Closed Bug 1918454 Opened 5 months ago Closed 5 months ago

Hit MOZ_CRASH(attempt to divide by zero) at servo/components/style/values/computed/font.rs:105

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
132 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox130 --- unaffected
firefox131 --- unaffected
firefox132 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker], [wptsync upstream])

Crash Data

Attachments

(2 files)

testcase.html
61 bytes, text/html
Details
Bug 1918454 - Prevent divide by zero when inverting effective zoom. r=#style,#layout
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20240911-606085de1f6c (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(attempt to divide by zero) at servo/components/style/values/computed/font.rs:105

#0 0x719966c12285 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x719966c12285 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x719966c11f7a in mozglue_static::panic_hook::h49a1e4bfb814af7e /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:102:9
#3 0x719966c119cb in core::ops::function::Fn::call::h85943edccac81c64 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/ops/function.rs:79:5
#4 0x719967d03c3e in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hce7569f4ca5d1b64 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/alloc/src/boxed.rs:2084:9
#5 0x719967d03c3e in std::panicking::rust_panic_with_hook::hfe205f6954b2c97b /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:808:13
#6 0x719967d03832 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h6cb44b3a50f28c44 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:667:13
#7 0x719967d02688 in std::sys::backtrace::__rust_end_short_backtrace::hf1c1f2a92799bb0e /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/sys/backtrace.rs:168:18
#8 0x719967d034f3 in rust_begin_unwind /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:665:5
#9 0x719967d2ac32 in core::panicking::panic_fmt::h3d8fc78294164da7 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/panicking.rs:74:14
#10 0x719967d348c6 in core::panicking::panic_const::panic_const_div_by_zero::h5e45bd48e3e1455d /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/panicking.rs:181:21
#11 0x7199679b99fb in _$LT$style..values..computed..font..FixedPoint$LT$u16$C$_$GT$$u20$as$u20$core..ops..arith..Div$GT$::div::h52e1a78bb6ceca96 /builds/worker/checkouts/gecko/servo/components/style/values/computed/font.rs:105:20
#12 0x7199679b99fb in style::values::computed::box_::Zoom::inverted::hc0fe3497ab43441c /builds/worker/checkouts/gecko/servo/components/style/values/computed/box.rs:369:14
#13 0x7199679b99fb in style::properties::generated::StyleBuilder::resolved_specified_zoom::hebcc3141492d9bf3 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-100a774b2af1b7a2/out/properties.rs:170364:45
#14 0x7199679b99fb in style::properties::cascade::Cascade::recompute_font_size_for_zoom_change::hafcf0c4bbf85704d /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:1267:38
#15 0x7199679b99fb in style::properties::cascade::Cascade::apply_prioritary_properties::hc9150624c2f27102 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:774:13
#16 0x71996751915d in style::properties::cascade::apply_declarations::hf0263b7d31b6fbe2 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:333:13
#17 0x719967595713 in style::properties::cascade::cascade_rules::hc889ce270e8bf143 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:198:5
#18 0x719967595713 in style::properties::cascade::cascade::h1626dae5d6f7e473 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:82:5
#19 0x719967595713 in style::stylist::Stylist::cascade_style_and_visited::hea617485eab10fae /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1253:9
#20 0x7199675695ce in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::hb22829bfe99e3b5f /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:382:22
#21 0x71996756850d in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h8e396aaf4f342692 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:277:20
#22 0x71996756910e in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::hfe29b119a640c8bc /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:231:9
#23 0x719967567f8e in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h089a9cd0b07367a4 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:295:13
#24 0x71996759e980 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::he3176d6242c7cba8 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:330:13
#25 0x71996759e980 in style::style_resolver::with_default_parent_styles::h0f78114b3da1ddc2 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:139:5
#26 0x71996759e980 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::haae7138f18212a8e /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:329:9
#27 0x71996759e980 in style::traversal::compute_style::h804c414ab387f630 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:619:34
#28 0x71996759bdce in style::traversal::recalc_style_at::haa38b8c519e6525a /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:432:13
#29 0x71996759bdce in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::he475cd356a7a8a32 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#30 0x71996759bdce in style::parallel::style_trees::hd98d83d456289023 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:158:9
#31 0x719967574a01 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::hb4d5323bf381c12f /builds/worker/checkouts/gecko/servo/components/style/driver.rs:138:9
#32 0x719967573c26 in style::driver::with_pool_in_place_scope::hf2c8a83083efbf21 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:57:9
