Hit MOZ_CRASH(assertion `left == right` failed: invalid cache left: 1 right: 2) at /servo/components/selectors/matching.rs:1448
Categories: Core :: CSS Parsing and Computation, defect, P3
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: bugmon, pernosco, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (335 bytes, text/html)
Testcase found while fuzzing mozilla-central rev d2b2bd27992f (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build d2b2bd27992f --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(assertion `left == right` failed: invalid cache left: 1 right: 2) at /servo/components/selectors/matching.rs:1448
==154039==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ba9f7fffc3a bp 0x7fff01345e60 sp 0x7fff01345e50 T154039)
==154039==The signal is caused by a WRITE memory access.
==154039==Hint: address points to the zero page.
#0 0x7ba9f7fffc3a in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7ba9f7fffc3a in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
#2 0x7ba9f7fffc3a in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#3 0x7ba9f7fff7b4 in mozglue_static::panic_hook::h3cca02a701fe6bfa /mozglue/static/rust/lib.rs:99:9
#4 0x7ba9f7fff26b in core::ops::function::Fn::call::h4d8aff75ae450292 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5
#5 0x7ba9f959ab42 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h7c356b28a03897d7 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/alloc/src/boxed.rs:1990:9
#6 0x7ba9f959ab42 in std::panicking::rust_panic_with_hook::h541791bcc774ef34 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:839:13
#7 0x7ba9f959a7f9 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h6479a2f0137c7d19 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:704:13
#8 0x7ba9f95997f8 in std::sys::backtrace::__rust_end_short_backtrace::ha04e7c0fc61ded91 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/sys/backtrace.rs:168:18
#9 0x7ba9f959a48c in rust_begin_unwind /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:695:5
#10 0x7ba9f95c355f in core::panicking::panic_fmt::h5764ee7030b7a73d /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs:75:14
#11 0x7ba9f95c39ea in core::panicking::assert_failed_inner::h75e36b16d296c663 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs
#12 0x7ba9f957aea7 in core::panicking::assert_failed::he7ee06b5c158f08d /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs:380:5
#13 0x7ba9f8e55a9b in selectors::matching::matches_generic_nth_child::h1891d539874a2d8e /servo/components/selectors/matching.rs:1448:5
#14 0x7ba9f8e537df in selectors::matching::matches_simple_selector::_$u7b$$u7b$closure$u7d$$u7d$::h320d2391f2a74e7f /servo/components/selectors/matching.rs:1265:17
#15 0x7ba9f8e537df in selectors::context::MatchingContext$LT$Impl$GT$::nest::h145e657451cfcbca /servo/components/selectors/context.rs:356:22
#16 0x7ba9f8e537df in selectors::matching::matches_simple_selector::h7f480e3e093bb162 /servo/components/selectors/matching.rs:1264:20
#17 0x7ba9f8e5869f in selectors::matching::matches_compound_selector::_$u7b$$u7b$closure$u7d$$u7d$::h8b48254c8387711a /servo/components/selectors/matching.rs:1172:18
#18 0x7ba9f8e5869f in selectors::kleene_value::KleeneValue::any_value::hd7224fc697dea713 /servo/components/selectors/kleene_value.rs:65:21
#19 0x7ba9f8e5869f in selectors::kleene_value::KleeneValue::any_false::h713459c4ac756559 /servo/components/selectors/kleene_value.rs:52:9
#20 0x7ba9f8e5869f in selectors::matching::matches_compound_selector::h8dea03aceb373a4f /servo/components/selectors/matching.rs:1170:5
#21 0x7ba9f8e5869f in selectors::matching::matches_complex_selector_internal::h6cf8faf1cc125d46 /servo/components/selectors/matching.rs:825:22
#22 0x7ba9f8d71051 in selectors::matching::matches_complex_selector::h514d26ef80f71020 /servo/components/selectors/matching.rs:445:5
#23 0x7ba9f8d71051 in selectors::matching::matches_selector_kleene::h53c86113fa1fe853 /servo/components/selectors/matching.rs:295:5
#24 0x7ba9f8d71051 in selectors::matching::matches_selector::hb652108debe05f28 /servo/components/selectors/matching.rs:265:18
#25 0x7ba9f8d71051 in style::selector_map::SelectorMap$LT$style..stylist..Rule$GT$::get_matching_rules::h8189cd58606a05bd /servo/components/style/selector_map.rs:339:21
#26 0x7ba9f8d78d00 in style::selector_map::SelectorMap$LT$style..stylist..Rule$GT$::get_all_matching_rules::h36c14cb05a6b1d4f /servo/components/style/selector_map.rs:310:9
