1877581 - Hit MOZ_CRASH(Invalid cosine value) at servo/components/style/values/animated/transform.rs:1512

Status: NEW

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240130-49f49182fc50 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Invalid cosine value) at servo/components/style/values/animated/transform.rs:1512

#0 0x7fb908a1a695 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7fb908a1a695 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fb908a19f81 in mozglue_static::panic_hook::hcde8c41b666cd4bd /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7fb908a19f81 in core::ops::function::Fn::call::hbc1a9607fd1e5256 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/ops/function.rs:79:5
#4 0x7fb909a40557 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h1f8f335eaa9cfaee /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/alloc/src/boxed.rs:2021:9
#5 0x7fb909a40557 in std::panicking::rust_panic_with_hook::h2b5517d590cab22e /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:783:13
#6 0x7fb9093d460e in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h4ad56a0b1787866a /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:687:9
#7 0x7fb9093d4338 in std::sys_common::backtrace::__rust_end_short_backtrace::h0a2d6056adc3c459 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/sys_common/backtrace.rs:170:18
#8 0x7fb9093d45dc in std::panicking::begin_panic::hc8343ec780e89c33 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:686:12
#9 0x7fb909567b4b in style::values::animated::transform::_$LT$impl$u20$style..values..animated..Animate$u20$for$u20$style..values..generics..transform..GenericRotate$LT$f32$C$style..values..computed..angle..Angle$GT$$GT$::animate::h4566fec75eb3c516 /builds/worker/checkouts/gecko/servo/components/style/values/animated/transform.rs:1512:17
#10 0x7fb9097745e9 in _$LT$style..properties..generated..animated_properties..AnimationValue$u20$as$u20$style..values..animated..Animate$GT$::animate::h8932d7a9a321e4bf /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-943818a2481c0da1/out/properties.rs:30121:33
#11 0x7fb909686251 in style::gecko::wrapper::GeckoElement::needs_transitions_update_per_property::h97350d5f1573f3e5 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:893:13
#12 0x7fb909686251 in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::needs_transitions_update::h7af3b7ae2490a0a0 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1564:16
#13 0x7fb90929c4bb in style::matching::PrivateMatchMethods::process_animations::hade52c61cf10d144 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:459:17
#14 0x7fb90929c4bb in style::matching::MatchMethods::finish_restyle::h3c37af5d82f97f29 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:907:9
#15 0x7fb90929c4bb in style::traversal::compute_style::hc38477f53c5b7010 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:688:5
#16 0x7fb909296fc1 in style::traversal::recalc_style_at::hedb2542e62c0d381 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:428:13
#17 0x7fb909296fc1 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h388d262593830907 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#18 0x7fb909296fc1 in style::parallel::style_trees::h56a02b96e3e69ffb /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:158:9
#19 0x7fb909270d33 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h222c6a2c3eff6453 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:126:9
#20 0x7fb909270379 in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::hce8d0df36615aca1 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:58:42
#21 0x7fb909270379 in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h75f4f8767b6da51e /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:36
#22 0x7fb909270379 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hedebf6e1b2ce6839 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panic/unwind_safe.rs:272:9
#23 0x7fb909270379 in std::panicking::try::do_call::h812631a9f64aef57 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:552:40
#24 0x7fb909270379 in std::panicking::try::h508ef3799af3d95c /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:516:19
#25 0x7fb909270379 in std::panic::catch_unwind::h3f52da7f9b529c28 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panic.rs:142:14
#26 0x7fb909270379 in rayon_core::unwind::halt_unwinding::h579be71dd5ee8928 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
#27 0x7fb909270379 in rayon_core::scope::ScopeBase::execute_job_closure::h3453c5cf4dcbd8b5 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:689:28
#28 0x7fb909270379 in rayon_core::scope::ScopeBase::complete::haf290e667b909d02 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:667:31
#29 0x7fb909270379 in rayon_core::scope::do_in_place_scope_fifo::h2e7dcd7ba238e8cd /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:5
#30 0x7fb909270379 in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::h8e3dc80d75939e40 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:296:9
#31 0x7fb909270379 in style::driver::with_pool_in_place_scope::h7cabc562ae925fc1 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:58:14
#32 0x7fb909270379 in style::driver::traverse_dom::h1881a395e17140a9 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:111:5
#33 0x7fb909338019 in geckoservo::glue::traverse_subtree::hcfcf52dcbfde4a41 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:302:5
#34 0x7fb9093384b8 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:362:5
#35 0x7fb90431a85b in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:814:9
#36 0x7fb9043dc677 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3215:20
#37 0x7fb9043af605 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3350:3
#38 0x7fb9043ae747 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4332:39
#39 0x7fb904372c39 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#40 0x7fb904372c39 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2502:20
#41 0x7fb90436f608 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2736:28
#42 0x7fb904378fa1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#43 0x7fb904378fa1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#44 0x7fb904378ea0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#45 0x7fb904378d3d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#46 0x7fb904377fdc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#47 0x7fb904377249 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#48 0x7fb9036951cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#49 0x7fb90398515d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#50 0x7fb8ff7c0c11 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5555:32
#51 0x7fb8ff75450f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#52 0x7fb8ff751262 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#53 0x7fb8ff751ee2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#54 0x7fb8ff75302f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#55 0x7fb8fea62957 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#56 0x7fb8fea580c6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#57 0x7fb8fea568a7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#58 0x7fb8fea56d25 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#59 0x7fb8fea66969 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#60 0x7fb8fea66969 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#61 0x7fb8fea7bc62 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#62 0x7fb8fea82dad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#63 0x7fb8ff75a423 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#64 0x7fb8ff674601 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#65 0x7fb8ff674601 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#66 0x7fb903fa99d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#67 0x7fb904066af8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#68 0x7fb905eb77cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#69 0x7fb8ff75b356 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#70 0x7fb8ff674601 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#71 0x7fb8ff674601 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#72 0x7fb905eb7032 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#73 0x556eafc8f3b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x556eafc8f3b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#75 0x7fb914629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#76 0x7fb914629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#77 0x556eafc650e8 in _start (/home/user/workspace/browsers/m-c-20240130045011-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 8b4260c49fa0e4a550e8ab337ee32580d78e08ad)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240130214506-1ac69623ae79.
The bug appears to have been introduced in the following build range:

Start: 8f145181f73b28746798c66110730052d9b37669 (20240129201738)
End: 57a27d8b6d2a7f1f5c1ec710e4a09422fb9c05e1 (20240129212115)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8f145181f73b28746798c66110730052d9b37669&tochange=57a27d8b6d2a7f1f5c1ec710e4a09422fb9c05e1

Comment 2

[Boris Chiou [:boris]]

Just a debug assertion and I added this for catching this undefined behavior. Shouldn't crash on release. So S3.

Comment 3

[Tyson Smith [:tsmith]]

This has been detected by live site testing.