Bug 1832911 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Original comment by

Tyson Smith [:tsmith]

on 2023-05-12 16:30:35 PDT

Found while fuzzing m-c 20230312-a8939ff5236d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```
NOTE: Set a reasonable memory limit via ASAN_OPTIONS=hard_rss_limit_mb=# to avoid system OOMs.

The DOM fuzzers are hitting this issue multiple times a day. Issues such as this can destabilize fuzzing infrastructure. If this is not a bug providing the ability for fuzzers to work around this would be ideal (see bug 1815272). Chrome is not affected.

```
HEAP PROFILE at RSS 6132Mb
Live Heap Allocations: 6875527 bytes in 31813 chunks; quarantined: 16179200 bytes in 48933 chunks; 28148 other chunks; total chunks: 108894; showing top 90% (at most 20 unique contexts)
238316 byte(s) (3%) in 77 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7eae018868 in ft_mem_qalloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:75:15
    #2 0x7f7eae018868 in ft_mem_alloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:54:25

196608 byte(s) (2%) in 1 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7e9d6ee99c in mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::createTable(js::SystemAllocPolicy&, unsigned int, mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::FailureBehavior) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h
    #2 0x7f7e9d6fb716 in changeTableSize /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1862:22
    #3 0x7f7e9d6fb716 in rehashIfOverloaded /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1909:12
    #4 0x7f7e9d6fb716 in bool mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::add<JSAtom*&>(mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::AddPtr&, JSAtom*&) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:2163:30
    #5 0x7f7e9d6a4e61 in add<JSAtom *&> /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:623:18
    #6 0x7f7e9d6a4e61 in atomizeAndCopyCharsNonStaticValidLength<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:547:7
    #7 0x7f7e9d6a4e61 in AtomizeAndCopyCharsNonStaticValidLengthFromLookup<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:480:30
    #8 0x7f7e9d6a4e61 in AtomizeAndCopyChars<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:575:10
    #9 0x7f7e9d6a4e61 in JSAtom* js::AtomizeChars<unsigned char>(JSContext*, unsigned char const*, unsigned long) /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:832:10
    #10 0x7f7e9f3a0397 in js::StringBuffer::finishAtom() /builds/worker/checkouts/gecko/js/src/util/StringBuffer.cpp:150:20
    #11 0x7f7e9d6d7dba in NameToFunctionName(JSContext*, JS::Handle<JS::Value>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1819:13
    #12 0x7f7e9d6d74cf in js::IdToFunctionName(JSContext*, JS::Handle<JS::PropertyKey>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1851:10
    #13 0x7f7e9d805b59 in DefineAccessorPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:115:30
    #14 0x7f7e9d812ca2 in JS_DefineProperties(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:866:14
    #15 0x7f7e926d76ee in Define /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:722:10
    #16 0x7f7e926d76ee in DefinePrefable<const JSPropertySpec> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:737:12
    #17 0x7f7e926d76ee in mozilla::dom::DefineProperties(JSContext*, JS::Handle<JSObject*>, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1018:10
    #18 0x7f7e926d8336 in CreateInterfacePrototypeObject /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:974:9
    #19 0x7f7e926d8336 in mozilla::dom::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JSClass const*, JS::Heap<JSObject*>*, JS::Handle<JSObject*>, JSClass const*, unsigned int, bool, mozilla::dom::LegacyFactoryFunction const*, JS::Heap<JSObject*>*, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*, char const*, bool, char const* const*, bool, char const* const*, bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1093:13
    #20 0x7f7e900e8ddc in mozilla::dom::CSS2Properties_Binding::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59657:3
    #21 0x7f7e926ef9e6 in mozilla::dom::GetPerInterfaceObjectHandle(JSContext*, unsigned long, void (*)(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool), bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:4301:5
    #22 0x7f7e900e8196 in GetProtoObjectHandle /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:47:12
    #23 0x7f7e900e8196 in mozilla::dom::CSS2Properties_Binding::Wrap(JSContext*, nsDOMCSSDeclaration*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59597:42
    #24 0x7f7e97863714 in Wrap<nsDOMCSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:37:12
    #25 0x7f7e97863714 in WrapObject /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:31:10
    #26 0x7f7e97863714 in non-virtual thunk to nsDOMCSSDeclaration::WrapObject(JSContext*, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp
    #27 0x7f7e92461cdf in DoGetOrCreateDOMReflector<nsICSSDeclaration, (mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior)0> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1094:18
    #28 0x7f7e92461cdf in GetOrCreateDOMReflector<nsICSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1163:10
    #29 0x7f7e92461cdf in mozilla::dom::HTMLElement_Binding::get_style(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:1983:8
    #30 0x7f7e926c3a61 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3217:13
    #31 0x7f7e9d3f3503 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
    #32 0x7f7e9d3f3503 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
    #33 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #34 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #35 0x7f7e9d3f7486 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:801:10
    #36 0x7f7e9d7d11a7 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2070:12
    #37 0x7f7e9d7d11a7 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2098:12
    #38 0x7f7e9d7d11a7 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2246:14
    #39 0x7f7e9d7d11a7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2277:10
    #40 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #41 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #42 0x7f7e9d439768 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
    #43 0x7f7e9d40cef0 in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
    #44 0x7f7e9d40cef0 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
    #45 0x7f7e9d3f22a8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
    #46 0x7f7e9d3f22a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
    #47 0x7f7e9d3f36bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #48 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #49 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #50 0x7f7e9d561f5b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #51 0x7f7e9206b4c0 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #52 0x7f7e9352a576 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #53 0x7f7e93528469 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
```

Revision 1 by

Tyson Smith [:tsmith]

on 2023-05-12 16:33:11 PDT

Found while fuzzing m-c 20230312-a8939ff5236d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
```
NOTE: Set a reasonable memory limit via ASAN_OPTIONS=hard_rss_limit_mb=# to avoid system OOMs.

The DOM fuzzers are hitting this issue multiple times a day. Issues such as this can destabilize fuzzing infrastructure. If this is not a bug providing the ability for fuzzers to work around this would be ideal (see bug 1815272). Chrome is not affected.

