Closed Bug 1940212 Opened 26 days ago Closed 24 days ago

Firefox crashes with the following CSS ::marker {:has(&){}}

Categories: Core :: CSS Parsing and Computation, defect, Firefox 133

Status: RESOLVED FIXED
Target Milestone: 136 Branch

Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox134 --- wontfix
firefox135 --- fixed
firefox136 --- fixed

People: Reporter: xiaozj, Assigned: dshin
References: Regression
Keywords: regression
Attachments: 5 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0

Steps to reproduce:

I can crash Firefox with a single line of CSS:

::marker {:has(&){}}

I realize :has() cannot contain a pseudo-element so the above is invalid anyways, but the issue is it should just silently fail, not crash the entire browser.

https://codepen.io/Miragecraft/pen/YPKYeKo

Actual results:

Browser crashes.

Expected results:

Invalid CSS should silently fail.

The Bugbug bot thinks this bug should belong to the 'Core::Layout' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Layout
Product: Firefox → Core
Crash Signature: https://crash-stats.mozilla.org/report/index/f575be6e-8a76-46d7-8faf-ade870250107
Status: UNCONFIRMED → NEW
Ever confirmed: true
Crash Signature: https://crash-stats.mozilla.org/report/index/f575be6e-8a76-46d7-8faf-ade870250107 → [@ style::invalidation::element::relative_selector::RelativeSelectorInnerInvalidationProcessor<T>::note_dependency ]
Component: Layout → CSS Parsing and Computation

Crashes with my regular profile, but not in a new profile.
Doing some testing.
Edit: It crashes with the Ruffle - flash emulator addon installed.
Edit:
Bisection:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fada0a57f99d5b5fc87e6e746df5d5b55781f57d&tochange=6453cd78e4f187bc198e83900dd9937c3cc6d0fc
Suspects: Bug 1852965 / Bug 1854757

Hi Shaw,
Can you type "about:support" in your Firefox browser and copy-paste its contents here?

Flags: needinfo?(xiaozj)
Summary: Firefox crashes with the following CSS ::marker {:has(&){}} → With the Ruffle - flash emulator installed, Firefox crashes with the following CSS ::marker {:has(&){}}
Flags: needinfo?(dshin)
Attached file about:support
Sorry, the previous file was from the wrong browser (desktop), I experienced the issue on my laptop. Here's the correct about:support file.

Update: I double checked and my desktop Firefox crashes on this CSS too.

Flags: needinfo?(xiaozj)

I just noticed your "Reporters_standalone_testcase.html" file.

I tried it and it did not trigger the crash, however when I moved the style element into the <head> Firefox crashes immediately.

<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
<style>
::marker {:has(&){}}
</style>
</head>
<body><p>Firefox crashes on this page with a single line of CSS:</p>
<code>::marker {:has(&){}}</code>
</body></html>

Keywords: regression
Regressed by: 1852965
Summary: With the Ruffle - flash emulator installed, Firefox crashes with the following CSS ::marker {:has(&){}} → Firefox crashes with the following CSS ::marker {:has(&){}}

The testcase in comment 9 is the primary testcase/STR from the OP which crashes on Nightly without any other dependency.
It may also be worthwhile to check a different STR from comment 2 (i.e., install the Ruffle Flash emulator and run the testcase in comment 4).

Set release status flags based on info from the regressing bug 1852965

Regression window simply points to when the :has selector's inner selector invalidation was implemented.

Crash also happens with ::part() and ::slotted(), and I suspect with other pseudo-elements as well.

Flags: needinfo?(dshin)
Severity: -- → S3
Assignee: nobody → dshin
Status: NEW → ASSIGNED
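
A stylesheet check for the construct discussed in this bug, as an added example that is not Firefox's code or the landed patch: it flags a nested rule that uses `&` inside `:has()` when the enclosing style rule's selector contains a pseudo-element (`::marker`, `::part()`, `::slotted()` and others). The function names are hypothetical, and it assumes CSS with no braces or semicolons inside strings or url().

```javascript
// Added example (not Firefox code). Flags nested rules that use `&` inside
// :has() while the enclosing style rule's selector has a pseudo-element.
const PSEUDO_ELEMENT = /::[a-z-]+/i; // double-colon syntax only
// Return the argument text of every :has( ... ) in a selector.
function hasArguments(selector) {
  const args = [];
  let from = 0, start;
  while ((start = selector.indexOf(':has(', from)) !== -1) {
    let depth = 1, i = start + 5;
    while (i < selector.length && depth > 0) {
      if (selector[i] === '(') depth++;
      else if (selector[i] === ')') depth--;
      i++;
    }
    args.push(selector.slice(start + 5, depth === 0 ? i - 1 : i));
    from = i;
  }
  return args;
}

function findNestedHasOnPseudoElement(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const stack = [];    // preludes of the blocks currently open
  const findings = [];
  let prelude = '';
  for (const ch of text) {
    if (ch === '{') {
      const selector = prelude.trim();
      // `&` means the nearest enclosing style rule, so skip at-rules.
      const parent = [...stack].reverse().find(p => !p.startsWith('@'));
      if (parent !== undefined && PSEUDO_ELEMENT.test(parent) &&
          hasArguments(selector).some(arg => arg.includes('&'))) {
        findings.push({ parent, nested: selector });
      }
      stack.push(selector);
      prelude = '';
    } else if (ch === '}' || ch === ';') {
      if (ch === '}') stack.pop();
      prelude = '';
    } else {
      prelude += ch;
    }
  }
  return findings;
}

// The page's test case, then a constructed rule that must not be flagged.
console.log(findNestedHasOnPseudoElement('::marker {:has(&){}}'));
console.log(findNestedHasOnPseudoElement('li { &:has(a) { color: red } }'));
```

The check only looks at the nearest enclosing style rule, so deeper chains where the pseudo-element sits further up the nesting are not reported.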
Pushed by dshin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/44f971223b37 Avoid crashing trying to invalidate from pseudo-element in :has introduced through nesting. r=firefox-style-system-reviewers,emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/49974 for changes under testing/web-platform/tests
Status: ASSIGNED → RESOLVED
Closed: 24 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:dshin, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox135 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(dshin)

Comment on attachment 9446337 [details]
Bug 1940212: Avoid crashing trying to invalidate from pseudo-element in :has introduced through nesting. r=#style

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Potential crash for given selector
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small change that removes an assert, no invalidation added downstream.
    Covered by WPTs has-nested-pseudo-*-crash.html. Regression coverage robust through other WPTs under /css/selectors/invalidation/has*, etc
    Verified on mozregression --launch 2024-01-09
  • String changes made/needed: None
  • Is Android affected?: Yes
Flags: needinfo?(dshin)
Attachment #9446337 - Flags: approval-mozilla-beta?

Comment on attachment 9446337 [details]
Bug 1940212: Avoid crashing trying to invalidate from pseudo-element in :has introduced through nesting. r=#style

Approved for 135.0b3.

Attachment #9446337 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
See Also: → 1941651