Closed
Bug 1979163
Opened 9 months ago
Closed 9 months ago
Assertion failure: sInServoTraversal || NS_IsMainThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
143 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | 142+ | fixed |
| firefox141 | --- | wontfix |
| firefox142 | + | fixed |
| firefox143 | + | fixed |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 2 open bugs, Regression, )
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main142+r][adv-esr140.2+r])
Attachments
(2 files)
|
666 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-release-
diannaS
:
approval-mozilla-esr140+
|
Details | Review |
Found while fuzzing 20250524-a795f9ea4abe (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: sInServoTraversal || NS_IsMainThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33
5|0|libxul.so|gfxFontUtils::IsInServoTraversal()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFontUtils.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|1828|0xcf
5|1|libxul.so|gfxFontGroup::EnsureFontList()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|1920|0xc2
5|2|libxul.so|gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*, bool*)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|2267|0x37
5|3|libxul.so|gfxFontGroup::GetMetricsForCSSUnits(nsFontMetrics::FontOrientation, mozilla::StyleQueryFontMetricsFlags)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|3937|0x41
5|4|libxul.so|Gecko_GetFontMetrics|hg:hg.mozilla.org/mozilla-central:layout/style/GeckoBindings.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|1333|0xe4
5|5|libxul.so|style::gecko::media_queries::Device::query_font_metrics|hg:hg.mozilla.org/mozilla-central:servo/components/style/gecko/media_queries.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|240|0x52
5|6|libxul.so|style::values::computed::Context::query_font_metrics|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/computed/mod.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|398|0x12e
5|7|libxul.so|style::values::specified::length::FontRelativeLength::to_computed_value|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/specified/length.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|214|0x185
5|8|libxul.so|style::values::computed::length::<impl style::values::specified::length::NoCalcLength>::to_computed_value_with_base_size|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/computed/length.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|59|0xc0
5|9|libxul.so|<style::values::generics::length::GenericSize<LengthPercent> as style::values::computed::ToComputedValue>::to_computed_value|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/generics/length.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|149|0x5d
5|10|libxul.so|style::properties::generated::longhands::max_width::cascade_property|s3:gecko-generated-sources:58f7852b8e80e73bdb9c3ed15bff2f50f26f2d082ab2c17aac5274e09e3c1ff8fbf12b37e6d2f841986ce7bc586fa21366c4890d821dcfa9f2ddd8b79aeefb51/x86_64-unknown-linux-gnu/debug/build/style-986aa5c42440e502/out/properties.rs:|36655|0x78
5|11|libxul.so|style::properties::cascade::Cascade::apply_one_longhand|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|969|0x9ab
5|12|libxul.so|style::properties::cascade::Cascade::apply_non_prioritary_properties|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|864|0x97
5|13|libxul.so|style::properties::cascade::cascade_rules|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|198|0x7af
5|14|libxul.so|style::style_resolver::StyleResolverForElement<E>::cascade_style_and_visited|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|383|0x11e
5|15|libxul.so|style::style_resolver::StyleResolverForElement<E>::cascade_primary_style|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|277|0x49e
5|16|libxul.so|style::style_resolver::StyleResolverForElement<E>::cascade_styles_with_default_parents::{{closure}}|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|412|0x68
5|17|libxul.so|style::style_resolver::StyleResolverForElement<E>::cascade_styles_with_default_parents|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|411|0x172
5|18|libxul.so|style::traversal::compute_style|hg:hg.mozilla.org/mozilla-central:servo/components/style/traversal.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|656|0x291
5|19|libxul.so|style::parallel::style_trees|hg:hg.mozilla.org/mozilla-central:servo/components/style/parallel.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|158|0x31e
5|20|libxul.so|<rayon_core::job::HeapJob<BODY> as rayon_core::job::Job>::execute|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/job.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|169|0x17a
5|21|libxul.so|rayon_core::registry::WorkerThread::wait_until_cold|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|786|0x61
5|22|libxul.so|rayon_core::registry::ThreadBuilder::run|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|53|0x3ee
5|23|libxul.so|std::sys::backtrace::__rust_begin_short_backtrace|/builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs|152|0x48
5|24|libxul.so|core::ops::function::FnOnce::call_once{{vtable.shim}}|/builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs|250|0xcc
5|25|libxul.so|std::sys::pal::unix::thread::Thread::new::thread_start|git:github.com/rust-lang/rust:library/std/src/sys/pal/unix/thread.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|106|0x2a
5|26|firefox-bin|set_alt_signal_stack_and_start(PthreadCreateParams*)|hg:hg.mozilla.org/mozilla-central:mozglue/interposers/pthread_create_interposer.cpp:b2a061d1d75adbd5d6347c2583d9841c1e04b25a|81|0x10c
|
Reporter | |
Comment 1•9 months ago
|
||
This issue is frequently reported by live site testing.
Blocks: site-scout
URL: http://paypal.com/
|
||
Comment 2•9 months ago
|
||
Verified bug as reproducible on mozilla-central 20250724212906-2c28b9cc7958.
Unable to bisect testcase (Testcase does not reproduce on end build!):
Start: 69a2460cfcb3a816edaf95e35971cdabc9ce13b7 (20240726035627)
End: a795f9ea4abe1ed0da391aa3800c3d51b5563b7b (20250524200639)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Updated•9 months ago
|
Keywords: regression
Regressed by: 1967507
|
|
Assignee | |
Comment 3•9 months ago
|
||
Bug 1967507 made the AutoPrepareTraversal scope smaller, but missed this
loop.
|
||
Updated•9 months ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
||
Comment 4•9 months ago
|
||
Set release status flags based on info from the regressing bug 1967507
status-firefox141:
--- → affected
status-firefox142:
--- → affected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → affected
Pushed by ealvarez@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/86957807a75c
https://hg.mozilla.org/integration/autoland/rev/cd04ff88e80b
Add missing AutoPrepareTraversal. r=firefox-style-system-reviewers,dshin
|
||
Comment 6•9 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
|
|
||
Comment 7•9 months ago
|
||
Testcase crashes using the initial build (mozilla-central 20250524200639-a795f9ea4abe) but not with tip (mozilla-central 20250726091124-37783a3d0d3f.)
Unable to bisect testcase (Start build didn't crash!):
Start: a795f9ea4abe1ed0da391aa3800c3d51b5563b7b (20250524200639)
End: 37783a3d0d3fc3751c8a96c702df7210591bb524 (20250726091124)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
||
Comment 8•9 months ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox142towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 9•9 months ago
|
||
Comment on attachment 9502972 [details]
Bug 1979163 - Add missing AutoPrepareTraversal. r=#style
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: While I can't prove this fix has security implications, the fact that we use this mechanism to do main-thread-only post traversal tasks makes me a bit worried. Given the fix is trivial I think we should take it.
- User impact if declined: see above
- Fix Landed on Version: 143
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Oneliner
Flags: needinfo?(emilio)
Attachment #9502972 -
Flags: approval-mozilla-release?
Attachment #9502972 -
Flags: approval-mozilla-esr140?
Attachment #9502972 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Updated•9 months ago
|
Group: layout-core-security
|
||
Comment 10•9 months ago
|
||
Comment on attachment 9502972 [details]
Bug 1979163 - Add missing AutoPrepareTraversal. r=#style
Approved for 142.0b5
Attachment #9502972 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•9 months ago
|
|
||
Comment 11•9 months ago
|
||
| uplift | ||
|
||
Updated•9 months ago
|
Group: layout-core-security → core-security-release
status-firefox-esr115:
--- → unaffected
tracking-firefox142:
--- → +
tracking-firefox143:
--- → +
tracking-firefox-esr140:
--- → 142+
|
|
||
Comment 12•9 months ago
|
||
Comment on attachment 9502972 [details]
Bug 1979163 - Add missing AutoPrepareTraversal. r=#style
Approved for 140.2.0esr
Attachment #9502972 -
Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
|
|
||
Updated•9 months ago
|
|
|
||
Comment 13•9 months ago
|
||
| uplift | ||
|
||
Updated•9 months ago
|
Attachment #9502972 -
Flags: approval-mozilla-release? → approval-mozilla-release-
|
||
Comment 15•9 months ago
|
||
Guessing sec-low since there wasn't a sec-approval request.
Keywords: sec-low
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main142+r][adv-esr140.2+r]
|
||
Updated•9 months ago
|
QA Whiteboard: [sec] [uplift] [qa-triage-done-c143/b142]
Flags: qe-verify-
|
|
||
Updated•19 days ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•