Closed Bug 1856669 Opened 2 years ago Closed 2 years ago

Crash in [@ style::properties::generated::longhands::font_weight::cascade_property]

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
thunderbird_esr115 --- unaffected
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 + verified
firefox120 + verified

People

(Reporter: diannaS, Assigned: emilio)

References

(Regression)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file)

Bug 1856669 - Check for overflow when tracking prioritary declarations. r=dshin,dholbert,#style,#layout
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/33480320-e9f7-4bb5-9809-913600231002

MOZ_CRASH Reason: entered the wrong cascade_property() implementation

Top 10 frames of crashing thread:

0  XUL  MOZ_Crash  mfbt/Assertions.h:281
0  XUL  RustMozCrash  mozglue/static/rust/wrappers.cpp:18
1  XUL  mozglue_static::panic_hook  mozglue/static/rust/lib.rs:96
2  XUL  core::ops::function::Fn::call  library/core/src/ops/function.rs:79
3  XUL  <alloc::boxed::Box<F, A> as core::ops::function::Fn<Args>>::call  library/alloc/src/boxed.rs:2007
3  XUL  std::panicking::rust_panic_with_hook  library/std/src/panicking.rs:709
4  XUL  std::panicking::begin_panic::{{closure}}  library/std/src/panicking.rs:626
5  XUL  std::sys_common::backtrace::__rust_end_short_backtrace  library/std/src/sys_common/backtrace.rs:151
6  XUL  std::panicking::begin_panic  library/std/src/panicking.rs:625
7  XUL  style::properties::generated::longhands::font_weight::cascade_property  aarch64-apple-darwin/release/build/style-90da6b7010f3bdb1/out/longhands/font.rs:436

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on beta
  • Top 10 content process crashes on beta

For more information, please visit BugBot documentation.

Keywords: topcrash

The bug is marked as tracked for firefox119 (beta) and tracked for firefox120 (nightly). However, the bug still isn't assigned.

:fgriffith, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(fgriffith)

Looks like it's a cross-platform crash; we've got reports on Windows, macOS, and Android, at least.

Many of the crash reports are for URLs on https://jobs.smartrecruiters.com (from what looks like a handful of different users). So far, I'm not able to trigger the crash when I load and interact with the URLs in the crash reports, though.

Calling this S2 given that it's a recent spike (and a topcrash).

Given that this is in stylo code, tripping an (old) assertion from bug 1491622, I suspect emilio's a good initial assignee here. Emilio, could you see if you can make sense of this?

Assignee: nobody → emilio
Severity: -- → S2
Flags: needinfo?(fgriffith) → needinfo?(emilio)

Have fuzzers seen anything like this? I don't see how this can happen realistically. Timing matches bug 1853206, but lacking an index being wrong or something I don't see how this can happen.

Flags: needinfo?(jkratzer)
See Also: → 1856670
Depends on: 1857048

I'm adding some more diagnostic info here but short of memory issues I don't know what might be going on.

Flags: needinfo?(emilio)

I think I just reproduced the bug on MacOS
USing one of the links : https://jobs.smartrecruiters.com/oneclick-ui/company/AdtalemGlobalEducation/publication/399d6ab9-bba9-4e89-abcd-eb52a14a4fd4?dcr_ci=AdtalemGlobalEducation

Went to the link above
In the Education Section Clicked +Add
In the School location , I typed three letters and I waited for a list then i Clicked "Cannot find you city?" at the bottom
This will make a School location drop down appear
Click on the drop down to select the country
CRASH! https://crash-stats.mozilla.org/report/index/4bea8976-05ab-463c-9081-4ebbe0231004

Flags: needinfo?(emilio)

I was able to reproduce (in Linux Nightly) with those same STR. Nice sleuthing, Dianna!

(In reply to Emilio Cobos Álvarez (:emilio) from comment #5)

Timing matches bug 1853206

I confirmed that that's the regressor, using mozregression for the autoland builds of that commit vs. its parent.
Reproduces: mozregression --repo autoland --launch 68b06857f48d8ebfcb58df8817595e0b1c505ea2
Doesn't repro: mozregression --repo autoland --launch efbef24015df2d09f399aa394b0ed7c0de2106a3

In a debug build, I crash slightly sooner -- when I focus the "School Location" field in DiannaS's STR.

In a clean debug build, I get:
Hit MOZ_CRASH(entered the wrong cascade_property() implementation) at $OBJ/x86_64-unknown-linux-gnu/debug/build/style-c9e09bfb937ca648/out/longhands/font.rs:436

In a build with the added diagnostic from bug 1857048, there's a little more info:
Hit MOZ_CRASH(Entered the wrong cascade_property implementation: border-top-color: rgb(171, 171, 171)) at $OBJ/x86_64-unknown-linux-gnu/debug/build/style-c9e09bfb937ca648/out/properties.rs:4769

I see what's going on.

Flags: needinfo?(emilio)

Just give up applying them.

It's better than crashing and if you're over 65k declarations applying
to the same element I think we're on our right to ignore you :)

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ae8f0ec8638b Check for overflow when tracking prioritary declarations. r=dholbert
Duplicate of this bug: 1856670

Comment on attachment 9356716 [details]
Bug 1856669 - Check for overflow when tracking prioritary declarations. r=dshin,dholbert,#style,#layout

Beta/Release Uplift Approval Request

  • User impact if declined: comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 7
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial fix.
  • String changes made/needed: none
  • Is Android affected?: Yes
Attachment #9356716 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42348 for changes under testing/web-platform/tests

Copying crash signatures from duplicate bugs.

Crash Signature: [@ style::properties::generated::longhands::font_weight::cascade_property] → [@ style::properties::generated::longhands::font_weight::cascade_property] [@ style::properties::generated::longhands::font_stretch::cascade_property]

https://hg.mozilla.org/mozilla-central/rev/ae8f0ec8638b

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox120: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
Crash Signature: [@ style::properties::generated::longhands::font_weight::cascade_property] [@ style::properties::generated::longhands::font_stretch::cascade_property] → [@ style::properties::generated::longhands::font_weight::cascade_property] [@ style::properties::generated::longhands::font_stretch::cascade_property]
QA Whiteboard: [qa-triaged]

Comment on attachment 9356716 [details]
Bug 1856669 - Check for overflow when tracking prioritary declarations. r=dshin,dholbert,#style,#layout

Approved for 119.0b6

Attachment #9356716 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
status-firefox119: affectedfixed
Flags: in-testsuite+
Upstream PR merged by moz-wptsync-bot

I’ve reproduced the crash signature with Fx 120.0a1 (2023-10-04) on macOS 13.
Verified fixed with treeherder builds Fx 120.0a1 (2023-10-05) and Fx 119.0b6 on macOS 13, Ubuntu 22 and Windows 10.

Status: RESOLVED → VERIFIED
status-firefox119: fixedverified
status-firefox120: fixedverified
Flags: qe-verify+
Flags: needinfo?(jkratzer)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: