Open Bug 1935785 Opened 2 months ago Updated 17 days ago

Hit MOZ_CRASH(assertion failed: self.has_data()) at servo/components/style/gecko/wrapper.rs:1367

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- affected
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- fix-optional

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
609 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20241202-250be4ca3c66 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(assertion failed: self.has_data()) at servo/components/style/gecko/wrapper.rs:1367

#0 0x77c2d8672af5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:337:3
#1 0x77c2d8672af5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x77c2d8672654 in mozglue_static::panic_hook::h4f780977c3361aa5 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:102:9
#3 0x77c2d867210b in core::ops::function::Fn::call::h77b30e9f337e5e27 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5
#4 0x77c2d9a33897 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h9455091b6b06f9fb /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/alloc/src/boxed.rs:2468:9
#5 0x77c2d9a33897 in std::panicking::rust_panic_with_hook::h8942133a8b252070 /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs:809:13
#6 0x77c2d9a33625 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hb5f5963570096b29 /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs:667:13
#7 0x77c2d9a328b8 in std::sys::backtrace::__rust_end_short_backtrace::h6208cedc1922feda /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/sys/backtrace.rs:170:18
#8 0x77c2d9a332eb in rust_begin_unwind /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs:665:5
#9 0x77c2d9a5b01f in core::panicking::panic_fmt::h0c3082644d1bf418 /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/core/src/panicking.rs:74:14
#10 0x77c2d9a5b0ab in core::panicking::panic::h957f98c65a3b3074 /rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/core/src/panicking.rs:148:5
#11 0x77c2d96ebe3e in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::set_dirty_descendants::h420f284db831ea98 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1367:9
#12 0x77c2d93573e7 in geckoservo::glue::on_siblings_invalidated::h43200b5660311839 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:7112:9
#13 0x77c2d93573e7 in geckoservo::glue::restyle_for_nth_of::h612dd692673c00b6 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:7141:5
#14 0x77c2d4b6c0cf in RestyleSiblingsForNthOf /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3714:15
#15 0x77c2d4b6c0cf in MaybeRestyleForNthOfState /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3539:5
#16 0x77c2d4b6c0cf in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3485:3
#17 0x77c2d4b6bc00 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4502:37
#18 0x77c2d0d40edd in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8566:3
#19 0x77c2d0d9aa53 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:383:10
#20 0x77c2d2ccd684 in MakeContentDescendantsEditable(nsIContent*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2498:12
#21 0x77c2d2ccd6a7 in MakeContentDescendantsEditable(nsIContent*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2504:7
#22 0x77c2d2ccd6a7 in MakeContentDescendantsEditable(nsIContent*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2504:7
#23 0x77c2d2cc6ba4 in nsGenericHTMLElement::ChangeEditableState(int) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2525:3
#24 0x77c2d2cc6467 in nsGenericHTMLElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:858:7
#25 0x77c2d0d500b6 in mozilla::dom::Element::UnsetAttr(int, nsAtom*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:3317:3
#26 0x77c2d0da2f9b in mozilla::dom::Element::RemoveAttribute(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1598:12
#27 0x77c2d1e7b939 in mozilla::dom::Element_Binding::removeAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:2716:24
#28 0x77c2d20e98dd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#29 0x77c2d58ef8fa in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#30 0x77c2d58ef0d3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#31 0x77c2d64603ee in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1701:10
#32 0x0c18038f6e0e  ([anon:js-executable-memory]+0xc18038f6e0e)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20241207091049-78d8afbe5767.
The bug appears to have been introduced in the following build range:

Start: 99bd3eeb6ed504f433837a067962aa5b15aeee49 (20240118163339)
End: 68ff26df33468fe750b39f175b43b8507718ece4 (20240118132123)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=99bd3eeb6ed504f433837a067962aa5b15aeee49&tochange=68ff26df33468fe750b39f175b43b8507718ece4

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Bug 1875137 maybe?

Flags: needinfo?(emilio)

Yes, I don't think that assertion holds in the presence of :has() nowadays... We should probably not set the dirty bits down the display: none subtree. I'm mostly on PTO this week fwiw, so probably won't dig on it right now. But also it's probably not super-harmful.

Regressed by: 1875137

Set release status flags based on info from the regressing bug 1875137

status-firefox133: --- → affected
status-firefox134: --- → affected
status-firefox-esr128: --- → affected
Severity: -- → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: