Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1018
Categories
(Core :: DOM: Animation, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox152 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Keywords: ai-involved, assertion, crash, Whiteboard: [scrollanimation:triage])
Crash Data
Attachments
(1 file)
|
887 bytes,
text/html
|
Details |
Found while fuzzing m-c 20260429-5444ab34b79d (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --repeat 10
The testcase is not 100% reliable and may take 4 or 5 reloads.
Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1018
#0 0x7bffd463e441 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7bffd463e441 in ref /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1018:3
#2 0x7bffd463e441 in Value /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Nullable.h:65:30
#3 0x7bffd463e441 in mozilla::dom::Animation::UpdatePlaybackRate(double) /builds/worker/workspace/obj-build/dom/animation/./../../../../checkouts/gecko/dom/animation/Animation.cpp:692:41
#4 0x7bffd50f7337 in mozilla::dom::Animation_Binding::updatePlaybackRate(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./AnimationBinding.cpp:1192:24
#5 0x7bffd6b7d581 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./../../../../checkouts/gecko/dom/bindings/BindingUtils.cpp:3217:13
#6 0x7bffdfde424d in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:488:13
#7 0x7bffdfde424d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:12
#8 0x7bffdefeac30 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/js/src/jit/./../../../../../checkouts/gecko/js/src/jit/BaselineIC.cpp:1713:10
#9 0x1eed8bcd18f3 ([anon:js-executable-memory]+0x28f3)
|
Reporter | |
Comment 1•2 days ago
|
||
Debug builds report: Assertion failure: mTimeline && !mTimeline->GetCurrentTimeAsDuration().IsNull() (If we have no active timeline, we should be idle or paused), at checkouts/gecko/dom/animation/Animation.cpp:683
|
||
Updated•2 days ago
|
|
||
Comment 2•2 days ago
|
||
One of my local patches fixes this assertion. Though the patch is not complete since there's a new wpt failure (you can see it on https://treeherder.mozilla.org/jobs?repo=try&revision=a38fd36ba58cdb9f4f3f1b5b39a021373050d30e&selectedTaskRun=JXpMhdXcRBqlLuMhIDhnRA.0).
Anyways, I am going to file a new bug and post patches there. Note that the patch depends on bug 2006258 and I've modified the patch for bug 2006258.
|
||
Comment 3•2 days ago
|
||
I get a crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/7763daf3-e214-4118-ac09-f4dff0260514#tab-bugzilla
|
||
Comment 4•1 day ago
|
||
Unable to reproduce bug 2039708 using build mozilla-central 20260429091901-5444ab34b79d. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•