+0x58618) (BuildId: 876bd9249d8992236bee8a5eab784a3dde626fe9)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/TimingParams.h:135:5 in CalcActiveDuration
    ==35431==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230504215417-f4a38c1b661a.
The bug appears to have been introduced in the following build range:

Start: 8fb31906e84c42f2e2694e4ad599f326ebefd7a0 (20220818080047)
End: 1facaa986f25ac4bf2dad6fa7d9e15c5e36e11f1 (20220818095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8fb31906e84c42f2e2694e4ad599f326ebefd7a0&tochange=1facaa986f25ac4bf2dad6fa7d9e15c5e36e11f1

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:emilio, since you are the author of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1831410 - Deal with infinite transition durations / delays. r=#firefox-animation-reviewers

If duration or delay are infinite, and the value portion is zero, we
could end up with a nan duration (multiplying inf by 0).

Comment 5

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/718958b745cd
Deal with infinite transition durations / delays. r=boris

Comment 6

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/39885 for changes under testing/web-platform/tests

Comment 7

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/718958b745cd

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 9

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230508214159-faf51404785d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.