Closed
Bug 1891296
Opened 3 months ago
Closed 2 months ago
Hit MOZ_CRASH(Got the math wrong: Selector(.Masthead .glide__slide.inactive ::part(content), specificity = 0xc01, flags = HAS_PART | HAS_NON_FEATURELESS_COMPONENT) | [::part(content), , , .glide__slide, .inactive, , .Masthead] | 5 5)...
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
127 Branch
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, )
Details
(Keywords: assertion, pernosco)
Attachments
(2 files)
Found with m-c 20240412-be4463b26a49 (--enable-address-sanitizer --enable-fuzzing)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
- click right arrow on page (advance slide)
This issue was triggered by visiting http://blizzard.com/.
Hit MOZ_CRASH(Got the math wrong: Selector(.Masthead .glide__slide.inactive ::part(content), specificity = 0xc01, flags = HAS_PART | HAS_NON_FEATURELESS_COMPONENT) | [::part(content), , , .glide__slide, .inactive, , .Masthead] | 5 5) at /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:364
#0 0x7e50aa831ea5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7e50aa831ea5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7e50aa83135d in mozglue_static::panic_hook::h43eaefe9eb9c21c7 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:98:9
#3 0x7e50aa83135d in core::ops::function::Fn::call::h428b5e23b1db83db /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/ops/function.rs:79:5
#4 0x7e50ab91f2c5 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h4dd5cc3b5605ae1a /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/alloc/src/boxed.rs:2029:9
#5 0x7e50ab91f2c5 in std::panicking::rust_panic_with_hook::hb164d19c0c1e71d4 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:785:13
#6 0x7e50ab91f011 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h0369088c533c20e9 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:659:13
#7 0x7e50ab91c505 in std::sys_common::backtrace::__rust_end_short_backtrace::hc11d910daf35ac2e /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/sys_common/backtrace.rs:171:18
#8 0x7e50ab91ed63 in rust_begin_unwind /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:647:5
#9 0x7e50ab96af74 in core::panicking::panic_fmt::ha6effc2775a0749c /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panicking.rs:72:14
#10 0x7e50ab1df227 in selectors::matching::matches_compound_selector_from::h534721b03c4faccd /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:364:5
#11 0x7e50ab10035c in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::process_invalidation::h99d420760b8e84c3 /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:908:13
#12 0x7e50ab10768c in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::process_descendant_invalidations::h22df4a54b819c700 /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:863:26
#13 0x7e50ab0fd171 in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::invalidate_child::h4a620f99bd372e56 /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:565:34
#14 0x7e50ab1046f5 in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::invalidate_dom_descendants_of::hae90a684fce2245d /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:618:31
#15 0x7e50ab1046f5 in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::invalidate_non_slotted_descendants::h1a78e4ab9a0dd7af /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:761:27
#16 0x7e50ab1046f5 in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::invalidate_descendants::hed2e62a54e2a9d6b /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:800:27
#17 0x7e50ab12c141 in style::invalidation::element::invalidator::TreeStyleInvalidator$LT$E$C$P$GT$::invalidate::h8865fb351dd1b448 /builds/worker/checkouts/gecko/servo/components/style/invalidation/element/invalidator.rs:460:39
#18 0x7e50ab12c141 in style::data::ElementData::invalidate_style_if_needed::h0235cc08cdbe7c3e /builds/worker/checkouts/gecko/servo/components/style/data.rs:320:22
#19 0x7e50ab1579bb in style::traversal::note_children::hc2bee16fb687e9a6 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:783:13
#20 0x7e50ab1579bb in style::traversal::recalc_style_at::h1b4776173fa98d75 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:521:9
#21 0x7e50ab1579bb in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h74e9734009438efb /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#22 0x7e50ab1579bb in style::parallel::style_trees::h973a3f7e3bfd5fcc /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:157:9
#23 0x7e50ab133b16 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::hf04ccb73d53f2aa7 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:137:9
#24 0x7e50ab133113 in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::hf8416748799d758c /builds/worker/checkouts/gecko/servo/components/style/driver.rs:67:17
#25 0x7e50ab133113 in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h4a1a6de09898a668 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:36
#26 0x7e50ab133113 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hf5fdf39741f49616 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panic/unwind_safe.rs:272:9
#27 0x7e50ab133113 in std::panicking::try::do_call::h467abb9f4afd6a85 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:554:40
#28 0x7e50ab133113 in std::panicking::try::h9b8c790d8c6b41cc /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:518:19
