Closed Bug 1878579 Opened 5 months ago Closed 4 months ago

[css-nesting] Should handle better contextually-invalid selectors (was: Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.pulsar-preflight, .pulsar-preflight *)) ...)

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco)

Attachments

(2 files)

Reduced test-case.
123 bytes, text/html
Details
Bug 1878579 - Don't assert stateless pseudo-element selector shape. r=dshin,#style
48 bytes, text/x-phabricator-request
Details | Review

Found with m-c 20240126-19005661ad78 (--enable-debug --enable-fuzzing)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://thefreedictionary.com/.

Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.pulsar-preflight, .pulsar-preflight *)) at /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:2037

#0 0xee8f9320 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0xee8f9320 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0xee8f8c2b in mozglue_static::panic_hook::hf8a2caaebd8a2a59 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0xee8f8c2b in core::ops::function::Fn::call::h0855086e4e935c06 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/ops/function.rs:79:5
#4 0xef94d04a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h973df9cab3475558 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/alloc/src/boxed.rs:2021:9
#5 0xef94d04a in std::panicking::rust_panic_with_hook::h7782de95eaf097ae /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:783:13
#6 0xef94cdb3 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h8890a8847b78f528 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:657:13
#7 0xef94a334 in std::sys_common::backtrace::__rust_end_short_backtrace::hece1cb40fe5499c5 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/sys_common/backtrace.rs:170:18
#8 0xef94caaf in rust_begin_unwind /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:645:5
#9 0xef999c36 in core::panicking::panic_fmt::h1bd3715f594baad9 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panicking.rs:72:14
#10 0xef214748 in selectors::parser::Component$LT$Impl$GT$::matches_for_stateless_pseudo_element::h9afc5b0c34615c44 /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:2037:9
#11 0xef215783 in selectors::parser::SelectorIter$LT$Impl$GT$::matches_for_stateless_pseudo_element_internal::h8f339ff27d175353 /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:1334:13
#12 0xef1581ac in selectors::parser::SelectorIter$LT$Impl$GT$::matches_for_stateless_pseudo_element::h012c1bad89f1f20c /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:1329:9
#13 0xef1581ac in selectors::matching::matches_complex_selector::hf9626976168233d1 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:371:18
#14 0xef1581ac in selectors::matching::matches_selector::h8698333a8964b9b6 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:238:5
#15 0xef1581ac in style::selector_map::SelectorMap$LT$style..stylist..Rule$GT$::get_matching_rules::h4f03d2ac1dc6588f /builds/worker/checkouts/gecko/servo/components/style/selector_map.rs:334:17
#16 0xef15960b in style::selector_map::SelectorMap$LT$style..stylist..Rule$GT$::get_all_matching_rules::h756c3f0357e72df7 /builds/worker/checkouts/gecko/servo/components/style/selector_map.rs:310:9
#17 0xef15eba4 in style::rule_collector::RuleCollector$LT$E$GT$::collect_rules_in_map::he1b7cc0e03880dc1 /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:240:9
#18 0xef15eba4 in style::rule_collector::RuleCollector$LT$E$GT$::collect_stylist_rules::_$u7b$$u7b$closure$u7d$$u7d$::hcf63e4cc0ed9fc13 /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:173:23
#19 0xef15eba4 in style::rule_collector::RuleCollector$LT$E$GT$::in_tree::hffaf33d95daa12c7 /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:144:9
#20 0xef15eba4 in style::rule_collector::RuleCollector$LT$E$GT$::collect_stylist_rules::h1dd79b0389d3333f /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:172:9
#21 0xef15cee2 in style::rule_collector::RuleCollector$LT$E$GT$::collect_document_author_rules::h985b6fa9fc49ee74 /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:368:9
#22 0xef15cee2 in style::rule_collector::RuleCollector$LT$E$GT$::collect_all::h81108481edd02ed1 /builds/worker/checkouts/gecko/servo/components/style/rule_collector.rs:500:14
#23 0xef16087f in style::stylist::Stylist::push_applicable_declarations::h23b75558496ba9cb /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1381:9
#24 0xef16087f in style::style_resolver::StyleResolverForElement$LT$E$GT$::match_pseudo::hfb983f9bad5fabd2 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:580:17
#25 0xef1611d4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_pseudo_style::h457b6af92be556f0 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:431:13
#26 0xef1611d4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::_$u7b$$u7b$closure$u7d$$u7d$::hf3f169e6d8937a9d /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:274:36
#27 0xef1611d4 in style::gecko::selector_parser::SelectorImpl::each_eagerly_cascaded_pseudo_element::h063fed0d998c2013 /builds/worker/checkouts/gecko/servo/components/style/gecko/selector_parser.rs:510:13
#28 0xef1611d4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h22360ce43f82d35d /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:273:13
#29 0xef18f3dd in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h53878c9df5f3e49b /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:301:13
#30 0xef18f3dd in style::style_resolver::with_default_parent_styles::h844e21b5ca2e74e5 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:119:5
#31 0xef18f3dd in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::h3a9209810d92c3d1 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:300:9
#32 0xef18f3dd in style::traversal::compute_style::ha7451ae72edd9700 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:615:34
#33 0xef18d086 in style::traversal::recalc_style_at::h1f6e7a76e1577838 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:428:13
#34 0xef18d086 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h7b56b2e57a960960 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#35 0xef18d086 in style::parallel::style_trees::hc9693b9b5186e0da /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:158:9
#36 0xef16a3a1 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h69779638690ef52b /builds/worker/checkouts/gecko/servo/components/style/driver.rs:126:9
#37 0xef169a6a in style::driver::with_pool_in_place_scope::h0a54d00977ce6aa6 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:55:9
#38 0xef169a6a in style::driver::traverse_dom::h1cfe83ff7a6e4d8e /builds/worker/checkouts/gecko/servo/components/style/driver.rs:111:5
#39 0xef22b63f in geckoservo::glue::traverse_subtree::h6881d511c538f9ec /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:302:5
#40 0xef22bac8 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:362:5
#41 0xea202b76 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:814:9
#42 0xea2c8c2b in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3215:20
#43 0xea29ac0d in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3350:3
#44 0xea299d47 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4332:39
#45 0xe651aef0 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#46 0xe651aef0 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10958:16
#47 0xe64f17d5 in mozilla::dom::Document::FlushPendingNotifications(mozilla::FlushType) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10890:3
#48 0xe587a808 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:729:14
#49 0xe587bbf1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#50 0xeb5493a0 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13746:23
#51 0xeb54952b in non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#52 0xe4a48456 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#53 0xe4a49841 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#54 0xe6520252 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11746:18
#55 0xe65aabfc in mozilla::dom::nsUnblockOnloadEvent::Run() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11708:11
#56 0xe47f9175 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#57 0xe47ee590 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#58 0xe47ecc2f in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#59 0xe47ed112 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#60 0xe47fd2fc in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#61 0xe47fd2fc in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#62 0xe4813a27 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#63 0xe481afa2 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#64 0xe5532343 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#65 0xe5447bde in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#66 0xe5447ada in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#67 0xe5447ada in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#68 0xe9e86116 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#69 0xe9f4a238 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#70 0xebd0fc14 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#71 0xe55333b0 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#72 0xe5447bde in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#73 0xe5447ada in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#74 0xe5447ada in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#75 0xebd0f44d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#76 0xebd1ec61 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12
#77 0x56606d7f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#78 0x56606d7f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#79 0xf79ee518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#80 0xf79ee5f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#81 0x565d7c20 in _start (/home/worker/build/firefox-bin+0x5cc20) (BuildId: 551d69efc2b095a03b3f211cfdf8792fa70fc996)

