Assertion failure: !mPresShell, at /builds/worker/checkouts/gecko/dom/base/Document.cpp:11531
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | fixed |
| firefox123 | --- | fixed |
| firefox124 | --- | fixed |
People
(Reporter: tsmith, Assigned: smaug)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Found while fuzzing m-c 20231228-10aa74237898 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
I think this only affects fuzzing builds since it is using printPreview().
Assertion failure: !mPresShell, at /builds/worker/checkouts/gecko/dom/base/Document.cpp:11531
#0 0x7fca12b93895 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7fca12b93895 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fca12b9382a in mozglue_static::panic_hook::h868ee14c15c07bc2 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7fca12b9322b in core::ops::function::Fn::call::h671a47fe2405d294 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:79:5
#4 0x7fca13c517a0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h87b887549356728a /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2021:9
#5 0x7fca13c517a0 in std::panicking::rust_panic_with_hook::hd2f0efd2fec86cb0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:735:13
#6 0x7fca1357979e in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::hf9b065289bb480fa /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:639:9
#7 0x7fca135794c8 in std::sys_common::backtrace::__rust_end_short_backtrace::hf303d1bf85d2c336 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:170:18
#8 0x7fca1357976c in std::panicking::begin_panic::he146fb5d236cdd4d /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:638:12
#9 0x7fca13729e4f in style::values::animated::transform::Quaternion::from_direction_and_angle::habc74b1375528034 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:346:9
#10 0x7fca13729e4f in style::values::animated::transform::_$LT$impl$u20$style..values..animated..Animate$u20$for$u20$style..values..generics..transform..GenericRotate$LT$f32$C$style..values..computed..angle..Angle$GT$$GT$::animate::h29dabeca2850b1b5 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs
#11 0x7fca13980690 in _$LT$style..properties..generated..animated_properties..AnimationValue$u20$as$u20$style..values..animated..Animate$GT$::animate::h9d38a372a7896e6a /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-2443da69af4f1712/out/properties.rs:30046:33
#12 0x7fca134e7aa2 in geckoservo::glue::composite_endpoint::hf76fcb607f947e61 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:475:40
#13 0x7fca134e7ea6 in geckoservo::glue::compose_animation_segment::h95c84a1574cbc7d7 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:530:37
#14 0x7fca134e8399 in Servo_ComposeAnimationSegment /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:608:18
#15 0x7fca09e255b8 in SampleAnimationForProperty /builds/worker/checkouts/gecko/gfx/layers/AnimationHelper.cpp:290:9
#16 0x7fca09e255b8 in mozilla::layers::AnimationHelper::SampleAnimationForEachNode(mozilla::layers::APZSampler const*, mozilla::layers::LayersId const&, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::TimeStamp, mozilla::TimeStamp, mozilla::layers::AnimatedValue const*, nsTArray<mozilla::layers::PropertyAnimationGroup>&, nsTArray<RefPtr<mozilla::StyleAnimationValue>>&) /builds/worker/checkouts/gecko/gfx/layers/AnimationHelper.cpp:358:27
#17 0x7fca09e41ee1 in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp)::$_1::operator()(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) const /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:317:11
#18 0x7fca09e418cb in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:304:19)> /builds/worker/checkouts/gecko/gfx/layers/apz/src/APZCTreeManager.h:638:5
#19 0x7fca09e418cb in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:304:19)> /builds/worker/workspace/obj-build/dist/include/mozilla/layers/APZSampler.h:115:11
#20 0x7fca09e418cb in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp) /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:386:17
#21 0x7fca0a0b7514 in mozilla::layers::OMTASampler::SampleAnimations(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:128:17
#22 0x7fca0a0b6e7a in mozilla::layers::OMTASampler::Sample(mozilla::wr::TransactionWrapper&) /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:115:29
#23 0x7fca0a0b811b in Sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:68:14
#24 0x7fca0a0b811b in omta_sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:245:3
#25 0x7fca12384332 in _$LT$webrender_bindings..bindings..SamplerCallback$u20$as$u20$webrender..renderer..init..AsyncPropertySampler$GT$::sample::hcb6a4b1423ef5c11 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1060:13
#26 0x7fca1268c7a8 in webrender::render_backend::RenderBackend::update_document::h24c2157008fd269f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1369:39
#27 0x7fca126870ea in webrender::render_backend::RenderBackend::prepare_transactions::h8b39a16c6def3b83 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1283:28
#28 0x7fca126870ea in webrender::render_backend::RenderBackend::process_api_msg::h810d1f0560aaf634 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1136:17
#29 0x7fca12400c69 in webrender::render_backend::RenderBackend::run::h653e9d0fa70bedca /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:787:21
#30 0x7fca12400c69 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h31ef2402651dab99 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#31 0x7fca12400c69 in std::sys_common::backtrace::__rust_begin_short_backtrace::h7aa1b01a091a0450 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:154:18
#32 0x7fca1240f472 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3319b75450f611b2 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/thread/mod.rs:529:17
#33 0x7fca1240f472 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h848b09d6cb0802c0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panic/unwind_safe.rs:271:9
#34 0x7fca1240f472 in std::panicking::try::do_call::h11968f7bac65cd28 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
#35 0x7fca1240f472 in std::panicking::try::h858c8ab2cce62166 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
#36 0x7fca1240f472 in std::panic::catch_unwind::h48a7225ef9d2e60b /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
#37 0x7fca1240f472 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h76038f0839a15063 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/thread/mod.rs:528:30
#38 0x7fca1240f472 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hf32d8cfab27acc34 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:250:5
#39 0x7fca13c5c304 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hfa37c25e0ad051b0 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2007:9
#40 0x7fca13c5c304 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9486bed8ab2e65ad /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/alloc/src/boxed.rs:2007:9
#41 0x7fca13c5c304 in std::sys::unix::thread::Thread::new::thread_start::hd28b46dbf5673d17 /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys/unix/thread.rs:108:17
#42 0x7fca1d494ac2 in start_thread nptl/pthread_create.c:442:8
#43 0x7fca1d52665f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
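A triage sketch for the trace above, added here as an example and not part of the bug report or of any Mozilla tool: it parses the symbolized frames, including frames with no `in FUNCTION` part or with spaces and paths inside the function name, and derives a bucketing signature by skipping crash and panic plumbing. The ignore list and the signature depth are assumptions.

```python
import re

# Frames excerpted from the trace in this report (not the full stack).
TRACE = """\
#0 0x7fca12b93895 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#2 0x7fca12b9382a in mozglue_static::panic_hook::h868ee14c15c07bc2 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#8 0x7fca1357976c in std::panicking::begin_panic::he146fb5d236cdd4d /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:638:12
#9 0x7fca13729e4f in style::values::animated::transform::Quaternion::from_direction_and_angle::habc74b1375528034 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:346:9
#18 0x7fca09e418cb in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:304:19)> /builds/worker/checkouts/gecko/gfx/layers/apz/src/APZCTreeManager.h:638:5
#43 0x7fca1d52665f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
"""

# "#N 0xADDR [in FUNCTION] LOCATION"; FUNCTION may contain spaces and paths.
FRAME = re.compile(r"^#(\d+) 0x([0-9a-f]+) (?:in (.+) )?(\S+)$")
RUST_HASH = re.compile(r"::h[0-9a-f]{16}$")  # legacy Rust symbol hash suffix
# Assumed ignore list for crash/panic plumbing; tune per project.
PLUMBING = re.compile(r"^(MOZ_Crash|RustMozCrash|mozglue_static::panic_hook)$")

def split_location(loc):
    """Split 'path[:line[:col]]' into (path, line, col)."""
    parts, nums = loc.split(":"), []
    while len(parts) > 1 and parts[-1].isdigit() and len(nums) < 2:
        nums.insert(0, int(parts.pop()))
    return ":".join(parts), (nums + [None, None])[0], (nums + [None, None])[1]

def parse_trace(text):
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # not a frame line (e.g. the assertion message)
        path, lineno, col = split_location(m.group(4))
        func = RUST_HASH.sub("", m.group(3)) if m.group(3) else None
        frames.append({"n": int(m.group(1)), "func": func, "path": path, "line": lineno, "col": col})
    return frames

def signature(frames, depth=3):
    """First `depth` frames that are not plumbing or Rust std (/rustc/ paths)."""
    keep = [f for f in frames
            if f["func"] and not PLUMBING.match(f["func"]) and not f["path"].startswith("/rustc/")]
    return [f'{f["func"]} ({f["path"].rsplit("/", 1)[-1]}:{f["line"]})' for f in keep[:depth]]

if __name__ == "__main__":
    for entry in signature(parse_trace(TRACE)):
        print(entry)
```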
Comment 1•2 years ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 4•2 years ago
Verified bug as reproducible on mozilla-central 20231231213038-30b0d1ecdc26.
The bug appears to have been introduced in the following build range:
Start: 797281d7e3b5fdd5f6a033248fec7bd885227546 (20231207214148)
End: c34126c5e2a85c81e511c7c4017e7f2694ddce13 (20231207225627)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=797281d7e3b5fdd5f6a033248fec7bd885227546&tochange=c34126c5e2a85c81e511c7c4017e7f2694ddce13
Comment 5•2 years ago
This bug has been marked as a regression. Setting status flag for Nightly to affected.
Comment 6•2 years ago
Set release status flags based on info from the regressing bug 1868746
:smaug, since you are the author of the regressor, bug 1868746, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 7•2 years ago (Assignee)
Comment 8•2 years ago (Assignee)
The testcase is doing stuff which isn't possible for web pages and shouldn't be supported. Could we limit what the fuzzer tries to do with print(preview) documents?
Comment 9•2 years ago (Reporter)
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #8)
> Could we limit what the fuzzer tries to do with print(preview) documents?
jkratzer: Can you please make the required changes to domino when you have a chance? This has only been reported once so far.
Comment 10•2 years ago
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #8)
> The testcase is doing stuff which isn't possible for web pages and shouldn't be supported. Could we limit what the fuzzer tries to do with print(preview) documents?
What should we limit here? Should we prevent calls to printPreview() entirely? Unfortunately, it's not currently possible to limit what the fuzzer does with objects resulting from a call after the fact.
Comment 11•2 years ago (Assignee)
I think modifications to the window/document printPreview() returns could be disabled, if possible.
Comment 12•2 years ago
Unfortunately this isn't something we can easily do. I'll open an issue for it but it may be a while before I can implement it. We'll do our best to not file issues that target this specific area however.
Comment 13•2 years ago
:smaug based on Comment 8, will this be resolved as invalid?
Wondering if you plan on tracking anything here
Comment 14•2 years ago (Assignee)
Not sure. If this is currently somehow blocking some fuzzing work, we could perhaps land the patch, since that is rather trivial, but the patch just shouldn't be needed if fuzzers didn't test things which aren't exposed to the web.
Perhaps Jason has an opinion?
Comment 15•2 years ago
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #14)
> Not sure. If this is currently somehow blocking some fuzzing work, we could perhaps land the patch, since that is rather trivial, but the patch just shouldn't be needed if fuzzers didn't test things which aren't exposed to the web.
> Perhaps Jason has an opinion?
The volume for this crash is very low at the moment so it's certainly not a priority. Though, if it's trivial, it may be worth landing for now just until I can get around to adding the ability to exclude these types of tests from the fuzzer.
Comment 16•2 years ago
Set release status flags based on info from the regressing bug 1868746
Comment 17•2 years ago
Testcase crashes using the initial build (mozilla-central 20231228170344-10aa74237898) but not with tip (mozilla-central 20240126214724-19005661ad78.)
The bug appears to have been fixed in the following build range:
Start: e0ed03857de1a530d83fbe6ff4c74e38ac8a53a3 (20240125205834)
End: 2c81833f355660a43fe44b70082de0154f2bd82f (20240126004419)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0ed03857de1a530d83fbe6ff4c74e38ac8a53a3&tochange=2c81833f355660a43fe44b70082de0154f2bd82f
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.