#27 0x7ba9f8d78d00 in style::rule_collector::RuleCollector$LT$E$GT$::collect_rules_in_map::h6bfe5fa0c7e03ec9 /servo/components/style/rule_collector.rs:252:9
#28 0x7ba9f8d7923e in style::rule_collector::RuleCollector$LT$E$GT$::collect_stylist_rules::_$u7b$$u7b$closure$u7d$$u7d$::h90bc9968489e0d93 /servo/components/style/rule_collector.rs:171:13
#29 0x7ba9f8d7923e in style::rule_collector::RuleCollector$LT$E$GT$::in_tree::hd967f4fe3403665f /servo/components/style/rule_collector.rs:144:9
#30 0x7ba9f8d7923e in style::rule_collector::RuleCollector$LT$E$GT$::collect_stylist_rules::hd0af5638258b2fca /servo/components/style/rule_collector.rs:170:9
#31 0x7ba9f8d748fb in style::rule_collector::RuleCollector$LT$E$GT$::collect_document_author_rules::h96da4ba69bac373b /servo/components/style/rule_collector.rs:383:9
#32 0x7ba9f8d748fb in style::rule_collector::RuleCollector$LT$E$GT$::collect_all::h8e74e2650f89e6c8 /servo/components/style/rule_collector.rs:515:9
#33 0x7ba9f8db4151 in style::stylist::Stylist::push_applicable_declarations::h33cc51f60745dd6d /servo/components/style/stylist.rs:1473:9
#34 0x7ba9f8d7ae1d in style::style_resolver::StyleResolverForElement$LT$E$GT$::match_primary::hcea334707205d56f /servo/components/style/style_resolver.rs:527:9
#35 0x7ba9f8d7c341 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::he2d255bfffc9d3bf /servo/components/style/style_resolver.rs:222:44
#36 0x7ba9f8d7b26e in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h8c5d9b09ebbde6da /servo/components/style/style_resolver.rs:295:13
#37 0x7ba9f8dbe4c2 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h93023ea247961be9 /servo/components/style/style_resolver.rs:331:13
#38 0x7ba9f8dbe4c2 in style::style_resolver::with_default_parent_styles::h157b51882bcdf9ee /servo/components/style/style_resolver.rs:139:5
#39 0x7ba9f8dbe4c2 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::hfcd5362bbc49b533 /servo/components/style/style_resolver.rs:330:9
#40 0x7ba9f8dbe4c2 in style::traversal::compute_style::h6060b4101798cb06 /servo/components/style/traversal.rs:614:25
#41 0x7ba9f8dbb8b1 in style::traversal::recalc_style_at::h363ebf1f04c70886 /servo/components/style/traversal.rs:428:13
#42 0x7ba9f8dbb8b1 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::hb01fbf1aba894c53 /servo/components/style/gecko/traversal.rs:37:13
#43 0x7ba9f8dbb8b1 in style::parallel::style_trees::h27b40aeff4b8adaf /servo/components/style/parallel.rs:158:9
#44 0x7ba9f8d8c7f6 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h878263eb26d264b6 /servo/components/style/driver.rs:138:9
#45 0x7ba9f8d8b8a6 in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::h47eea89868640e85 /servo/components/style/driver.rs:68:17
#46 0x7ba9f8d8b8a6 in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h47a1ef867a7c14d4 /third_party/rust/rayon-core/src/scope/mod.rs:457:36
#47 0x7ba9f8d8b8a6 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hbe32182bbd5fbc11 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:272:9
#48 0x7ba9f8d8b8a6 in std::panicking::try::do_call::h471d255c88afab85 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:587:40
#49 0x7ba9f8d8b8a6 in std::panicking::try::h03c892c083635631 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:550:19
#50 0x7ba9f8d8b8a6 in std::panic::catch_unwind::hcbd8bf79944be645 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:358:14
#51 0x7ba9f8d8b8a6 in rayon_core::unwind::halt_unwinding::h144f954b4e00e01a /third_party/rust/rayon-core/src/unwind.rs:17:5
#52 0x7ba9f8d8b8a6 in rayon_core::scope::ScopeBase::execute_job_closure::h502781eafc8c3106 /third_party/rust/rayon-core/src/scope/mod.rs:689:28
#53 0x7ba9f8d8b8a6 in rayon_core::scope::ScopeBase::complete::hfadff19bedcd55e4 /third_party/rust/rayon-core/src/scope/mod.rs:667:31
#54 0x7ba9f8d8b8a6 in rayon_core::scope::do_in_place_scope_fifo::h7729903ab112a1d0 /third_party/rust/rayon-core/src/scope/mod.rs:457:5
#55 0x7ba9f8d8b8a6 in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::h148d8a648afd8f45 /third_party/rust/rayon-core/src/thread_pool/mod.rs:333:9
#56 0x7ba9f8d8b8a6 in style::driver::with_pool_in_place_scope::ha8827ccfe1972f65 /servo/components/style/driver.rs:60:14
#57 0x7ba9f8d8b8a6 in style::driver::traverse_dom::h9f350ccc9fe6662d /servo/components/style/driver.rs:127:5
#58 0x7ba9f8e643d3 in geckoservo::glue::traverse_subtree::hf752590239db18ca /servo/ports/geckolib/glue.rs:316:5
