Closed
Bug 1871513
Opened 6 months ago
Closed 6 months ago
MOZ_CRASH(assertion `left == right` failed left: Display(517) right: Display(514)) at servo/components/style/style_adjuster.rs:632
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
123 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | wontfix |
| firefox122 | --- | wontfix |
| firefox123 | --- | verified |
People
(Reporter: tsmith, Assigned: emilio)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20231107-5d6699b34edc (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(assertion left == right failed
left: Display(517)
right: Display(514)) at servo/components/style/style_adjuster.rs:632
#0 0x7f087494cfe5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f087494cfe5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f087494cf7a in mozglue_static::panic_hook::h868ee14c15c07bc2 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7f087494c97b in core::ops::function::Fn::call::h671a47fe2405d294 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:79:5
#4 0x7f0875a09c90 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h87b887549356728a /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2021:9
#5 0x7f0875a09c90 in std::panicking::rust_panic_with_hook::hd2f0efd2fec86cb0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:735:13
#6 0x7f0875a09a10 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h3651b7fc4f61d784 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:609:13
#7 0x7f0875a06cc5 in std::sys_common::backtrace::__rust_end_short_backtrace::hbc468e4b98c7ae04 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:170:18
#8 0x7f0875a09761 in rust_begin_unwind /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:597:5
#9 0x7f0875a68834 in core::panicking::panic_fmt::h979245e2fdb2fabd /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panicking.rs:72:14
#10 0x7f0875a68d4a in core::panicking::assert_failed_inner::h717c029df0cb454b /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panicking.rs
#11 0x7f087538288e in core::panicking::assert_failed::hf4a55adaf1a015ba /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panicking.rs:270:5
#12 0x7f08754894dc in style::style_adjuster::StyleAdjuster::adjust_for_fieldset_content::h7965921f3f23a62e /builds/worker/checkouts/gecko/servo/components/style/style_adjuster.rs:632:9
#13 0x7f08751c8f22 in style::style_adjuster::StyleAdjuster::adjust::hbc8bb4ea21201102 /builds/worker/checkouts/gecko/servo/components/style/style_adjuster.rs:970:13
#14 0x7f0875182ef4 in style::properties::cascade::apply_declarations::hc51c3169801ad04b /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:360:9
#15 0x7f08751f4593 in style::properties::cascade::cascade_rules::h32902ad00c344732 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:195:5
#16 0x7f08751f4593 in style::properties::cascade::cascade::h219f5ceadc50d22f /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:79:5
#17 0x7f08751f4593 in style::stylist::Stylist::cascade_style_and_visited::h91628b9203d7eb4e /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1197:9
#18 0x7f08752dbdf0 in Servo_ReparentStyle /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:6054:5
#19 0x7f08701b60d0 in mozilla::ServoStyleSet::ReparentComputedStyle(mozilla::ComputedStyle*, mozilla::ComputedStyle*, mozilla::ComputedStyle*, mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:1482:10
#20 0x7f0870275fcb in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3817:46
#21 0x7f08702762d6 in mozilla::RestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3863:9
#22 0x7f0870276038 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3849:3
#23 0x7f08702ba495 in ReparentFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:350:22
#24 0x7f08702ba495 in ReparentFrames /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:360:5
#25 0x7f08702ba495 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9892:3
#26 0x7f08702b170f in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6733:5
#27 0x7f087026d995 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1630:27
#28 0x7f0870274924 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3255:9
#29 0x7f0870247605 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3340:3
#30 0x7f087024673c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4326:39
#31 0x7f086c5adf7f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#32 0x7f086c5adf7f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10899:16
#33 0x7f086b96661e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:740:14
#34 0x7f086b967af1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#35 0x7f087158a66f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13839:23
#36 0x7f086ab7ea6f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#37 0x7f086ab7ffb0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#38 0x7f086c5b336c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11688:18
#39 0x7f086c599336 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8157:3
#40 0x7f086c64d239 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#41 0x7f086c64d239 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#42 0x7f086c64d239 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#43 0x7f086c64d239 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#44 0x7f086c64d239 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#45 0x7f086c64d239 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#46 0x7f086c64d239 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#47 0x7f086a93a6a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:557:16
#48 0x7f086a9302b3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:884:26
#49 0x7f086a92eaa7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:707:15
#50 0x7f086a92ef25 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:493:36
#51 0x7f086a93e616 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#52 0x7f086a93e616 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#53 0x7f086a953942 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#54 0x7f086a95aa6d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#55 0x7f086b62b785 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#56 0x7f086b5452c1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#57 0x7f086b5452c1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#58 0x7f086fe44148 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#59 0x7f086ff01208 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#60 0x7f0871d3442b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#61 0x7f086b62c666 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#62 0x7f086b5452c1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#63 0x7f086b5452c1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#64 0x7f0871d33c92 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#65 0x559937c08fb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x559937c08fb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#67 0x7f087f029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#68 0x7f087f029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#69 0x559937bdece8 in _start (/home/user/workspace/browsers/m-c-20231220221923-fuzzing-debug/firefox-bin+0x58ce8) (BuildId: d8075fcffb8b144f37fd2099263e37b6bc504a3a)
Flags: in-testsuite?
|
||
Comment 1•6 months ago
|
||
Verified bug as reproducible on mozilla-central 20231221170215-8b474eeffbe0.
The bug appears to have been introduced in the following build range:
Start: 5f2146e877365f3c6d90fb153879a4808bb6e11d (20230707152714)
End: 43977d30a10af8e193044a9aa578f2bc8b33edf7 (20230707165144)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5f2146e877365f3c6d90fb153879a4808bb6e11d&tochange=43977d30a10af8e193044a9aa578f2bc8b33edf7
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•6 months ago
|
||
Set release status flags based on info from the regressing bug 1841128
:emilio, since you are the author of the regressor, bug 1841128, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox121:
--- → affected
status-firefox122:
--- → affected
status-firefox-esr115:
--- → unaffected
Flags: needinfo?(emilio)
|
Assignee | |
Updated•6 months ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 3•6 months ago
|
||
After the regressing bug, first-line reparenting starts off with the
to-be-reparented style, so the display value is already the expected
(grid) rather than block.
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3e05dc8db1ec Remove an assert that doesn't hold anymore with first-line reparenting. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43834 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Updated•6 months ago
|
Flags: in-testsuite? → in-testsuite+
|
||
Comment 6•6 months ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
|
|
||
Comment 7•6 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240102161658-4207f08a0248.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
You need to log in
before you can comment on or make changes to this bug.
Description
•