A Pernosco session is available here: https://pernos.co/debug/JTev4sndfP1qXqeRd0lWGw/index.html

Keywords: pernosco
Attached file Reduced test-case.

Curious, how is it that fuzzers didn't catch something like comment 2? Are we not fuzzing nested CSS?

Flags: needinfo?(jkratzer)
Blocks: 1648037
Severity: -- → S3
Priority: -- → P3
See Also: → https://github.com/w3c/csswg-drafts/issues/9600
Summary: Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.pulsar-preflight, .pulsar-preflight *)) at /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:2037 → [css-nesting] Should handle better contextually-invalid selectors (was: Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.pulsar-preflight, .pulsar-preflight *)) ...)

site-scout is also reporting:

  • Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.onward-tailwind-reset, .onward-tailwind-reset *)) at /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:2044
  • Hit MOZ_CRASH(Someone messed up pseudo-element parsing: :where(.tailwind-preflight, .tailwind-preflight *)) at /builds/worker/checkouts/gecko/servo/components/selectors/parser.rs:2044

emilio do these have the same root case as this issue or should I open new bugs?

Flags: needinfo?(emilio)

Yeah, seems exactly the same. I can fix up the assert for now.

Flags: needinfo?(emilio)

With nesting it might not hold. It still doesn't change the correctness
of that code tho. We might need to rework this a bit more in the future
to handle specificity properly, see linked spec issue.

But for now crashing is not useful at all.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/769d03d34d3c
Don't assert stateless pseudo-element selector shape. r=dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45062 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/769d03d34d3c

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox125: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Upstream PR merged by moz-wptsync-bot
Flags: needinfo?(jkratzer) → needinfo?(emilio)
Flags: needinfo?(emilio)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: