1903671 - Hit MOZ_CRASH(Why bothering?) at /builds/worker/checkouts/gecko/servo/components/style/gecko/snapshot_helpers.rs:210

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240613-bfd01427a5e8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Why bothering?) at /builds/worker/checkouts/gecko/servo/components/style/gecko/snapshot_helpers.rs:210

#0 0x74c2de92ce25 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x74c2de92ce25 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x74c2de92c8e3 in mozglue_static::panic_hook::h3b8994b60553acad /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:98:9
#3 0x74c2de92c29b in core::ops::function::Fn::call::h15345cefc67bbeff /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/core/src/ops/function.rs:79:5
#4 0x74c2dfbaa275 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha9c3bc81d312fd83 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/alloc/src/boxed.rs:2036:9
#5 0x74c2dfbaa275 in std::panicking::rust_panic_with_hook::hac8bdceee1e4fe2c /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panicking.rs:799:13
#6 0x74c2df2cf36e in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h7ed49115da8e0a86 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panicking.rs:694:9
#7 0x74c2df2ce368 in std::sys_common::backtrace::__rust_end_short_backtrace::ha9f06b1e3ce7e817 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/sys_common/backtrace.rs:171:18
#8 0x74c2df2cf33c in std::panicking::begin_panic::h82d164b24795fa02 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panicking.rs:693:12
#9 0x74c2df37464e in style::gecko::snapshot_helpers::classes_changed::hb685e0bd9ae09e06 /builds/worker/checkouts/gecko/servo/components/style/gecko/snapshot_helpers.rs:210:5
#10 0x74c2df49648f in geckoservo::glue::Servo_StyleSet_MightHaveNthOfClassDependency::_$u7b$$u7b$closure$u7d$$u7d$::hc50be34bb1fb4eec /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:6953:9
#11 0x74c2df495d05 in style::stylist::Stylist::any_applicable_rule_data::h2599ade41d191977 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:959:12
#12 0x74c2df495d05 in Servo_StyleSet_MightHaveNthOfClassDependency /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:6952:5
#13 0x74c2daeb059d in mozilla::RestyleManager::MaybeRestyleForNthOfAttribute(mozilla::dom::Element*, nsAtom*, nsAttrValue const*) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3709:41
#14 0x74c2dae83130 in mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3635:3
#15 0x74c2dae82f40 in mozilla::PresShell::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4491:37
#16 0x74c2d72e187f in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:149:10
#17 0x74c2d72e187f in Notify<(NotifyPresShell)2, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:149:10)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:99:7
#18 0x74c2d72e187f in mozilla::dom::MutationObservers::NotifyAttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:148:3
#19 0x74c2d722faf7 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2761:5
#20 0x74c2d72288ba in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2604:10
#21 0x74c2d7229090 in mozilla::dom::Element::SetAttributeNS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1632:12
#22 0x74c2d83231bc in mozilla::dom::Element_Binding::setAttributeNS(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:2053:24
#23 0x74c2d8562817 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#24 0x74c2dbd380e4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:487:13
#25 0x74c2dbd378cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:581:12
#26 0x74c2dc86bc36 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1670:10
#27 0x156d18b29a5e  ([anon:js-executable-memory]+0xba5e)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240619213942-7999d1a5d574.
The bug appears to have been introduced in the following build range:

Start: 38b06f0c751021f94bebb032242b2326666ec476 (20230705214733)
End: 4613dfbe6bc2e60b1159da46db2edee3018423e1 (20230705143806)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=38b06f0c751021f94bebb032242b2326666ec476&tochange=4613dfbe6bc2e60b1159da46db2edee3018423e1

Comment 2

[Donal Meehan [:dmeehan]]

Setting Bug 1824886 as the possible regressor based on the pushlog in Comment 1. Please correct if needed.

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Attachment: Test-case that doesn't involve inspectorUtils APIs

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1903671 - Check for namespace properly when looking for class / id attributes for invalidation. r=#style,zrhoffman,dshin

Comment 5

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/00e7a7ac992c
Check for namespace properly when looking for class / id attributes for invalidation. r=zrhoffman,dshin,firefox-style-system-reviewers

Comment 6

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/46871 for changes under testing/web-platform/tests

Comment 7

[Cristina Horotan [:chorotan]]

https://hg.mozilla.org/mozilla-central/rev/00e7a7ac992c

Comment 8

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240623094005-ae642c157034.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1824886