Open Bug 1929723 Opened 4 months ago Updated 3 months ago

crash at null in [@ Servo_AnimationValue_GetOpacity]

Categories: Core :: CSS Parsing and Computation, defect

Tracking Status: firefox134 --- affected

People: Reporter: tsmith, Unassigned, NeedInfo

References: Blocks 1 open bug

Keywords: crash, pernosco

Found with m-c 20241106-8954b5fe5fb5 (--enable-address-sanitizer --enable-fuzzing)

This was found by visiting a live website with an ASan build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://eloverblik.dk/.

==200632==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffe9f3d13c bp 0x7ffee7bf94d0 sp 0x7ffee7bf9460 T91)
==200632==The signal is caused by a READ memory access.
==200632==Hint: address points to the zero page.
    #0 0x7fffe9f3d13c in Servo_AnimationValue_GetOpacity /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:772:47
    #1 0x7fffd866b061 in mozilla::layers::CompositorAnimationStorage::StoreAnimatedValue(nsCSSPropertyID, unsigned long, std::unique_ptr<mozilla::layers::AnimationStorageData, std::default_delete<mozilla::layers::AnimationStorageData>> const&, AutoTArray<RefPtr<mozilla::StyleAnimationValue>, 1ul>&&, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, RefPtr<mozilla::layers::APZSampler> const&, mozilla::layers::AnimatedValue*, std::unordered_map<mozilla::layers::LayersId, nsTArray<unsigned long>, mozilla::layers::LayersId::HashFn, std::equal_to<mozilla::layers::LayersId>, std::allocator<std::pair<mozilla::layers::LayersId const, nsTArray<unsigned long>>>>&) /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:250:24
    #2 0x7fffd866cdf3 in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp)::$_1::operator()(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) const /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp
    #3 0x7fffd866c32d in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:332:19)> /builds/worker/checkouts/gecko/gfx/layers/apz/src/APZCTreeManager.h:636:5
    #4 0x7fffd866c32d in CallWithMapLock<(lambda at /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:332:19)> /builds/worker/workspace/obj-build/dist/include/mozilla/layers/APZSampler.h:115:11
    #5 0x7fffd866c32d in mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers::OMTAController const*, mozilla::TimeStamp, mozilla::TimeStamp) /builds/worker/checkouts/gecko/gfx/layers/CompositorAnimationStorage.cpp:414:17
    #6 0x7fffd8ae9007 in SampleAnimations /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:128:17
    #7 0x7fffd8ae9007 in mozilla::layers::OMTASampler::Sample(mozilla::wr::TransactionWrapper&) /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:115:29
    #8 0x7fffd8ae9f15 in Sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:68:14
    #9 0x7fffd8ae9f15 in omta_sample /builds/worker/checkouts/gecko/gfx/layers/wr/OMTASampler.cpp:245:3
    #10 0x7fffe653a10e in _$LT$webrender_bindings..bindings..SamplerCallback$u20$as$u20$webrender..renderer..init..AsyncPropertySampler$GT$::sample::h4593d6e1ba6e1847 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1105:13
    #11 0x7fffe6ed008b in webrender::render_backend::RenderBackend::update_document::h0c70c1309b40d9e2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1394:39
    #12 0x7fffe6ec147b in webrender::render_backend::RenderBackend::prepare_transactions::hd57a63e025fead35 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1306:28
    #13 0x7fffe6ec147b in webrender::render_backend::RenderBackend::process_api_msg::he43e06b9dc66cb65 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1153:17
    #14 0x7fffe66a655d in webrender::render_backend::RenderBackend::run::h7acfcab499675042 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:802:21
    #15 0x7fffe66a655d in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hc8345339b9753f4d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:715:9
    #16 0x7fffe66a655d in std::sys::backtrace::__rust_begin_short_backtrace::h392bab18e5150e84 /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:152:18
    #17 0x7fffe66c2bfa in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h7ad9eeaba7f2116f /builds/worker/fetches/rust/library/std/src/thread/mod.rs:538:17
    #18 0x7fffe66c2bfa in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h5b0f05d27e688c7d /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:272:9
    #19 0x7fffe66c2bfa in std::panicking::try::do_call::h1a8347fa00e8b218 /builds/worker/fetches/rust/library/std/src/panicking.rs:557:40
    #20 0x7fffe66c2bfa in std::panicking::try::h39381e59fb27ac1b /builds/worker/fetches/rust/library/std/src/panicking.rs:521:19
    #21 0x7fffe66c2bfa in std::panic::catch_unwind::hfc9daf6ca2bb4ea0 /builds/worker/fetches/rust/library/std/src/panic.rs:350:14
    #22 0x7fffe66c2bfa in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h9b750804345c8f55 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:537:30
    #23 0x7fffe66c2bfa in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h7538eaa8e3fc1bc6 /builds/worker/fetches/rust/library/core/src/ops/function.rs:250:5
    #24 0x7fffeb251fea in std::sys::pal::unix::thread::Thread::new::thread_start::h51b652028646be50 std.4dd631fead81e61f-cgu.12
    #25 0x5555556be478 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
    #26 0x7ffff7abcac2 in start_thread nptl/pthread_create.c:442:8
    #27 0x7ffff7b4e84f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:772:47 in Servo_AnimationValue_GetOpacity
Thread T91 created by T47 here:
    #0 0x5555556a7e81 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fffeb251e21 in std::sys::pal::unix::thread::Thread::new::h26cd317e91072d1d std.4dd631fead81e61f-cgu.12
    #2 0x7fffe6f9a0d8 in std::thread::Builder::spawn_unchecked_::hb490054ee5a47507 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:577:30
    #3 0x7fffe6f9a0d8 in std::thread::Builder::spawn_unchecked::ha415e828319dea40 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:456:32
    #4 0x7fffe6f9a0d8 in std::thread::Builder::spawn::h20cb76f6e21067b9 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:388:18
    #5 0x7fffe6f9a0d8 in webrender::renderer::init::create_webrender_instance::h50194a6e7986573a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:669:57
    #6 0x7fffe65459db in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1801:36
    #7 0x7fffd9399f99 in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:134:10
    #8 0x7fffd9359263 in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:754:11
    #9 0x7fffd93755dd in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > &, StoreCopyPassByConstLRef<bool> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
    #10 0x7fffd93755dd in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #11 0x7fffd93755dd in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #12 0x7fffd93755dd in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, StoreCopyPassByConstLRef<bool> > &, 0UL, 1UL, 2UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #13 0x7fffd93755dd in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, StoreCopyPassByConstLRef<bool> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #14 0x7fffd93755dd in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
    #15 0x7fffd93755dd in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>&&, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
    #16 0x7fffd6250976 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1149:16
    #17 0x7fffd625b328 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #18 0x7fffd7825df5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:329:5
    #19 0x7fffd770a204 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #20 0x7fffd770a204 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #21 0x7fffd770a204 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #22 0x7fffd62494ec in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:366:10
    #23 0x7ffff73eb5fb in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
    #24 0x5555556be478 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28

Thread T47 created by T0 here:
    #0 0x5555556a7e81 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7ffff73dbfb8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
    #2 0x7ffff73ca12e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
    #3 0x7fffd624c059 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:20
    #4 0x7fffd6259b86 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:606:22
    #5 0x7fffd62647c9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:176:57
    #6 0x7fffd9353dbf in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:76:10
    #7 0x7fffd9353dbf in mozilla::wr::RenderThread::Start(unsigned int) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:141:17
    #8 0x7fffd8ff2a80 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1331:7
    #9 0x7fffd8feced2 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:970:3
    #10 0x7fffe072ac4c in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:182:7
    #11 0x7fffe072ac4c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1793:25
    #12 0x7fffd62991bd in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #13 0x7fffd7aeecaa in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #14 0x7fffd7aeecaa in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1174:19
    #15 0x7fffd7aeecaa in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1120:23
    #16 0x7fffd7af397c in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1447:12
    #17 0x7fffd7af397c in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1006:10
    #18 0x7fffe28c6f34 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
    #19 0x7fffe28c6f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
    #20 0x7fffe28c8e6c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:695:10
    #21 0x7fffe28c8e6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
    #22 0x7fffe28cac5a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:849:10
    #23 0x7fffe2c823ca in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2149:12
    #24 0x7fffe2c656d7 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2177:12
    #25 0x7fffe2c656d7 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2330:14
    #26 0x7fffe2c656d7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2360:10
    #27 0x7fffe28e7ec4 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:117:10
    #28 0x7fffe28e7ec4 in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:394:10
    #29 0x7fffe28e7ec4 in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:491:10
    #30 0x7fffe28e7ec4 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3119:12
    #31 0x7fffe28c5e2f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:433:10
    #32 0x7fffe28c5e2f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:13
    #33 0x7fffe28c70aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:660:13
    #34 0x7fffe28c8e6c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:695:10
    #35 0x7fffe28c8e6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
    #36 0x7fffe28cac5a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:849:10
    #37 0x7fffe2c823ca in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2149:12
    #38 0x7fffe2c656d7 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2177:12
    #39 0x7fffe2c656d7 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2330:14
    #40 0x7fffe2c656d7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2360:10
    #41 0x7fffe28fdaa7 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:117:10
    #42 0x7fffe28fdaa7 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
    #43 0x7fffe28fdaa7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4765:10
    #44 0x7fffe28dca1c in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:285:10
    #45 0x7fffe28dca1c in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2984:12
    #46 0x7fffe28c5e2f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:433:10
    #47 0x7fffe28c5e2f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:13
    #48 0x7fffe28c70aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:660:13
    #49 0x7fffe28c8e6c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:695:10
    #50 0x7fffe28c8e6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
    #51 0x7fffe2a2fe26 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:55:10
    #52 0x7fffd7ae28df in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
    #53 0x7fffd629aa39 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #54 0x7fffd62998ee in SharedStub xptcstubs_x86_64_linux.cpp
    #55 0x7fffd61eedfb in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:680:19
    #56 0x7fffe25ff4a0 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:652:11
    #57 0x7fffe25e0ed8 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5572:18
    #58 0x7fffe25e2e21 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6029:8
    #59 0x7fffe25e3f53 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6102:21
    #60 0x555555701ccc in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:232:22
    #61 0x555555701ccc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:464:16
    #62 0x7ffff7a51d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

A Pernosco session is available here: https://pernos.co/debug/dUptkciDs2Sn9mzIiMoGHQ/index.html

Keywords: pernosco

Boris, perhaps you could take a look at the pernosco trace and see if you can make sense of why we're crashing with a null-deref in Servo_AnimationValue_GetOpacity here?

(Triaging as S3 given crash volume is extremely low, and assuming that a null-deref means this is a safe crash.)

Severity: -- → S3
Flags: needinfo?(boris.chiou)

I found one nullptr value up one level from where we crash:
https://searchfox.org/mozilla-central/rev/6d5be71ac78856ab388a1a5a923c666080f61e6a/gfx/layers/CompositorAnimationStorage.cpp#247-250

case eCSSProperty_opacity: {
  // Exactly one animation value is expected for opacity. The assertion
  // checks only the count, not that the single entry is non-null.
  MOZ_ASSERT(aAnimationValues.Length() == 1);
  SetAnimatedValue(aId, aAnimatedValueEntry,
                   Servo_AnimationValue_GetOpacity(aAnimationValues[0]));
  break;
}

At this moment when we crash, that aAnimationValues[0] value is nullptr. Not sure if this is the exact nullptr that we're dereferencing, but maybe it is? I think Rust is expecting something non-null there, if I'm reading https://searchfox.org/mozilla-central/rev/6d5be71ac78856ab388a1a5a923c666080f61e6a/servo/ports/geckolib/glue.rs#770-775 correctly.

On the assumption that that nullptr is the source of badness here, I traced it back a little ways to see where it comes from; I worked back a few steps to a moment (link in pernosco trace) at the start of a loop iteration in CompositorAnimationStorage::SampleAnimations's lambda callback where animationStorageData->mAnimation is an array of length 1, and that one entry has a mBaseStyle which is a null-valued RefPtr, which ends up ultimately getting passed around and ends up being what we call Servo_AnimationValue_GetOpacity on.

(I don't know enough about the code here to know if it's reasonable for mBaseStyle to be nullptr or not; or, if it is reasonable, if we're expecting to have been able to convert/replace that with something else [or bail out] before we make it to calling Servo_AnimationValue_GetOpacity on it.)

Boris: hoping you can take it from there, when time allows. (See the "notebook" pane in pernosco for some relevant timestamps that I marked, mostly the first and last ones are relevant.)
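To illustrate the FFI hazard discussed in this comment, here is an added example that is not Gecko's glue.rs or CompositorAnimationStorage code: a Rust `extern "C"` function declared with a `&T` parameter trusts the C++ caller never to pass null, whereas a raw-pointer parameter lets the Rust side reject a null before reading it. All names (`AnimationValue`, `example_get_opacity*`, `opacity_or_none`) are hypothetical stand-ins for the real FFI.

```rust
// Added example, not from mozilla-central. Models the boundary between a C++
// caller holding a possibly-null RefPtr and a Rust FFI entry point.
use std::ptr;

/// Hypothetical stand-in for a Servo animation value; only opacity is modelled.
#[repr(C)]
pub struct AnimationValue {
    pub opacity: f32,
}

/// Unchecked variant. A `&AnimationValue` parameter promises the compiler the
/// pointer is non-null and valid, so no check is emitted. If the C++ side hands
/// over a null (as this bug describes for mBaseStyle -> aAnimationValues[0]),
/// the load is undefined behaviour; under ASan it shows up as a SEGV on the
/// zero page, exactly like the report above.
pub extern "C" fn example_get_opacity(value: &AnimationValue) -> f32 {
    value.opacity
}

/// Checked variant. Taking a raw pointer moves the null decision into Rust:
/// `as_ref()` yields `None` for a null pointer instead of dereferencing it,
/// and the caller gets a boolean it can act on (skip the sample, log, etc.).
pub extern "C" fn example_get_opacity_checked(
    value: *const AnimationValue,
    out: *mut f32,
) -> bool {
    // SAFETY: the caller guarantees `value` is null or points at a live
    // AnimationValue, and `out` points at a writable f32.
    let Some(v) = (unsafe { value.as_ref() }) else {
        return false;
    };
    unsafe { *out = v.opacity };
    true
}

/// Safe wrapper around the checked entry point for use from Rust callers.
pub fn opacity_or_none(value: *const AnimationValue) -> Option<f32> {
    let mut out = 0.0f32;
    if example_get_opacity_checked(value, &mut out) {
        Some(out)
    } else {
        None
    }
}

fn main() {
    let v = AnimationValue { opacity: 0.5 };
    // A valid pointer is read normally.
    println!("{:?}", opacity_or_none(&v));
    // A null pointer is rejected instead of crashing.
    println!("{:?}", opacity_or_none(ptr::null()));
}
```

The C++ side of the real code path would still want its own guard (a release-mode assertion or an early return when the RefPtr is null) so that a null never reaches the FFI call in the first place.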

See Also: → 1931885