#59 0x7ba9f8e64898 in Servo_TraverseSubtree /servo/ports/geckolib/glue.rs:376:5
#60 0x7ba9f402d15c in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /layout/style/ServoStyleSet.cpp:826:9
#61 0x7ba9f40e7d03 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3262:20
#62 0x7ba9f40bd075 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3397:3
#63 0x7ba9f40bc3e8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4622:37
#64 0x7ba9f02b1767 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1454:5
#65 0x7ba9f02b1767 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:11448:16
#66 0x7ba9ef28f070 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:728:14
#67 0x7ba9ef290469 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:666:5
#68 0x7ba9f45cefcf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13834:23
#69 0x7ba9ee66e64f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:636:22
#70 0x7ba9ee66f7d6 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10
#71 0x7ba9f02b6b7c in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:12246:18
#72 0x7ba9f029d35e in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8554:3
#73 0x7ba9f035f605 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#74 0x7ba9f035f605 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#75 0x7ba9f035f605 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#76 0x7ba9f035f605 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#77 0x7ba9f035f605 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#78 0x7ba9f035f605 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#79 0x7ba9f035f605 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#80 0x7ba9ee404e67 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:703:16
#81 0x7ba9ee3fe1ee in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1252:20
#82 0x7ba9ee3fcf27 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1075:15
#83 0x7ba9ee3fd3a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:639:36
#84 0x7ba9ee40bf36 in operator() /xpcom/threads/TaskController.cpp:333:37
#85 0x7ba9ee40bf36 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#86 0x7ba9ee41df93 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
#87 0x7ba9ee4246bf in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#88 0x7ba9eefbea97 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#89 0x7ba9eef18ef1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#90 0x7ba9eef18ef1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#91 0x7ba9f3ca8f98 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#92 0x7ba9f3d6f124 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:539:33
#93 0x7ba9f4c9ed2b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:646:20
#94 0x7ba9eefbf944 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#95 0x7ba9eef18ef1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#96 0x7ba9eef18ef1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#97 0x7ba9f4c9e169 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:584:34
#98 0x5c9dbaad022e in main /browser/app/nsBrowserApp.cpp:397:22
#99 0x7ba9fea3d1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#100 0x7ba9fea3d28a in __libc_start_main csu/../csu/libc-start.c:360:3
#101 0x5c9dbaaa3a98 in _start (/home/jkratzer/builds/m-c-20250418091223-fuzzing-debug/firefox-bin+0x5da98) (BuildId: 0dfdcb3b5ac7cd4bdb25306320d412aa97ecbf58)
==154039==Register values:
rax = 0x00000000000005a8 rbx = 0x00007fff01346080 rcx = 0x0000000000000000 rdx = 0x00007ba9fec17563
rdi = 0x00007ba9fec18700 rsi = 0x0000000000000000 rbp = 0x00007fff01345e60 rsp = 0x00007fff01345e50
r8 = 0x0000000000000000 r9 = 0x0000000000000003 r10 = 0x0000000000000000 r11 = 0x0000000000000293
r12 = 0x3ecacd956843e7a6 r13 = 0x7dbd9dbbbfd8facb r14 = 0x00000000000005a8 r15 = 0x00007fff01346080
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
==154039==ABORTING
Comment 1•25 days ago (Reporter)
Comment 2•25 days ago
Verified bug as reproducible on mozilla-central 20250418091223-d2b2bd27992f.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 99364906cd1d11016d0fc2dc03a8b7fd11705aa4 (20240419094732)
End: d2b2bd27992fb41846f44a0e69a0560ff77e93e6 (20250418091223)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Comment 3•18 days ago
Probably we're looking up a selector with different matching modes for :visited.
Comment 4•16 days ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.