1837487 - Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Unknown unit type), at /builds/worker/checkouts/gecko/dom/svg/SVGGeometryProperty.cpp:49

Status: RESOLVED FIXED

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230526-d49f009b89ad (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Unknown unit type), at /builds/worker/checkouts/gecko/dom/svg/SVGGeometryProperty.cpp:49

#0 0x7f4b56819aa6 in mozilla::dom::SVGGeometryProperty::SpecifiedUnitTypeToCSSUnit(unsigned char) /builds/worker/checkouts/gecko/dom/svg/SVGGeometryProperty.cpp:49:7
#1 0x7f4b567fad30 in mozilla::dom::SVGElement::UpdateDeclarationBlockFromLength(mozilla::DeclarationBlock&, nsCSSPropertyID, mozilla::SVGAnimatedLength const&, mozilla::dom::SVGElement::ValToUse) /builds/worker/checkouts/gecko/dom/svg/SVGElement.cpp:1064:23
#2 0x7f4b567fb598 in TellStyleAlreadyParsedResult /builds/worker/checkouts/gecko/dom/svg/SVGElement.cpp:1205:3
#3 0x7f4b567fb598 in mozilla::dom::SVGElement::UpdateContentDeclarationBlock() /builds/worker/checkouts/gecko/dom/svg/SVGElement.cpp:1248:26
#4 0x7f4b5394dab9 in mozilla::dom::Document::ResolveScheduledSVGPresAttrs() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8690:10
#5 0x7f4b5769de9c in ResolveMappedAttrDeclarationBlocks /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:329:14
#6 0x7f4b5769de9c in mozilla::ServoStyleSet::PreTraverseSync() /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:344:3
#7 0x7f4b5769e008 in mozilla::ServoStyleSet::PreTraverse(mozilla::ServoTraversalFlags, mozilla::dom::Element*) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:368:3
#8 0x7f4b5769fec9 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:811:3
#9 0x7f4b577668f6 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3127:20
#10 0x7f4b5773b210 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3264:3
#11 0x7f4b5773a2ed in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4329:39
#12 0x7f4b5395e10e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1464:5
#13 0x7f4b5395e10e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10887:16
#14 0x7f4b52d733ce in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#15 0x7f4b52d74894 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#16 0x7f4b58ea503f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13848:23
#17 0x7f4b51fb4eff in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#18 0x7f4b51fb6420 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#19 0x7f4b5396329c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11675:18
#20 0x7f4b53949714 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8145:3
#21 0x7f4b53a00709 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#22 0x7f4b53a00709 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#23 0x7f4b53a00709 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#24 0x7f4b53a00709 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#25 0x7f4b53a00709 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#26 0x7f4b53a00709 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#27 0x7f4b53a00709 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#28 0x7f4b51d68912 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#29 0x7f4b51d73b37 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#30 0x7f4b51d6ebea in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#31 0x7f4b51d6d557 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#32 0x7f4b51d6d9b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#33 0x7f4b51d771a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#34 0x7f4b51d771a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#35 0x7f4b51d8e12a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16
#36 0x7f4b51d94fdd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#37 0x7f4b52a42715 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#38 0x7f4b5295e931 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7f4b5295e931 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7f4b57350048 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#41 0x7f4b59678b8b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#42 0x7f4b52a435f6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#43 0x7f4b5295e931 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#44 0x7f4b5295e931 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#45 0x7f4b59678452 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#46 0x55a5f68e3526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x55a5f68e3526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#48 0x7f4b65a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#49 0x7f4b65a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#50 0x55a5f68ba7c8 in _start (/home/user/workspace/browsers/m-c-20230607214358-fuzzing-debug/firefox-bin+0x587c8) (BuildId: a51cce1359e84ee61fddf883ec41bc4b4d57e313)

Comment 1

[Robert Longson [:longsonr]]

Attachment: Bug 1837487 - stop asserting when Q units are used r=emilio

Comment 2

[Robert Longson [:longsonr]]

https://treeherder.mozilla.org/jobs?repo=try&revision=f53e1aa7fedbc23a8a462767f26e029f89857b10

Comment 3

[Pulsebot]

Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/09d4beafb940
stop asserting when Q units are used r=emilio

Comment 4

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/09d4beafb940

Comment 5

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1837487 using build mozilla-central 20230526040655-d49f009b89ad. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.