1932969 - Assertion failure: 0.0f <= intervalProgress && intervalProgress < 1.0f (Interval progress should be in the range [0, 1)), at /builds/worker/checkouts/gecko/dom/smil/SMILAnimationFunction.cpp:408

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20241115-dc5a28b24f94 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: 0.0f <= intervalProgress && intervalProgress < 1.0f (Interval progress should be in the range [0, 1)), at /builds/worker/checkouts/gecko/dom/smil/SMILAnimationFunction.cpp:408

#0 0x771d8f4329d9 in mozilla::SMILAnimationFunction::InterpolateResult(FallibleTArray<mozilla::SMILValue> const&, mozilla::SMILValue&, mozilla::SMILValue&) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationFunction.cpp:407:7
#1 0x771d8f431fef in mozilla::SMILAnimationFunction::ComposeResult(mozilla::SMILAttr const&, mozilla::SMILValue&) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationFunction.cpp:246:9
#2 0x771d8f430a38 in mozilla::SMILCompositor::ComposeAttribute(bool&) /builds/worker/checkouts/gecko/dom/smil/SMILCompositor.cpp:108:29
#3 0x771d8f42efff in mozilla::SMILAnimationController::DoSample(bool) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationController.cpp:381:16
#4 0x771d8fc783eb in Resample /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:73:21
#5 0x771d8fc783eb in FlushResampleRequests /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:86:5
#6 0x771d8fc783eb in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4419:44
#7 0x771d8bec8f9b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1456:5
#8 0x771d8bec8f9b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11282:16
#9 0x771d8ae849dd in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:728:14
#10 0x771d8ae85e14 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#11 0x771d90191e6f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13740:23
#12 0x771d8a212e0f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:638:22
#13 0x771d8a213fde in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#14 0x771d8bece1dc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12076:18
#15 0x771d8beb42a9 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8434:3
#16 0x771d8bf6ae49 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#17 0x771d8bf6ae49 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#18 0x771d8bf6ae49 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#19 0x771d8bf6ae49 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#20 0x771d8bf6ae49 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#21 0x771d8bf6ae49 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#22 0x771d8bf6ae49 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#23 0x771d89fe17d7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#24 0x771d89fd7039 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#25 0x771d89fd5a77 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#26 0x771d89fd5ef5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#27 0x771d89fe51b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#28 0x771d89fe51b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#29 0x771d89ff8adb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#30 0x771d89fff7bf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#31 0x771d8ab92705 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#32 0x771d8aae54e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#33 0x771d8aae54e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#34 0x771d8f8ad0f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x771d8f95fc98 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#36 0x771d90848e1b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#37 0x771d8ab93556 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x771d8aae54e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#39 0x771d8aae54e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#40 0x771d9084824a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#41 0x561d0cfc2e2e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20241122214930-b89dc7790f33.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: a137631f73ce188671f50c5225295d64d427fec2 (20231125091605)
End: dc5a28b24f94d8fdb17a970843c2c6b88a012d66 (20241115164212)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 2

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 3

[Robert Longson [:longsonr]]

Attachment: Bug 1932969 - Use doubles for intermediate values to prevent float overflow r=dholbert

Comment 4

[Pulsebot]

Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/13fa9935e206
Use doubles for intermediate values to prevent float overflow r=dholbert

Comment 5

[agoloman]

https://hg.mozilla.org/mozilla-central/rev/13fa9935e206

Comment 6

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20241124094441-3973e4edeb03.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.