Open Bug 1861999 Opened 2 years ago Updated 1 year ago

Assertion failure: rv (Serialize ##type_## failed), at /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1138

Categories

(Core :: CSS Transitions and Animations, defect)

x86_64
Linux
defect

Tracking

Tracking Status
firefox-esr115 --- unaffected
firefox119 --- disabled
firefox120 --- disabled
firefox121 --- disabled

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 07ff1e2e4f65 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 07ff1e2e4f65 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: rv (Serialize ##type_## failed), at /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1138

    ==2890037==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7eb5ba8d3d bp 0x7fff300527b0 sp 0x7fff30052780 T2890037)
    ==2890037==The signal is caused by a WRITE memory access.
    ==2890037==Hint: address points to the zero page.
        #0 0x7f7eb5ba8d3d in IPC::ParamTraits<mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>>>::Write(IPC::MessageWriter*, mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1138:1
        #1 0x7f7eb5b59404 in WriteParam<const mozilla::layers::Animatable &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #2 0x7f7eb5b59404 in IPC::ParamTraits<mozilla::layers::Animation>::Write(IPC::MessageWriter*, mozilla::layers::Animation const&) /builds/worker/workspace/obj-build/ipc/ipdl/LayersMessages.cpp:2166:5
        #3 0x7f7eb5b5a891 in WriteParam<const mozilla::layers::Animation &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #4 0x7f7eb5b5a891 in WriteSequenceParam<const mozilla::layers::Animation &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:593:7
        #5 0x7f7eb5b5a891 in Write /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:164:5
        #6 0x7f7eb5b5a891 in WriteParam<const nsTArray<mozilla::layers::Animation> &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #7 0x7f7eb5b5a891 in IPC::ParamTraits<mozilla::layers::CompositorAnimations>::Write(IPC::MessageWriter*, mozilla::layers::CompositorAnimations const&) /builds/worker/workspace/obj-build/ipc/ipdl/LayersMessages.cpp:2412:5
        #8 0x7f7eb5af36ee in WriteParam<const mozilla::layers::WebRenderParentCommand &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #9 0x7f7eb5af36ee in WriteSequenceParam<const mozilla::layers::WebRenderParentCommand &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:593:7
        #10 0x7f7eb5af36ee in Write /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:164:5
        #11 0x7f7eb5af36ee in WriteParam<nsTArray<mozilla::layers::WebRenderParentCommand> &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #12 0x7f7eb5af36ee in void mozilla::ipc::WriteIPDLParam<nsTArray<mozilla::layers::WebRenderParentCommand>&>(IPC::MessageWriter*, mozilla::ipc::IProtocol*, nsTArray<mozilla::layers::WebRenderParentCommand>&) /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/IPDLParamTraits.h:52:3
        #13 0x7f7eb5af3445 in mozilla::ipc::IPDLParamTraits<mozilla::layers::DisplayListData>::Write(IPC::MessageWriter*, mozilla::ipc::IProtocol*, mozilla::layers::DisplayListData&&) /gfx/layers/wr/RenderRootTypes.cpp:18:3
        #14 0x7f7eb59305a2 in Write<mozilla::layers::DisplayListData> /ipc/chromium/src/chrome/common/ipc_message_utils.h:690:5
        #15 0x7f7eb59305a2 in WriteParam<mozilla::layers::DisplayListData> /ipc/chromium/src/chrome/common/ipc_message_utils.h:441:3
        #16 0x7f7eb59305a2 in mozilla::layers::PWebRenderBridgeChild::SendSetDisplayList(mozilla::layers::DisplayListData&&, mozilla::Span<mozilla::layers::OpDestroy const, 18446744073709551615ul>, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, mozilla::Span<mozilla::layers::CompositionPayload const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeChild.cpp:273:5
        #17 0x7f7eb5af75f1 in mozilla::layers::WebRenderBridgeChild::EndTransaction(mozilla::layers::DisplayListData&&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&) /gfx/layers/wr/WebRenderBridgeChild.cpp:127:20
        #18 0x7f7eb5b472a9 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /gfx/layers/wr/WebRenderLayerManager.cpp:466:28
        #19 0x7f7eba3029a8 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2308:18
        #20 0x7f7eb9f7096e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3425:9
        #21 0x7f7eb9ed86bf in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /layout/base/PresShell.cpp:6396:5
        #22 0x7f7eb9a71ac2 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:408:18
        #23 0x7f7eb9a7154e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:343:22
        #24 0x7f7eb9a72bad in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:916:5
        #25 0x7f7eb9e8e3b5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2789:11
        #26 0x7f7eb9e97141 in TickDriver /layout/base/nsRefreshDriver.cpp:362:13
        #27 0x7f7eb9e97141 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:340:7
        #28 0x7f7eb9e97040 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:356:5
        #29 0x7f7eb9e96edd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:923:5
        #30 0x7f7eb9e96229 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:837:5
        #31 0x7f7eb9e95599 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:581:14
        #32 0x7f7eb91db06b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
        #33 0x7f7eb94d2f1a in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
        #34 0x7f7eb52ed7a1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5537:32
        #35 0x7f7eb528116f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #36 0x7f7eb527dec2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #37 0x7f7eb527eb42 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #38 0x7f7eb527fc8f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #39 0x7f7eb45ad417 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
        #40 0x7f7eb45a4fe3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
        #41 0x7f7eb45a3827 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
        #42 0x7f7eb45a3c85 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
        #43 0x7f7eb45b1199 in operator() /xpcom/threads/TaskController.cpp:214:37
        #44 0x7f7eb45b1199 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #45 0x7f7eb45c7b32 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
        #46 0x7f7eb45cec1d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #47 0x7f7eb5287083 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #48 0x7f7eb51a10c1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #49 0x7f7eb51a10c1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #50 0x7f7eb9adc198 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #51 0x7f7ebbd161bb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #52 0x7f7eb5287fb6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #53 0x7f7eb51a10c1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #54 0x7f7eb51a10c1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #55 0x7f7ebbd15a22 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #56 0x561f7910d276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #57 0x561f7910d276 in main /browser/app/nsBrowserApp.cpp:375:18
        #58 0x7f7ec894cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #59 0x7f7ec894ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #60 0x561f790e2fa8 in _start (/home/jkratzer/builds/m-c-20231030095338-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: 5380e0f2759f4e23b646387619f9dd01d6dc3152)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1138:1 in IPC::ParamTraits<mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>>>::Write(IPC::MessageWriter*, mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>> const&)
    ==2890037==ABORTING
Attached file Testcase
Crash Signature: [@ mozilla::BufferList<T>::IterImpl::Advance ]
Keywords: crash
See Also: → 1595453

Bug 1598158 - Resolve URL to SVG shape elements. r=emilio

Also update offset-path-url-001.html because it seems its ref html is
incorrect per the spec. We are using its <coord-box> (i.e. the reference box
of its containing block) as the viewport and user coordinate system, so its
offset-starting-position should be independent from its current position
from CSS reflow. The SVG shape element always provides the offset starting
position.

So I tweak offset-path-url-001.html a little bit to make it pass for all
browsers, and add some other tests to cover the case mentioned above and
other cases.

Differential Revision: https://phabricator.services.mozilla.com/D184431

Component: Graphics: WebRender → CSS Transitions and Animations
Keywords: regression
Regressed by: 1598158

Set release status flags based on info from the regressing bug 1598158

:boris, since you are the author of the regressor, bug 1598158, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(boris.chiou)

Verified bug as reproducible on mozilla-central 20231030095338-07ff1e2e4f65.
The bug appears to have been introduced in the following build range:

Start: 0d1a783351f683e500d6e8f83d3dc430b2afdcbf (20230807213110)
End: 7053ad5afbc40a1a98d9e4e447c98e2fd6d70f04 (20230808014748)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1a783351f683e500d6e8f83d3dc430b2afdcbf&tochange=7053ad5afbc40a1a98d9e4e447c98e2fd6d70f04

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

url() is behind a pref and enabled on Nightly only, so setting S3.

Blocks: motion-1
Severity: -- → S3
Flags: needinfo?(boris.chiou)

(In reply to Mayank Bansal from comment #2)

Got a crash : https://crash-stats.mozilla.org/report/index/a4b0d8fa-66c0-41d0-9edd-e4ce30231030
This may be an IPC bug.

So this is interesting: if I follow the instructions from the bug report (with fuzzfetch/grizzly) then I get the assertion failure reported here. And if I load the page in a debug build (non-fuzzing, using ./mach run, from a file: URL), that also reproduces it. But if I use a release build, which doesn't have that MOZ_ASSERT, then I get the crash from bug 1595453 instead, and it seems to happen reliably. I'm looking into that, and I'll update bug 1595453.

While I'm here: in LayersMessageUtils, this assertion should be something like MOZ_ASSERT(rv, "Serialize " #type_ " failed") so that the actual type name is in the message.

(In reply to Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ from comment #7)

While I'm here: in LayersMessageUtils, this assertion should be something like MOZ_ASSERT(rv, "Serialize " #type_ " failed") so that the actual type name is in the message.

That's my bad. I wrote this assertion too quickly, so I didn't realize the macro doesn't replace the parameter inside the C string. Sorry about the incorrect error message.

Crash Signature: [@ mozilla::BufferList<T>::IterImpl::Advance ] → [@ mozilla::BufferList<T>::IterImpl::Advance ] [@ mozilla::ipc::FatalError | mozilla::ipc::IProtocol::HandleFatalError | IPC::ParamTraits<mozilla::layers::Animatable>::Read]
Crash Signature: [@ mozilla::BufferList<T>::IterImpl::Advance ] [@ mozilla::ipc::FatalError | mozilla::ipc::IProtocol::HandleFatalError | IPC::ParamTraits<mozilla::layers::Animatable>::Read] → [@ mozilla::BufferList<T>::IterImpl::Advance ] [@ mozilla::ipc::FatalError | mozilla::ipc::IProtocol::HandleFatalError | IPC::ParamTraits<mozilla::layers::Animatable>::Read] [@ IPC::MessageReader::FatalError | IPC::ParamTraits<mozilla::layers::Animatabl…
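The preprocessor point raised in comment 7 and confirmed above, shown as an added example that is not code from the Firefox tree: a macro parameter written as ##type_## inside a string literal is never replaced, because a string literal is a single preprocessing token, whereas the stringification operator (#) followed by literal concatenation produces the type name in the message. The macro and function names below (SERIALIZE_MSG_BROKEN, SERIALIZE_MSG_FIXED, CHECK_SERIALIZED, check_serialize) are hypothetical stand-ins, not the names used in LayersMessageUtils.h.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the original form of the assertion message: the ## token-pasting
   operator has no effect inside a string literal, so the text stays verbatim
   and the reader never learns which type failed to serialize. */
#define SERIALIZE_MSG_BROKEN(type_) "Serialize ##type_## failed"

/* Mirrors the fix suggested in comment 7: # stringifies the macro argument
   and the compiler concatenates the adjacent string literals. */
#define SERIALIZE_MSG_FIXED(type_) "Serialize " #type_ " failed"

/* Both messages for the same (hypothetical) type name, returned so they can
   be compared rather than only printed. */
const char* broken_message(void) {
    return SERIALIZE_MSG_BROKEN(OffsetPath);
}

const char* fixed_message(void) {
    return SERIALIZE_MSG_FIXED(OffsetPath);
}

/* A minimal MOZ_ASSERT-style check that records the message of the first
   failed serialization instead of aborting, so its text can be inspected.
   This is a hypothetical stand-in, not Mozilla's MOZ_ASSERT. */
static const char* g_last_failure = NULL;

#define CHECK_SERIALIZED(rv, type_)                          \
    do {                                                     \
        if (!(rv) && g_last_failure == NULL) {               \
            g_last_failure = SERIALIZE_MSG_FIXED(type_);     \
        }                                                    \
    } while (0)

/* Simulate serializing a value of type Animatable with result rv (1 = ok,
   0 = failed); returns the recorded failure message, or NULL on success. */
const char* check_serialize(int rv) {
    g_last_failure = NULL;
    CHECK_SERIALIZED(rv, Animatable);
    return g_last_failure;
}

int main(void) {
    printf("broken: %s\n", broken_message());
    printf("fixed:  %s\n", fixed_message());
    const char* m = check_serialize(0);
    printf("check:  %s\n", m ? m : "(no failure)");
    return 0;
}
```

The nested use in CHECK_SERIALIZED works because the argument is substituted into the body before SERIALIZE_MSG_FIXED is expanded, so # sees the actual type name rather than the parameter name; the same pattern is what makes an assertion message useful when triaging a crash signature like the ones attached to this bug.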
Duplicate of this bug: 1931885

Copying crash signatures from duplicate bugs.

Crash Signature: IPC::ParamTraits<mozilla::layers::Animatable>::Read | IPC::ParamTraits<mozilla::layers::Animation>::Read | IPC::ReadSequenceParamImpl | IPC::ReadSequenceParam | IPC::ParamTraits<nsTArray<T> >::Read | IPC::ParamTraits<mo... ] → IPC::ParamTraits<mozilla::layers::Animatable>::Read | IPC::ParamTraits<mozilla::layers::Animation>::Read | IPC::ReadSequenceParamImpl | IPC::ReadSequenceParam | IPC::ParamTraits<nsTArray<T> >::Read | IPC::ParamTraits<mo... ] [@ IPC::ParamTraits<mozilla::…