1932796 - Assertion '!(__hi < __lo)' failed. [@ ComputeHotspot]

Status: VERIFIED FIXED

(Core :: DOM: Events, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20241115-dc5a28b24f94 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:3721: const _Tp &std::clamp(const _Tp &, const _Tp &, const _Tp &) [_Tp = int]: Assertion '!(__hi < __lo)' failed.

#0 0x7b75ab2969fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
#1 0x7b75ab2969fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
#2 0x7b75ab2969fc in pthread_kill nptl/pthread_kill.c:89:10
#3 0x7b75ab242475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#4 0x7b75ab2287f2 in abort stdlib/abort.c:79:7
#5 0x7b759f07bc50 in __replacement_assert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/x86_64-linux-gnu/c++/8/bits/c++config.h:447:5
#6 0x7b759f07bc50 in clamp<int> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:3721:7
#7 0x7b759f07bc50 in ComputeHotspot /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp
#8 0x7b759f07bc50 in ComputeCustomCursor /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:4672:29
#9 0x7b759f07bc50 in mozilla::EventStateManager::UpdateCursor(nsPresContext*, mozilla::WidgetMouseEvent*, nsIFrame*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:4713:9
#10 0x7b759f077e85 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1130:7
#11 0x7b75a1290cdd in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8640:39
#12 0x7b75a1289d37 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8607:17
#13 0x7b75a1289513 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7407:30
#14 0x7b75a1287f48 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7211:12
#15 0x7b75a12872f4 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7154:23
#16 0x7b75a0e42bbe in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:652:18
#17 0x7b75a0e42919 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1010:9
#18 0x7b75a0e8684d in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:311:37
#19 0x7b759c9b601b in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:508:21
#20 0x7b75a068e642 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1706:10
#21 0x7b75a068e642 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1663:3
#22 0x7b75a068fd9b in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1616:3
#23 0x7b75a068ff08 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1581:8
#24 0x7b75a07c4dd7 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5471:80
#25 0x7b75a08372d0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8677:32
#26 0x7b759c18cb7f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1727:25
#27 0x7b759c189b02 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1654:9
#28 0x7b759c18a782 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1445:3
#29 0x7b759c18b8cf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1545:14
#30 0x7b759b5e17d7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#31 0x7b759b5d7039 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#32 0x7b759b5d5a77 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#33 0x7b759b5d5ef5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#34 0x7b759b5e5219 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:37
#35 0x7b759b5e5219 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#36 0x7b759b5f8adb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#37 0x7b759b5ff7bf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#38 0x7b759c1926b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#39 0x7b759c0e54e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#40 0x7b759c0e54e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#41 0x7b75a0ead0f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#42 0x7b75a0f5fc98 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#43 0x7b75a1e48e1b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#44 0x7b759c193556 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7b759c0e54e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#46 0x7b759c0e54e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#47 0x7b75a1e4824a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#48 0x5c7b20afde2e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20241121215254-463ac8a449fa.
The bug appears to have been introduced in the following build range:

Start: 2df700c66768b23751cbf93a1fdcc829df6cb80b (20241115074717)
End: 4a5eae7388b8e75af04a3a5505d6e52ba2a9e79e (20241115091009)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2df700c66768b23751cbf93a1fdcc829df6cb80b&tochange=4a5eae7388b8e75af04a3a5505d6e52ba2a9e79e

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1929270

:sergesanspaille, since you are the author of the regressor, bug 1929270, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Wrong dup? (The dup is the regressor)

Comment 5

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[[:sergesanspaille]]

Indeed, I should just have set fixed has the regressor have been fixed, I guess.

Comment 7

[Emilio Cobos Álvarez (:emilio)]

But... I'm confused. https://searchfox.org/mozilla-central/rev/7987501f2c2ed1914e5c682bd328ace9c4a7c6cd/dom/events/EventStateManager.cpp#4623 still uses std::clamp and still asserts for imageWidth=0 doesn't it? So how is this fixed?

Comment 8

[Tyson Smith [:tsmith]]

This is still reproducible with the attached test case and m-c 20241128-671bec590e6f.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1929270

Comment 10

[[:sergesanspaille]]

Attachment: Bug 1932796 - Partially revert #1929270 r=emilio

Comment 11

[Pulsebot]

Pushed by sguelton@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a0070a970c2
Partially revert #1929270 r=emilio

Comment 12

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/8a0070a970c2

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:sergesanspaille, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Comment 14

[[:sergesanspaille]]

Attachment: Bug 1932796 - Partially revert #1929270

Original Revision: https://phabricator.services.mozilla.com/D230647

Comment 15

[Phabricator Automation]

beta Uplift Approval Request

• User impact if declined: regression not fixed: invalid behavior at boundaries
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing: see test case attached to #1932796
• Risk associated with taking this patch: None
• Explanation of risk level: validated manually
• String changes made/needed: no
• Is Android affected?: yes

Comment 16

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/d1f16bd56434

Comment 17

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20241130210919-51087836c42d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.