1957178 - Assertion failure: !aCmp(*(aBegin + a), *(aBegin + b)) (Your comparator is not a valid strict-weak ordering) [@ mozilla::SMILCompositor::ComposeAttribute]

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20250328-6ae189025cfa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !aCmp(*(aBegin + a), *(aBegin + b)) (Your comparator is not a valid strict-weak ordering), at /builds/worker/workspace/obj-build/dist/include/nsTArray.h:310

#0 0x7fb10c53f533 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7fb10c53f533 in void detail::AssertStrictWeakOrder<mozilla::SMILAnimationFunction**, void nsTArray_Impl<mozilla::SMILAnimationFunction*, nsTArrayInfallibleAllocator>::Sort<mozilla::SMILAnimationFunction::Comparator>(mozilla::SMILAnimationFunction::Comparator const&)::'lambda'(mozilla::SMILAnimationFunction::Comparator const&, auto const&)>(mozilla::SMILAnimationFunction::Comparator, mozilla::SMILAnimationFunction::Comparator, auto const&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:309:9
#2 0x7fb10c5341ef in Sort<mozilla::SMILAnimationFunction::Comparator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2389:5
#3 0x7fb10c5341ef in mozilla::SMILCompositor::ComposeAttribute(bool&) /builds/worker/checkouts/gecko/dom/smil/SMILCompositor.cpp:87:23
#4 0x7fb10c5325df in mozilla::SMILAnimationController::DoSample(bool) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationController.cpp:393:16
#5 0x7fb10cdd6e76 in Resample /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:75:21
#6 0x7fb10cdd6e76 in FlushResampleRequests /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:88:5
#7 0x7fb10cdd6e76 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4577:44
#8 0x7fb10abc8711 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1467:5
#9 0x7fb10abc8711 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:6706:16
#10 0x7fb10abc4e0c in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1167:7
#11 0x7fb10cdedfc2 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8815:39
#12 0x7fb10cde7ca7 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8782:17
#13 0x7fb10cde7515 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7586:30
#14 0x7fb10cde5ed7 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7394:12
#15 0x7fb10cde52ed in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7313:23
#16 0x7fb10c95fb33 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:611:18
#17 0x7fb10c95f8e6 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:974:9
#18 0x7fb10c9a0c63 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:311:37
#19 0x7fb1084c58a7 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:538:21
#20 0x7fb10c1a0ec6 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1708:10
#21 0x7fb10c1a0ec6 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1665:3
#22 0x7fb10c1a25ab in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1618:3
#23 0x7fb10c1a2713 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1583:8
#24 0x7fb10c2d0169 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5480:80
#25 0x7fb10c3407a0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8822:32
#26 0x7fb107ccf3b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1789:25
#27 0x7fb107ccc5b2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1716:9
#28 0x7fb107ccd190 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1507:3
#29 0x7fb107cce299 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1607:14
#30 0x7fb10714c5f7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#31 0x7fb10714597e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1252:20
#32 0x7fb1071446b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1075:15
#33 0x7fb107144b35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#34 0x7fb1071536c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#35 0x7fb1071536c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#36 0x7fb107165723 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#37 0x7fb10716bd4f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#38 0x7fb107cd46e7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#39 0x7fb107c2f651 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#40 0x7fb107c2f651 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#41 0x7fb10c9c5958 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#42 0x7fb10ca8b754 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:539:33
#43 0x7fb10d9a5b7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#44 0x7fb107cd5594 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7fb107c2f651 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#46 0x7fb107c2f651 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#47 0x7fb10d9a4fb9 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#48 0x622ce618c0ae in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22

Comment 1

[Emilio Cobos Álvarez (:emilio)]

This one is this code not dealing with shadow DOM. At the very least should be using CompareTreePosition (ideally with ShadowIncludingDOM order, and some caching)

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250328212938-f31082d6f90f.
The bug appears to have been introduced in the following build range:

Start: 931a44705ab388cc72fd492e051ceda0a2827743 (20250327123715)
End: 9a82ba2065505026e26c67a7bf58bfdce0a16b89 (20250327134432)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=931a44705ab388cc72fd492e051ceda0a2827743&tochange=9a82ba2065505026e26c67a7bf58bfdce0a16b89

Comment 3

[Daniel Holbert [:dholbert]]

(In reply to Bugmon [:jkratzer for issues] from comment #2)

The bug appears to have been introduced in the following build range

From the perspective of "do we assert", this is a regression from bug 1956780 in that range (which where we added the assertion that's failing here). But as emilio notes in comment 1, this new assertion is really just highlighting a problem that goes back much further.

Comment 4

[Daniel Holbert [:dholbert]]

I think the outcome of this defect is just that we might process our SVG animation elements in the wrong order, potentially producing the wrong animated result. (If we have two animation elements targeting the same element, then the later one "stacks" its animation on top of the earlier one, replacing or building-upon its animated value. And this assertion is highlighting a case where we might get confused about which animation stacks on top of the other one, if I'm understanding correctly.)

Comment 5

[Jens Stutte [:jstutte]]

I think the outcome of this defect is just that we might process our SVG animation elements in the wrong order, potentially producing the wrong animated result.

Note that std::sort can also react badly on non-stable comparators and worst case crash, which is one good reason for having these checks.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

:tsmith, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.

Comment 7

[Daniel Holbert [:dholbert]]

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #6)

:tsmith, since this bug is a regression, could you fill (if possible) the regressed_by field?

See comment 3. This isn't a recent user-facing regression, and I don't think it really makes sense to track it as a regression.

If it's useful for the fuzzing team to have it tracked as a regression for some reason, though, we could mark it as a regression from bug 216462 (where we added this nsSMILAnimationFunction::CompareTo function in question) or bug 1956780 (where we added the debug-only assertion that's telling us that there's a problem).

Comment 8

[Robert Longson [:longsonr]]

Attachment: Bug 1957178 - SMIL node sorting should account for shadow dom elements r=emilio

Comment 9

[Robert Longson [:longsonr]]

https://www.google.com/url?q=https://treeherder.mozilla.org/%23/jobs?repo%3Dtry%26revision%3Ddc5bb377dbfe217735a791a0f3c8bf6177969b31&source=gmail&ust=1750419971746000&usg=AOvVaw3vQkFJYx01WutJYTpCBSQM

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:longsonr, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 11

[Pulsebot]

Pushed by longsonr@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/2f4ce082760b
https://hg.mozilla.org/integration/autoland/rev/b6406f937125
SMIL node sorting should account for shadow dom elements r=emilio

Comment 12

[Pulsebot]

Pushed by amarc@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/6e119216eebd
https://hg.mozilla.org/integration/autoland/rev/d827994b21c1
Revert "Bug 1957178 - SMIL node sorting should account for shadow dom elements r=emilio" for causing build bustages @ SMILAnimationFunction.h

Comment 13

[amarc]

Backed out for causing build bustages @ SMILAnimationFunction.h

• Backout link
• Push with failures
• Failure Log

Comment 14

[Robert Longson [:longsonr]]

https://treeherder.mozilla.org/jobs?repo=try&revision=d81f7fa66888db1dfed3185a52e643eb9cb32a03

Comment 15

[Pulsebot]

Pushed by longsonr@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/e2be00f7b70e
https://hg.mozilla.org/integration/autoland/rev/272a0b7231fd
SMIL node sorting should account for shadow dom elements r=emilio

Comment 16

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/53318 for changes under testing/web-platform/tests

Comment 17

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/272a0b7231fd

Comment 18

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 19

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250623212838-d06391b8fd49.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.