```
HEAP PROFILE at RSS 6132Mb
Live Heap Allocations: 6875527 bytes in 31813 chunks; quarantined: 16179200 bytes in 48933 chunks; 28148 other chunks; total chunks: 108894; showing top 90% (at most 20 unique contexts)
238316 byte(s) (3%) in 77 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7eae018868 in ft_mem_qalloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:75:15
    #2 0x7f7eae018868 in ft_mem_alloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:54:25

196608 byte(s) (2%) in 1 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7e9d6ee99c in mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::createTable(js::SystemAllocPolicy&, unsigned int, mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::FailureBehavior) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h
    #2 0x7f7e9d6fb716 in changeTableSize /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1862:22
    #3 0x7f7e9d6fb716 in rehashIfOverloaded /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1909:12
    #4 0x7f7e9d6fb716 in bool mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::add<JSAtom*&>(mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::AddPtr&, JSAtom*&) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:2163:30
    #5 0x7f7e9d6a4e61 in add<JSAtom *&> /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:623:18
    #6 0x7f7e9d6a4e61 in atomizeAndCopyCharsNonStaticValidLength<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:547:7
    #7 0x7f7e9d6a4e61 in AtomizeAndCopyCharsNonStaticValidLengthFromLookup<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:480:30
    #8 0x7f7e9d6a4e61 in AtomizeAndCopyChars<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:575:10
    #9 0x7f7e9d6a4e61 in JSAtom* js::AtomizeChars<unsigned char>(JSContext*, unsigned char const*, unsigned long) /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:832:10
    #10 0x7f7e9f3a0397 in js::StringBuffer::finishAtom() /builds/worker/checkouts/gecko/js/src/util/StringBuffer.cpp:150:20
    #11 0x7f7e9d6d7dba in NameToFunctionName(JSContext*, JS::Handle<JS::Value>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1819:13
    #12 0x7f7e9d6d74cf in js::IdToFunctionName(JSContext*, JS::Handle<JS::PropertyKey>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1851:10
    #13 0x7f7e9d805b59 in DefineAccessorPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:115:30
    #14 0x7f7e9d812ca2 in JS_DefineProperties(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:866:14
    #15 0x7f7e926d76ee in Define /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:722:10
    #16 0x7f7e926d76ee in DefinePrefable<const JSPropertySpec> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:737:12
    #17 0x7f7e926d76ee in mozilla::dom::DefineProperties(JSContext*, JS::Handle<JSObject*>, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1018:10
    #18 0x7f7e926d8336 in CreateInterfacePrototypeObject /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:974:9
    #19 0x7f7e926d8336 in mozilla::dom::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JSClass const*, JS::Heap<JSObject*>*, JS::Handle<JSObject*>, JSClass const*, unsigned int, bool, mozilla::dom::LegacyFactoryFunction const*, JS::Heap<JSObject*>*, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*, char const*, bool, char const* const*, bool, char const* const*, bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1093:13
    #20 0x7f7e900e8ddc in mozilla::dom::CSS2Properties_Binding::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59657:3
    #21 0x7f7e926ef9e6 in mozilla::dom::GetPerInterfaceObjectHandle(JSContext*, unsigned long, void (*)(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool), bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:4301:5
    #22 0x7f7e900e8196 in GetProtoObjectHandle /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:47:12
    #23 0x7f7e900e8196 in mozilla::dom::CSS2Properties_Binding::Wrap(JSContext*, nsDOMCSSDeclaration*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59597:42
    #24 0x7f7e97863714 in Wrap<nsDOMCSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:37:12
    #25 0x7f7e97863714 in WrapObject /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:31:10
    #26 0x7f7e97863714 in non-virtual thunk to nsDOMCSSDeclaration::WrapObject(JSContext*, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp
    #27 0x7f7e92461cdf in DoGetOrCreateDOMReflector<nsICSSDeclaration, (mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior)0> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1094:18
    #28 0x7f7e92461cdf in GetOrCreateDOMReflector<nsICSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1163:10
    #29 0x7f7e92461cdf in mozilla::dom::HTMLElement_Binding::get_style(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:1983:8
    #30 0x7f7e926c3a61 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3217:13
    #31 0x7f7e9d3f3503 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
    #32 0x7f7e9d3f3503 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
    #33 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #34 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #35 0x7f7e9d3f7486 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:801:10
    #36 0x7f7e9d7d11a7 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2070:12
    #37 0x7f7e9d7d11a7 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2098:12
    #38 0x7f7e9d7d11a7 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2246:14
    #39 0x7f7e9d7d11a7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2277:10
    #40 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #41 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #42 0x7f7e9d439768 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
    #43 0x7f7e9d40cef0 in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
    #44 0x7f7e9d40cef0 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
    #45 0x7f7e9d3f22a8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
    #46 0x7f7e9d3f22a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
    #47 0x7f7e9d3f36bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #48 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #49 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #50 0x7f7e9d561f5b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #51 0x7f7e9206b4c0 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #52 0x7f7e9352a576 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #53 0x7f7e93528469 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
```

Back to Bug 1832911 Comment 0