Closed Bug 1949899 Opened 8 months ago Closed 8 months ago

Assertion failure: GetRepeatDuration().IsDefinite() (Attempting to sample fill value of an active animation with an indefinite repeat duration), at /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:1939

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
137 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox136 --- wontfix
firefox137 --- verified

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

testcase.html
193 bytes, text/html
Details
Bug 1949899 - don't assert if the repeat duration is indefinite if we're trying to sample a fill in an active state r=emilio
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20241230-1542f650101a (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: GetRepeatDuration().IsDefinite() (Attempting to sample fill value of an active animation with an indefinite repeat duration), at /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:1939

#0 0x725b7f456b56 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x725b7f456b56 in mozilla::SMILTimedElement::SampleFillValue() /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:1941:5
#2 0x725b7f45787b in mozilla::SMILTimedElement::SetFillMode(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:1015:5
#3 0x725b7f4575cd in mozilla::SMILTimedElement::SetAttr(nsAtom*, nsTSubstring<char16_t> const&, nsAttrValue&, mozilla::dom::Element&, nsresult*) /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:773:19
#4 0x725b7ee4dffd in mozilla::dom::SVGAnimationElement::ParseAttribute(int, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, nsAttrValue&) /builds/worker/checkouts/gecko/dom/svg/SVGAnimationElement.cpp:199:25
#5 0x725b7bf71140 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2841:8
#6 0x725b7bf72140 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1031:12
#7 0x725b7bf72140 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, mozilla::dom::TrustedHTMLOrTrustedScriptOrTrustedScriptURLOrString const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1700:14
#8 0x725b7d029bb7 in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:2596:24
#9 0x725b7d2ac49d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#10 0x725b80a13eb4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
#11 0x725b80a1370f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
#12 0x725b81540452 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20250222091445-0af7a39fb3e1.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: dba8ff89abb9be706021b6ff359c87e58dda45ce (20240224093754)
End: 1542f650101aac965e1b6cb9dc6162fe2b5e35b3 (20241230205200)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:bisected,confirmed]
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Severity: -- → S3
Pushed by longsonr@gmail.com: https://hg.mozilla.org/integration/autoland/rev/250080179d49 don't assert if the repeat duration is indefinite if we're trying to sample a fill in an active state r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/50940 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/250080179d49

Status: ASSIGNED → RESOLVED
Closed: 8 months ago
status-firefox137: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20250225214549-74fc528d64f4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox137: fixedverified
Keywords: bugmon
status-firefox136: --- → wontfix
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: