Open Bug 1993534 Opened 1 day ago Updated 3 hours ago

Assertion failure: aValue.IsLengthUnit(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MappedDeclarationsBuilder.h:134

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Type:
defect

Tracking

()

Status:
ASSIGNED
Tracking Flags:
Tracking Status
firefox145 --- affected

People

(Reporter: tsmith, Assigned: eri)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
152 bytes, text/html
Details
Bug 1993534 - Fix IsLengthUnit range r?fredw,emilio
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing 20251008-da5bff21c5c7 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aValue.IsLengthUnit(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MappedDeclarationsBuilder.h:134

#0 0x7afa147faf81 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7afa147faf81 in mozilla::MappedDeclarationsBuilder::SetLengthValue(nsCSSPropertyID, nsCSSValue const&) /builds/worker/workspace/obj-build/dist/include/mozilla/MappedDeclarationsBuilder.h:134:5
#2 0x7afa147f997f in mozilla::dom::MathMLElement::MapGlobalMathMLAttributesInto(mozilla::MappedDeclarationsBuilder&) /builds/worker/checkouts/gecko/dom/mathml/MathMLElement.cpp:461:16
#3 0x7afa127a2387 in mozilla::dom::Document::DoResolveScheduledPresAttrs() /builds/worker/checkouts/gecko/dom/base/Document.cpp:9318:7
#4 0x7afa1671006f in ResolveScheduledPresAttrs /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:1362:5
#5 0x7afa1671006f in mozilla::ServoStyleSet::PreTraverseSync() /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:335:14
#6 0x7afa167101d8 in mozilla::ServoStyleSet::PreTraverse(mozilla::ServoTraversalFlags, mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:357:3
#7 0x7afa167083ad in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:803:3
#8 0x7afa16707701 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3252:20
#9 0x7afa16709075 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3390:3
#10 0x7afa167aefd3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4622:37
#11 0x7afa144a2311 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1502:5
#12 0x7afa144a2311 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:6930:16
#13 0x7afa1449df5f in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1214:7
#14 0x7afa167c5f3c in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9408:39
#15 0x7afa167beed5 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9375:17
#16 0x7afa167c3eeb in mozilla::PresShell::EventHandler::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9282:17
#17 0x7afa14544c5d in HandleEventWithTarget /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:679:25
#18 0x7afa14544c5d in mozilla::PointerEventHandler::DispatchPointerFromMouseOrTouch(mozilla::PresShell*, nsIFrame*, nsIContent*, mozilla::dom::Element*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/worker/checkouts/gecko/dom/events/PointerEventHandler.cpp:1350:12
#19 0x7afa167c1071 in mozilla::PresShell::EventHandler::DispatchPrecedingPointerEvent(AutoWeakFrame&, mozilla::WidgetGUIEvent*, mozilla::dom::Element*, bool, mozilla::PresShell::EventHandler::EventTargetData*, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8299:3
#20 0x7afa167be786 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(AutoWeakFrame&, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7921:8
#21 0x7afa167bd377 in mozilla::PresShell::EventHandler::HandleEvent(AutoWeakFrame&, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7803:12
#22 0x7afa167bbe07 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7623:23
#23 0x7afa16313ee3 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:611:18
#24 0x7afa16313c96 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:983:9
#25 0x7afa163581c3 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:309:37
#26 0x7afa11c7fc17 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:538:21
#27 0x7afa15b5da6b in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1849:10
#28 0x7afa15b5da6b in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1806:3
#29 0x7afa15b5f46b in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1757:3
#30 0x7afa15b5f623 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1715:8
#31 0x7afa15c7cf21 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5305:80
#32 0x7afa15cec543 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8446:32
#33 0x7afa114828de in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#34 0x7afa1147fe60 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#35 0x7afa11480867 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#36 0x7afa11481849 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#37 0x7afa1087f527 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#38 0x7afa10879e07 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#39 0x7afa10878ab7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#40 0x7afa10878f35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#41 0x7afa10886396 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#42 0x7afa10886396 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
#43 0x7afa108983b3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1157:16
#44 0x7afa1089ec6f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:462:10
#45 0x7afa11488157 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#46 0x7afa113e2a91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#47 0x7afa113e2a91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#48 0x7afa16379bf8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7afa16447bd4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#50 0x7afa1746fc8b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:20
#51 0x7afa11489004 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7afa113e2a91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#53 0x7afa113e2a91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#54 0x7afa1746f3e1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:595:34
#55 0x6476a87b6edc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:420:22
#56 0x7afa21945d8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#57 0x7afa21945e3f in __libc_start_main ./csu/../csu/libc-start.c:392:3
#58 0x6476a878a718 in _start ??:0:0
Flags: in-testsuite?

@Eri: Can you please take a look ? This might be related to bug 1924672.

Flags: needinfo?(eri)
Assignee: nobody → eri
Status: NEW → ASSIGNED

The issue was the IsLengthUnit function. The viewport values were before the absolute ones, but they were removed in D31706. When they were reintroduced in D180619 after the absolute values the IsLengthUnit function wasn't updated with the new range, so it was failing there.

Flags: needinfo?(eri)

Verified bug as reproducible on mozilla-central 20251010092930-a73ff662577c.
The bug appears to have been introduced in the following build range:

Start: 1fdb4a92679c0ccd32bd1b9498a386ece45a2bd0 (20250501152114)
End: 2bd090dba619736456d8c6d23df297f02f650492 (20250501152726)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1fdb4a92679c0ccd32bd1b9498a386ece45a2bd0&tochange=2bd090dba619736456d8c6d23df297f02f650492

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: