Closed Bug 1872309 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Only accept an unit direction vector to create a quaternion) at servo/components/style/values/animated/transform.rs:346

Categories

(Core :: DOM: Animation, defect)

Tracking

VERIFIED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- verified

People

(Reporter: tsmith, Assigned: boris)

References

(Blocks 1 open bug, Regressed 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20231214-31a1108bee27 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Only accept an unit direction vector to create a quaternion) at servo/components/style/values/animated/transform.rs:346

#0 0x7fca12b93895 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7fca12b93895 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fca12b9382a in mozglue_static::panic_hook::h868ee14c15c07bc2 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7fca12b9322b in core::ops::function::Fn::call::h671a47fe2405d294 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:79:5
#4 0x7fca13c517a0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h87b887549356728a /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2021:9
#5 0x7fca13c517a0 in std::panicking::rust_panic_with_hook::hd2f0efd2fec86cb0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:735:13
#6 0x7fca1357979e in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::hf9b065289bb480fa /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:639:9
#7 0x7fca135794c8 in std::sys_common::backtrace::__rust_end_short_backtrace::hf303d1bf85d2c336 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:170:18
#8 0x7fca1357976c in std::panicking::begin_panic::he146fb5d236cdd4d /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:638:12
#9 0x7fca13729e4f in style::values::animated::transform::Quaternion::from_direction_and_angle::habc74b1375528034 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:346:9
#10 0x7fca13729e4f in style::values::animated::transform::_$LT$impl$u20$style..values..animated..Animate$u20$for$u20$style..values..generics..transform..GenericRotate$LT$f32$C$style..values..computed..angle..Angle$GT$$GT$::animate::h29dabeca2850b1b5 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs
#11 0x7fca13980690 in _$LT$style..properties..generated..animated_properties..AnimationValue$u20$as$u20$style..values..animated..Animate$GT$::animate::h9d38a372a7896e6a /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-2443da69af4f1712/out/properties.rs:30046:33
#12 0x7fca134e7aa2 in geckoservo::glue::composite_endpoint::hf76fcb607f947e61 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:475:40
#13 0x7fca134e7ea6 in geckoservo::glue::compose_animation_segment::h95c84a1574cbc7d7 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:530:37
#14 0x7fca134e8399 in Servo_ComposeAnimationSegment /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:608:18
#15 0x7fca09e255b8 in SampleAnimationForProperty /builds/worker/checkouts/gecko/gfx/layers/AnimationHelper.cpp:290:9
#16 0x7fca09e255b8 in mozilla::layers::AnimationHelper::SampleAnimationForEachNode(mozilla::layers::APZSampler const*, mozilla::layers::LayersId const&, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::TimeStamp, mozilla::TimeStamp, mozilla::layers::AnimatedValue const*, nsTArray<mozilla::layers::PropertyAnimationGroup>&, nsTArray<RefPtr<mozilla::StyleAnimationValue>>&) /builds/worker/checkouts/gecko/gfx/layers/AnimationHelper.cpp:358:27
#17 0x7fca09e41ee1 in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp)::$_1::operator()(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) const /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:317:11
#18 0x7fca09e418cb in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:304:19)> /builds/worker/checkouts/gecko/gfx/layers/apz/src/APZCTreeManager.h:638:5
#19 0x7fca09e418cb in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:304:19)> /builds/worker/workspace/obj-build/dist/include/mozilla/layers/APZSampler.h:115:11
#20 0x7fca09e418cb in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp) /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:386:17
#21 0x7fca0a0b7514 in mozilla::layers::OMTASampler::SampleAnimations(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:128:17
#22 0x7fca0a0b6e7a in mozilla::layers::OMTASampler::Sample(mozilla::wr::TransactionWrapper&) /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:115:29
#23 0x7fca0a0b811b in Sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:68:14
#24 0x7fca0a0b811b in omta_sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:245:3
#25 0x7fca12384332 in _$LT$webrender_bindings..bindings..SamplerCallback$u20$as$u20$webrender..renderer..init..AsyncPropertySampler$GT$::sample::hcb6a4b1423ef5c11 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1060:13
#26 0x7fca1268c7a8 in webrender::render_backend::RenderBackend::update_document::h24c2157008fd269f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1369:39
#27 0x7fca126870ea in webrender::render_backend::RenderBackend::prepare_transactions::h8b39a16c6def3b83 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1283:28
#28 0x7fca126870ea in webrender::render_backend::RenderBackend::process_api_msg::h810d1f0560aaf634 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1136:17
#29 0x7fca12400c69 in webrender::render_backend::RenderBackend::run::h653e9d0fa70bedca /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:787:21
#30 0x7fca12400c69 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h31ef2402651dab99 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#31 0x7fca12400c69 in std::sys_common::backtrace::__rust_begin_short_backtrace::h7aa1b01a091a0450 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:154:18
#32 0x7fca1240f472 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3319b75450f611b2 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/thread/mod.rs:529:17
#33 0x7fca1240f472 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h848b09d6cb0802c0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panic/unwind_safe.rs:271:9
#34 0x7fca1240f472 in std::panicking::try::do_call::h11968f7bac65cd28 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
#35 0x7fca1240f472 in std::panicking::try::h858c8ab2cce62166 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
#36 0x7fca1240f472 in std::panic::catch_unwind::h48a7225ef9d2e60b /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
#37 0x7fca1240f472 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h76038f0839a15063 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/thread/mod.rs:528:30
#38 0x7fca1240f472 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hf32d8cfab27acc34 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:250:5
#39 0x7fca13c5c304 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hfa37c25e0ad051b0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2007:9
#40 0x7fca13c5c304 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9486bed8ab2e65ad /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2007:9
#41 0x7fca13c5c304 in std::sys::unix::thread::Thread::new::thread_start::hd28b46dbf5673d17 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys/unix/thread.rs:108:17
#42 0x7fca1d494ac2 in start_thread nptl/pthread_create.c:442:8
#43 0x7fca1d52665f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20231229042004-0bd8678e10b6.
The bug appears to have been introduced in the following build range:

Start: d495f0f008a3f8e3744708840003854f68717a05 (20230913083512)
End: 1a4b8c41b3c3efb7f5870fb99730fc6b08a44cc1 (20230913112603)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d495f0f008a3f8e3744708840003854f68717a05&tochange=1a4b8c41b3c3efb7f5870fb99730fc6b08a44cc1

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Firefox 122 | Regression Engineering Owner (REO)


Hi Emilio,

We are wondering if you may have an idea of which bug in the above pushlog may be the regressing bug.

I am NI'ing you as the reviewer of this patch, instead of Boris, since Boris' bugzilla profile says PTO until Jan. 15.

Flags: needinfo?(emilio)

Hmm, I'm not sure that regression range is correct. Before bug 1850968 some linux build configurations crashed on startup, which probably affects this. Jason how sure are we?

Flags: needinfo?(emilio) → needinfo?(jkratzer)

In any case, most likely from bug 1737209, but given the degenerate numbers in the test-case, and that this is only a debug assert, likely not critical for 122.

Regressed by: 1737209

Set release status flags based on info from the regressing bug 1737209

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

> Hmm, I'm not sure that regression range is correct. Before bug 1850968 some linux build configurations crashed on startup, which probably affects this. Jason how sure are we?

It looks like you were correct. I ran the bisection again locally and ended up with the following range which includes bug 1737209:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cacd1aee41f8fecb89855a91151319efe6107fe9&tochange=4a10a12f6006582e936c81baefda439d8f078729

Flags: needinfo?(jkratzer)

:boris, since you are the author of the regressor, bug 1737209, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(boris.chiou)
Assignee: nobody → boris.chiou
Flags: needinfo?(boris.chiou)

The severity field is not set for this bug.
:boris, could you have a look please?


Flags: needinfo?(boris.chiou)
Severity: -- → S3
Flags: needinfo?(boris.chiou)

So looks like we got a (NaN, NaN, NaN) direction vector. Probably we have to avoid calculating the length of this kind of vector.

Per spec, the Addition of two rotations is different from the
interpolation. We have to convert them into matrices and do matrix
multiplication (i.e. just like a combined transform list). And then
decompose this matrix to get the quaternion vector.
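
The approach in the patch description above (convert both rotations to matrices, multiply, decompose), as an added Rust sketch that is not the Servo patch. All names are hypothetical; treating a zero or NaN axis as "no rotation", the multiplication order, and decomposing to axis-angle rather than a quaternion are assumptions of this example.

```rust
// Added illustration; every name here is hypothetical, not Servo's API.
type V3 = [f64; 3];
type M3 = [[f64; 3]; 3];
const IDENTITY: M3 = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]];

/// Normalize `v`, or return None when its length is zero, NaN or infinite.
/// Dividing by such a length is what yields a (NaN, NaN, NaN) direction.
fn unit_axis(v: V3) -> Option<V3> {
    let len = (v[0] * v[0] + v[1] * v[1] + v[2] * v[2]).sqrt();
    if !len.is_finite() || len == 0.0 { return None; }
    Some([v[0] / len, v[1] / len, v[2] / len])
}

/// Axis-angle to rotation matrix (Rodrigues). Assumption of this example:
/// a degenerate axis means "no rotation" and maps to the identity.
fn to_matrix(axis: V3, angle: f64) -> M3 {
    let Some([x, y, z]) = unit_axis(axis) else { return IDENTITY };
    let (s, c) = angle.sin_cos();
    let t = 1.0 - c;
    [[t * x * x + c, t * x * y - s * z, t * x * z + s * y],
     [t * x * y + s * z, t * y * y + c, t * y * z - s * x],
     [t * x * z - s * y, t * y * z + s * x, t * z * z + c]]
}

fn mul(a: M3, b: M3) -> M3 {
    let mut m = IDENTITY;
    for i in 0..3 {
        for j in 0..3 {
            m[i][j] = (0..3).map(|k| a[i][k] * b[k][j]).sum::<f64>();
        }
    }
    m
}

/// Add two rotations by composing their matrices, then decompose the product.
/// The axis is None when the antisymmetric part is exactly zero (angle 0 or
/// pi); near pi a full decomposition would read the axis off the diagonal.
fn add_rotations(a: (V3, f64), b: (V3, f64)) -> (Option<V3>, f64) {
    let m = mul(to_matrix(a.0, a.1), to_matrix(b.0, b.1));
    let cos = ((m[0][0] + m[1][1] + m[2][2] - 1.0) / 2.0).clamp(-1.0, 1.0);
    let raw = [m[2][1] - m[1][2], m[0][2] - m[2][0], m[1][0] - m[0][1]];
    (unit_axis(raw), cos.acos())
}

fn main() {
    let q = std::f64::consts::FRAC_PI_2;
    println!("{:?}", add_rotations(([0.0, 0.0, 1.0], q), ([1.0, 0.0, 0.0], q)));
}
```

Two 90-degree rotations about z and x compose to 120 degrees about (1, 1, 1)/√3, which no component-wise sum or interpolation of the two axis-angle pairs produces.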

Attachment #9376552 - Attachment description: Bug 1872309 - Specialize Procedure::Add for rotate property (wip). → Bug 1872309 - Specialize Procedure::Add for ComputedRotate (i.e. rotate property).
Attachment #9376552 - Attachment description: Bug 1872309 - Specialize Procedure::Add for ComputedRotate (i.e. rotate property). → Bug 1872309 - Specialize Procedure::Add for rotate property.
Pushed by bchiou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d8f0233b7ab5 Specialize Procedure::Add for rotate property. r=zrhoffman
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

Verified bug as fixed on rev mozilla-central 20240130045011-49f49182fc50.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:boris, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.


Flags: needinfo?(boris.chiou)
Flags: needinfo?(boris.chiou)
Regressions: 1877581