#33 0x719967573c26 in style::driver::traverse_dom::h14e12dd0b71a25d8 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:127:5
#34 0x71996763b334 in geckoservo::glue::traverse_subtree::hfce1181d2ed87ed0 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:308:5
#35 0x71996763b7e8 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:368:5
#36 0x71996337869c in mozilla::ServoStyleSet::StyleNewSubtree(mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:897:7
#37 0x71996345f96b in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4043:17
#38 0x71996345b74f in nsCSSFrameConstructor::BeginBuildingScrollContainerFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4202:7
#39 0x71996346223e in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4451:7
#40 0x7199634631e8 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3716:16
#41 0x71996346766f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5424:3
#42 0x719963458aa9 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9435:5
#43 0x71996345a5bb in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9722:3
#44 0x719963463870 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3844:9
#45 0x71996346766f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5424:3
#46 0x719963458aa9 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9435:5
#47 0x71996346d5a7 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6576:3
#48 0x71996342cb65 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1628:27
#49 0x7199634338f4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3284:7
#50 0x719963406b65 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3370:3
#51 0x719963405eb6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4369:37
#52 0x7199633cb3ee in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
#53 0x7199633cb3ee in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2199:31
#54 0x7199633ca2e9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2782:3
#55 0x7199633d35d1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#56 0x7199633d35d1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#57 0x7199633d34d0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#58 0x7199633d336d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#59 0x7199633d265c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#60 0x7199633d19e9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#61 0x71996284648b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#62 0x719962ac5b27 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
#63 0x7199629fc420 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8260:32
#64 0x71995e5c97df in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
#65 0x71995e5c6762 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
#66 0x71995e5c73e2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
#67 0x71995e5c852f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
#68 0x71995da49017 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#69 0x71995da3ea86 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#70 0x71995da3d497 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#71 0x71995da3d915 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#72 0x71995da4c986 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#73 0x71995da4c986 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#74 0x71995da600ab in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#75 0x71995da66d8f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#76 0x71995e5cf365 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#77 0x71995e522bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#78 0x71995e522bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#79 0x719963045c68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#80 0x7199630f3438 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#81 0x719963fb4f0b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#82 0x71995e5d01b6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#83 0x71995e522bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#84 0x71995e522bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#85 0x719963fb479b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#86 0x57d5d1bb708e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240912092307-8ea146da980a.
Unable to bisect testcase (Unable to launch the end build!):

Start: 8f5a11c1eb0b7598d1415f6efa9c360191a423f8 (20230914041524)
End: 606085de1f6c8fdf17b9f115aa3ae4e687d7dbf6 (20240911214006)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

This issue is frequently triggered by browser fuzzers, please prioritize appropriately.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/6eab6187-4572-45d4-8834-c37820240913

Crash Signature: [@ style::values::computed::font::impl$1::div ]

Bisection:
Bug 1909625 - Ignore CSS zoom and text zoom for canvas. r=gfx-reviewers,lsalzman
Differential Revision: https://phabricator.services.mozilla.com/D221709

Flags: needinfo?(emilio)
Keywords: regression
Regressed by: 1909625

Set release status flags based on info from the regressing bug 1909625

status-firefox130: --- → unaffected
status-firefox131: --- → unaffected
status-firefox-esr115: --- → unaffected
status-firefox-esr128: --- → unaffected
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e575a9337c4a Prevent divide by zero when inverting effective zoom. r=firefox-style-system-reviewers,layout-reviewers,boris
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48168 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/e575a9337c4a

Status: ASSIGNED → RESOLVED
Closed: 5 months ago
status-firefox132: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20240913214507-b91e1b615932.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox132: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: