Closed Bug 1871194 Opened 1 year ago Closed 1 year ago

SIGILL [@ mozilla::dom::KeyframeEffect::ShouldBlockAsyncTransformAnimations]

Categories

(Core :: DOM: Animation, defect)

RESOLVED FIXED
123 Branch
Release         Tracking  Status
firefox-esr115  ---       unaffected
firefox121      ---       unaffected
firefox122      ---       unaffected
firefox123      blocking  fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords)

Attachments

(1 file)

Found with m-c 20231220-7b04f85fcd04 (--enable-address-sanitizer)

This was found by visiting a live website with an ASan build.

This has been triggered by visiting a few different sites so far:

==71067==ERROR: AddressSanitizer: ILL on unknown address 0x7f7ebeab6648 (pc 0x7f7ebeab6648 bp 0x7ffee3222b50 sp 0x7ffee3222a20 T0)
    #0 0x7f7ebeab6648 in HasProperty /builds/worker/checkouts/gecko/layout/style/nsCSSPropertyIDSet.h:65:13
    #1 0x7f7ebeab6648 in mozilla::dom::KeyframeEffect::ShouldBlockAsyncTransformAnimations(nsIFrame const*, nsCSSPropertyIDSet const&, mozilla::AnimationPerformanceWarning::Type&) const /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:1731:14
    #2 0x7f7ebeab5679 in mozilla::dom::Animation::ShouldBeSynchronizedWithMainThread(nsCSSPropertyIDSet const&, nsIFrame const*, mozilla::AnimationPerformanceWarning::Type&) const /builds/worker/checkouts/gecko/dom/animation/Animation.cpp:1088:26
    #3 0x7f7ebeadc114 in mozilla::dom::KeyframeEffect::IsMatchForCompositor(nsCSSPropertyIDSet const&, nsIFrame const*, mozilla::EffectSet const&, mozilla::AnimationPerformanceWarning::Type&) const /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:1995:19
    #4 0x7f7ebeadb051 in mozilla::FindAnimationsForCompositor(nsIFrame const*, nsCSSPropertyIDSet const&, nsTArray<RefPtr<mozilla::dom::Animation>>*) /builds/worker/checkouts/gecko/dom/animation/EffectCompositor.cpp:155:17
    #5 0x7f7ec7909cd9 in mozilla::nsDisplayTransform::ShouldPrerenderTransformedContent(mozilla::nsDisplayListBuilder*, nsIFrame*, nsRect*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6343:8
    #6 0x7f7ec72e8186 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3204:21
    #7 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #8 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #9 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #10 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #11 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #12 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #13 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #14 0x7f7ec72ca3ee in nsGridContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9531:5
    #15 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #16 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #17 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #18 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #19 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #20 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #21 0x7f7ec72ca3ee in nsGridContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:9531:5
    #22 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #23 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #24 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #25 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #26 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #27 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #28 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #29 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #30 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #31 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #32 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #33 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #34 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #35 0x7f7ec717e313 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4303:12
    #36 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #37 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #38 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #39 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #40 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #41 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #42 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #43 0x7f7ec717e313 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4303:12
    #44 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #45 0x7f7ec717e313 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4303:12
    #46 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #47 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #48 0x7f7ec7235f70 in nsHTMLScrollFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4188:7
    #49 0x7f7ec717e313 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4303:12
    #50 0x7f7ec71799d3 in nsFlexContainerFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:2940:5
    #51 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #52 0x7f7ec7235f70 in nsHTMLScrollFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4188:7
    #53 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #54 0x7f7ec717dd56 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4254:12
    #55 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #56 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #57 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #58 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #59 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #60 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #61 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #62 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #63 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #64 0x7f7ec7122148 in DisplayLine(mozilla::nsDisplayListBuilder*, nsLineList_iterator&, bool, mozilla::nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7335:13
    #65 0x7f7ec711efd2 in nsBlockFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7492:9
    #66 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #67 0x7f7ec712fa93 in nsCanvasFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:589:5
    #68 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #69 0x7f7ec7235f70 in nsHTMLScrollFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:4188:7
    #70 0x7f7ec717e7b4 in nsIFrame::BuildDisplayListForChild(mozilla::nsDisplayListBuilder*, nsIFrame*, mozilla::nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4288:14
    #71 0x7f7ec70c31c9 in mozilla::ViewportFrame::BuildDisplayList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayListSet const&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:66:3
    #72 0x7f7ec72eaf1a in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3442:5
    #73 0x7f7ec6fceb4b in nsLayoutUtils::GetFramesForArea(mozilla::RelativeTo, nsRect const&, nsTArray<nsIFrame*>&, nsLayoutUtils::FrameForPointOptions const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2729:10
    #74 0x7f7eca64ecd7 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3288:7
    #75 0x7f7eca64c1a2 in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1505:9
    #76 0x7f7eca5a7201 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:980:16
    #77 0x7f7ec6df0487 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2447:10
    #78 0x7f7ec6de730e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2738:28
    #79 0x7f7ec6dfe1c6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
    #80 0x7f7ec6dfe1c6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
    #81 0x7f7ec6dfde9e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
    #82 0x7f7ec6dfdaf1 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
    #83 0x7f7ec6dfc9a4 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
    #84 0x7f7ec6dfb4d0 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:758:5
    #85 0x7f7ec6dfaab2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #86 0x7f7ec6dfa665 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
    #87 0x7f7ec5156abb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #88 0x7f7ec5768ead in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:227:78
    #89 0x7f7ec551e75f in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8263:32
    #90 0x7f7ebcdef7e5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
    #91 0x7f7ebcdeb1eb in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
    #92 0x7f7ebcdec599 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #93 0x7f7ebcdedb13 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #94 0x7f7ebb13866a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:557:16
    #95 0x7f7ebb11f79e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:884:26
    #96 0x7f7ebb11c388 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:707:15
    #97 0x7f7ebb11ca89 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:493:36
    #98 0x7f7ebb140701 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
    #99 0x7f7ebb140701 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #100 0x7f7ebb168564 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #101 0x7f7ebb1761ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #102 0x7f7ebcdf8dee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #103 0x7f7ebcc211ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #104 0x7f7ebcc211ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #105 0x7f7ebcc211ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #106 0x7f7ec65022d9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #107 0x7f7ec6707372 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
    #108 0x7f7ecb594cde in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
    #109 0x7f7ebcc211ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #110 0x7f7ebcc211ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #111 0x7f7ebcc211ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #112 0x7f7ecb594283 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
    #113 0x556d30a80c7c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #114 0x556d30a80c7c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #115 0x7f7ee3829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #116 0x7f7ee3829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #117 0x556d309a4f88 in _start (/home/user/workspace/browsers/m-c-20231220221923-fuzzing-asan-opt/firefox+0xdbf88) (BuildId: 13fe5f70b3225f568b36a3d32a5fc816f1ed7f04)

Make it less error-prone by adding a HasProperty(AnimatedPropertyId&)
overload.

Also make the range checks a diagnostic assert rather than a non-fatal
NS_ASSERTION.
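
The two changes named in the commit message above, sketched on a small stand-in set. This is an added example, not Gecko's code or the landed patch. Every name in it is hypothetical, as are the sentinel ID and the guard word, and it assumes the overload answers "not present" for an ID that has no table index.

```cpp
// Added illustration, not Gecko code: every name below is hypothetical.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// IDs below COUNT are valid bit indexes. Custom is a legal enum value that
// must never be used as an index (assumed model of an ID with no table slot).
enum class PropId : uint32_t { Opacity, Transform, Translate, COUNT, Custom = 64 };
constexpr size_t kCount = static_cast<size_t>(PropId::COUNT);

// Richer ID type: a table property, or a custom property known only by name.
struct AnimatedId {
  PropId id;
  const char* customName;  // used only when id == PropId::Custom
  bool IsCustom() const { return id == PropId::Custom; }
};

class PropIdSet {
 public:
  void Add(PropId p) { HardCheck(p); mWords[Word(p)] |= Bit(p); }
  // "Before": the range check only reports, then the index is used anyway.
  bool HasPropertySoft(PropId p) const {
    SoftCheck(p);
    return (mWords[Word(p)] & Bit(p)) != 0;
  }
  // "After": an out-of-range raw ID stops the process at the check.
  bool HasProperty(PropId p) const {
    HardCheck(p);
    return (mWords[Word(p)] & Bit(p)) != 0;
  }
  // Overload for the richer type: callers no longer extract the raw ID, and a
  // custom property is treated as never present in a table-indexed set.
  bool HasProperty(const AnimatedId& a) const {
    return !a.IsCustom() && HasProperty(a.id);
  }
  // Demo hook: fill the guard word as if unrelated data followed the bits.
  void PolluteGuardForDemo() { mWords[kWords] = ~uint64_t{0}; }

 private:
  static constexpr size_t kWords = (kCount + 63) / 64;
  static size_t Word(PropId p) { return static_cast<size_t>(p) / 64; }
  static uint64_t Bit(PropId p) { return uint64_t{1} << (static_cast<size_t>(p) % 64); }
  static bool InRange(PropId p) { return static_cast<size_t>(p) < kCount; }
  static void SoftCheck(PropId p) {
    if (!InRange(p)) std::fprintf(stderr, "warning: property id out of range\n");
  }
  static void HardCheck(PropId p) { if (!InRange(p)) std::abort(); }
  // kWords real words plus one guard word, so the soft path in this demo reads
  // defined memory; without the guard that read would fall outside the set.
  std::array<uint64_t, kWords + 1> mWords{};
};

struct DemoResult {
  bool softSaysCustom, overloadSaysCustom, overloadSaysTransform;
};

// Constructed input: a set holding only Transform, queried for a custom property.
DemoResult RunDemo() {
  PropIdSet set;
  set.Add(PropId::Transform);
  set.PolluteGuardForDemo();
  AnimatedId custom{PropId::Custom, "--constructed-var"};
  AnimatedId transform{PropId::Transform, nullptr};
  return {set.HasPropertySoft(custom.id),  // answer comes from the guard word
          set.HasProperty(custom),         // no indexing attempted
          set.HasProperty(transform)};
}

int main() {
  DemoResult r = RunDemo();
  std::printf("soft(custom)=%d overload(custom)=%d overload(transform)=%d\n",
              r.softSaysCustom, r.overloadSaysCustom, r.overloadSaysTransform);
  return 0;
}
```

With the reporting-only check, membership of the custom ID depends on whatever follows the bit words; passing the same raw ID to `HasProperty(PropId)` aborts at the check instead of returning an answer.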

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Assignee: emilio → nobody
Status: ASSIGNED → NEW
Assignee: nobody → emilio
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eaf51dab450d Improve nsCSSPropertyIDSet interaction with AnimatedPropertyID. r=zrhoffman

So this is a Nightly-only regression, right? Thanks.

Flags: needinfo?(emilio)
Keywords: regression, sec-high

Yes

Flags: needinfo?(emilio)
Regressed by: 1846516
Group: dom-core-security → core-security-release
Severity: -- → S2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
Group: core-security-release
Duplicate of this bug: 1871145

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::ipc::FatalError | mozilla::dom::ContentChild::FatalErrorIfNotUsingGPUProcess | IPC::ParamTraits<mozilla::layers::AnimationSegment>::Write]
Regressions: 1881412