Found while fuzzing m-c 20240509-8f49349eeb0e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mXTextScale == aNewData.mXTextScale (expected -x-text-scale to be the same on both nsStyleFonts), at /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:265

#0 0x7cd687a312da in nsStyleFont::CalcDifference(nsStyleFont const&) const /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:264:3
#1 0x7cd6879a11ef in mozilla::ComputedStyle::CalcStyleDifference(mozilla::ComputedStyle const&, unsigned int*) const /builds/worker/checkouts/gecko/layout/style/ComputedStyle.cpp:171:3
#2 0x7cd6879c3717 in Gecko_CalcStyleDifference /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:333:18
#3 0x7cd68d05dd10 in style::gecko::restyle_damage::GeckoRestyleDamage::compute_style_difference::h673888dfc2d82098 /builds/worker/checkouts/gecko/servo/components/style/gecko/restyle_damage.rs:53:13
#4 0x7cd68cc5e02c in style::matching::MatchMethods::compute_style_difference::hed1f5eba2f50a29a /builds/worker/checkouts/gecko/servo/components/style/matching.rs:1246:9
#5 0x7cd68cc5e02c in style::matching::PrivateMatchMethods::accumulate_damage_for::h4457384f73838f49 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:874:26
#6 0x7cd68cc64629 in style::matching::MatchMethods::finish_restyle::h68370a7940cc1a13 /builds/worker/checkouts/gecko/servo/components/style/matching.rs:1157:13
#7 0x7cd68cc64629 in style::traversal::compute_style::h8417ce1cd1a79983 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:698:5
#8 0x7cd68cc5ee41 in style::traversal::recalc_style_at::hef7494796478d76a /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:432:13
#9 0x7cd68cc5ee41 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h8709890d84226e09 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#10 0x7cd68cc5ee41 in style::parallel::style_trees::hc1457eae8c974b1d /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:157:9
#11 0x7cd68cc3bb36 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h40a68335aac13a17 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:137:9
#12 0x7cd68cc3b133 in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::h966ced914dfac2ec /builds/worker/checkouts/gecko/servo/components/style/driver.rs:67:17
#13 0x7cd68cc3b133 in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h34e102562ca491c1 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:36
#14 0x7cd68cc3b133 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hcaa91de2a53bc6b3 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panic/unwind_safe.rs:272:9
#15 0x7cd68cc3b133 in std::panicking::try::do_call::h877305a8756e32b5 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:554:40
#16 0x7cd68cc3b133 in std::panicking::try::hdfa5bb876d9b684d /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:518:19
#17 0x7cd68cc3b133 in std::panic::catch_unwind::h8389ba7ede5957ac /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panic.rs:142:14
#18 0x7cd68cc3b133 in rayon_core::unwind::halt_unwinding::hbc4713c42d58a8aa /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
#19 0x7cd68cc3b133 in rayon_core::scope::ScopeBase::execute_job_closure::h202461705a5be8ca /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:689:28
#20 0x7cd68cc3b133 in rayon_core::scope::ScopeBase::complete::hca399799339cf827 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:667:31
#21 0x7cd68cc3b133 in rayon_core::scope::do_in_place_scope_fifo::hc4cbba705ec26bda /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:457:5
#22 0x7cd68cc3b133 in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::h264f2eb8d5da0c68 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:296:9
#23 0x7cd68cc3b133 in style::driver::with_pool_in_place_scope::ha5c3f8a250fbe66c /builds/worker/checkouts/gecko/servo/components/style/driver.rs:59:14
#24 0x7cd68cc3b133 in style::driver::traverse_dom::hc95621eec93d37bb /builds/worker/checkouts/gecko/servo/components/style/driver.rs:126:5
#25 0x7cd68ccf923b in geckoservo::glue::traverse_subtree::hdf2dc9cafec57de6 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:308:5
#26 0x7cd68ccf97a1 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:368:5
#27 0x7cd6879fd35b in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:817:9
#28 0x7cd687ac0f97 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3234:20
#29 0x7cd687a92fb5 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3367:3
#30 0x7cd687a920f7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4419:39
#31 0x7cd687a8877a in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1480:5
#32 0x7cd687a8877a in DoFlushPendingNotifications /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4238:3
#33 0x7cd687a8877a in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1471:5
#34 0x7cd687a8877a in HandlePostedReflowCallbacks /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4206:5
#35 0x7cd687a8877a in mozilla::PresShell::DidDoReflow(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9755:3
#36 0x7cd687ab2477 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10158:5
#37 0x7cd687a921c3 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10183:10
#38 0x7cd687a921c3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4436:11
#39 0x7cd687614b97 in nsViewManager::CallWillPaintOnObservers() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:963:20
#40 0x7cd6876140fc in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:913:5
#41 0x7cd687610f63 in nsViewManager::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:574:7
#42 0x7cd687610e54 in nsView::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsView.cpp:1041:7
#43 0x7cd687650ed7 in mozilla::widget::PuppetWidget::Paint() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:968:31
#44 0x7cd687650e01 in mozilla::widget::PuppetWidget::WidgetPaintTask::Run() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:956:14
#45 0x7cd681f5fe07 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#46 0x7cd681f55476 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#47 0x7cd681f53c57 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#48 0x7cd681f540d5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#49 0x7cd681f63da6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#50 0x7cd681f63da6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#51 0x7cd681f790d2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#52 0x7cd681f8021d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#53 0x7cd682c89d45 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#54 0x7cd682b9fbb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#55 0x7cd682b9fbb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#56 0x7cd68767e3f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#57 0x7cd687740a08 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#58 0x7cd68959a17b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#59 0x7cd682c8ac26 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#60 0x7cd682b9fbb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#61 0x7cd682b9fbb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#62 0x7cd6895999a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#63 0x59eae9701496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x59eae9701496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#65 0x7cd696c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#66 0x7cd696c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#67 0x59eae96d71c8 in _start (/home/user/workspace/browsers/m-c-20240509094442-fuzzing-debug/firefox-bin+0x591c8) (BuildId: b78e3ca5ece73f5abd762005d6af6243a318d5bc)

Verified bug as reproducible on mozilla-central 20240512212637-45d7400ced7e.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: a74c95816b36cc52e0812c931e4a7cffb5cea14a (20230515094256)
End: 8f49349eeb0ec5df0e1dd3ddd98423138921a029 (20240509212246)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.