#29 0x7e50ab133113 in std::panic::catch_unwind::h8f32e58a0e0d662a /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panic.rs:142:14
#30 0x7e50ab133113 in rayon_core::unwind::halt_unwinding::h6786cc54eb2d405a /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
#31 0x7e50ab133113 in rayon_core::scope::ScopeBase::execute_job_closure::h2ea5316439ad07aa /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:689:28
#32 0x7e50ab133113 in rayon_core::scope::ScopeBase::complete::he7d34c50a60b9a83 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:667:31
#33 0x7e50ab133113 in rayon_core::scope::do_in_place_scope_fifo::ha766a057cd9033e4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:5
#34 0x7e50ab133113 in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::h56bfbb00552c5f59 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:296:9
#35 0x7e50ab133113 in style::driver::with_pool_in_place_scope::hbd0414e573991be2 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:59:14
#36 0x7e50ab133113 in style::driver::traverse_dom::h3fd9c9c4c92f14b2 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:126:5
#37 0x7e50ab1ee21b in geckoservo::glue::traverse_subtree::ha026d593d94d485d /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:310:5
#38 0x7e50ab1ee781 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:370:5
#39 0x7e50a5f9930b in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:816:9
#40 0x7e50a605d1a7 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3234:20
#41 0x7e50a602f235 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3369:3
#42 0x7e50a602e377 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4419:39
#43 0x7e50a2202c4f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1480:5
#44 0x7e50a2202c4f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10946:16
#45 0x7e50a2244002 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10878:3
#46 0x7e50a2244002 in nsIContent::GetPrimaryFrame(mozilla::FlushType) /builds/worker/checkouts/gecko/dom/base/Element.cpp:261:10
#47 0x7e50a417f0e1 in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:396:8
#48 0x7e50a36dcd85 in OffsetWidth /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.h:285:5
#49 0x7e50a36dcd85 in mozilla::dom::HTMLElement_Binding::get_offsetWidth(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./HTMLElementBinding.cpp:1755:39
#50 0x7e50a37a051c in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3151:13
#51 0x7e50a7d6eae4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#52 0x7e50a7d6e3fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#53 0x7e50a7d6f8d7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#54 0x7e50a7d70a43 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:794:10
#55 0x7e50a801d11a in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2143:12
#56 0x7e50a801d11a in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyInfoBase<unsigned int>, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2171:12
#57 0x7e50a801d9e7 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2319:14
#58 0x7e50a7cfdc7f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
#59 0x7e50a7d95518 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4510:10
#60 0x7e50a897db05 in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1283:8
#61 0x3ca752068a4a ([anon:js-executable-memory]+0xca4a)
|
Reporter | |
Comment 1•3 months ago
|
||
A Pernosco session is available here: https://pernos.co/debug/wIkQr2_Nc_3AHHR_kZnSKA/index.html
Keywords: pernosco
|
||
Comment 2•2 months ago
|
||
The failing assert is here:
https://searchfox.org/mozilla-central/rev/c7df16ffad1f12a19c81c16bce0b65e4a15304d0/servo/components/selectors/matching.rs#364-376
debug_assert!(
iter.clone().next().is_some() ||
(from_offset != selector.len() &&
matches!(
selector.combinator_at_parse_order(from_offset),
Combinator::SlotAssignment | Combinator::PseudoElement
)),
"Got the math wrong: {:?} | {:?} | {} {}",
selector,
selector.iter_raw_match_order().as_slice(),
from_offset,
start_offset
);
Looks like the hg-blame is pretty old for that code, but emilio is noted on some of it. emilio, could you take a look here?
(Triaging as S3 assuming that the outcome for release builds isn't too bad, possibly a theoretical correctness issue; but please adjust if you think it should be higher.)
Severity: -- → S3
Flags: needinfo?(emilio)
|
Assignee | |
Comment 3•2 months ago
|
||
|
|
Assignee | |
Comment 4•2 months ago
|
||
We can have combinator sequences like [>, <part>], and they are fine.
Add a test to make sure they're handled correctly.
|
||
Updated•2 months ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•2 months ago
|
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c6154fb40c2e Fix an assertion in selector-matching. r=dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45918 for changes under testing/web-platform/tests
|
||
Comment 7•2 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
status-firefox127:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Upstream PR merged by moz-wptsync-bot
Upstream PR merged by moz-wptsync-bot
|
||
Comment 10•2 months ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox126towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•2 months ago
|
Flags: needinfo?(emilio)
|
||
Updated•2 months ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•