Closed Bug 1400436 Opened 3 years ago Closed 3 years ago

Assertion failure: aDelta > 0 || s->mEditableDescendantCount >= (uint32_t) (-1 * aDelta)

Categories

(Core :: DOM: Core & HTML, defect, P3)

52 Branch
defect

Tracking


RESOLVED WONTFIX
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- fixed
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: tsmith, Assigned: catalinb)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file test_case.html
Assertion failure: aDelta > 0 || s->mEditableDescendantCount >= (uint32_t) (-1 * aDelta), at /home/worker/workspace/build/src/dom/base/nsINode.cpp:1372

#0 0x7f46d5599c78 in nsINode::ChangeEditableDescendantCount(int) /dom/base/nsINode.cpp:1371:3
#1 0x7f46d535065a in mozilla::dom::Element::UnbindFromTree(bool, bool) /dom/base/Element.cpp:1823:11
#2 0x7f46d715f95f in nsGenericHTMLElement::UnbindFromTree(bool, bool) /dom/html/nsGenericHTMLElement.cpp:516:3
#3 0x7f46d7188c3e in nsGenericHTMLFormElement::UnbindFromTree(bool, bool) /dom/html/nsGenericHTMLElement.cpp:1917:3
#4 0x7f46d559c2e8 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /dom/base/nsINode.cpp:1929:3
#5 0x7f46d5393f0e in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /dom/base/FragmentOrElement.cpp:1113:5
#6 0x7f46d5595d3d in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /dom/base/nsINode.cpp:581:3
#7 0x7f46d5abf801 in mozilla::dom::NodeBinding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /obj-firefox/dom/bindings/NodeBinding.cpp:809:39
#8 0x7f46d6bee8c6 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13
#9 0x7f46db8c4e9e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/jscntxtinlines.h:239:15
#10 0x7f46db8c49ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:447:16
#11 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12
#12 0x7f46db8b411a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2922:18
#13 0x7f46db8a8a1a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:405:12
#14 0x7f46db8c4b42 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:477:15
#15 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12
#16 0x7f46db8c5591 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:523:10
#17 0x7f46db4763b9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:2828:12
#18 0x7f46d66cddfc in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#19 0x7f46d6f0f6c1 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12
#20 0x7f46d6f0f216 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1130:7
#21 0x7f46d6f10310 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /dom/events/EventListenerManager.cpp:1287:17
#22 0x7f46d6f030c4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:275:7
#23 0x7f46d6f02892 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:380:5
#24 0x7f46d6f043d6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:711:9
#25 0x7f46d6f05461 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp:777:12
#26 0x7f46d559985e in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /dom/base/nsINode.cpp:1309:5
#27 0x7f46d6ebe310 in mozilla::AsyncEventDispatcher::Run() /dom/events/AsyncEventDispatcher.cpp:54:3
#28 0x7f46d51e46fd in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:5195:5
#29 0x7f46d49af42d in nsAutoScriptBlocker::~nsAutoScriptBlocker() /dom/base/nsContentUtils.h:2865:5
#30 0x7f46d5352747 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/base/Element.cpp:2387:1
#31 0x7f46d718472b in nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/html/nsGenericHTMLElement.cpp:825:17
#32 0x7f46d711a222 in mozilla::dom::HTMLObjectElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/html/HTMLObjectElement.cpp:305:17
#33 0x7f46d534ce51 in mozilla::dom::Element::SetAttribute(nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /dom/base/Element.cpp:1246:14
#34 0x7f46d675d7e5 in mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /obj-firefox/dom/bindings/ElementBinding.cpp:723:3
#35 0x7f46d6bee8c6 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13
#36 0x7f46db8c4e9e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/jscntxtinlines.h:239:15
#37 0x7f46db8c49ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:447:16
#38 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12
#39 0x7f46db8b411a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2922:18
#40 0x7f46db8a8a1a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:405:12
#41 0x7f46db8c4b42 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:477:15
#42 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12
#43 0x7f46db8c5591 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:523:10
#44 0x7f46db4763b9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:2828:12
#45 0x7f46d66cc419 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#46 0x7f46d6f320b0 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#47 0x7f46d6f30898 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /dom/events/JSEventHandler.cpp:214:3
#48 0x7f46d6f0f273 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1134:16
#49 0x7f46d6f10310 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /dom/events/EventListenerManager.cpp:1287:17
#50 0x7f46d6f030c4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:275:7
#51 0x7f46d6f02892 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:380:5
#52 0x7f46d6f043d6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:711:9
#53 0x7f46d87e61d2 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1047:7
#54 0x7f46d92b11da in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:7635:5
#55 0x7f46d92ae7eb in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7439:7
#56 0x7f46d92b28ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7336:13
#57 0x7f46d4862d1d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1255:3
#58 0x7f46d4862399 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:840:5
#59 0x7f46d485fdb6 in nsDocLoader::DocLoaderIsEmpty(bool) /uriloader/base/nsDocLoader.cpp:730:9
#60 0x7f46d4861500 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:612:5
#61 0x7f46d4861ecc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:468:14
#62 0x7f46d342611b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:633:18
#63 0x7f46d54fd1ab in nsDocument::DoUnblockOnload() /dom/base/nsDocument.cpp:8647:7
#64 0x7f46d54fce87 in nsDocument::UnblockOnload(bool) /dom/base/nsDocument.cpp:8575:9
#65 0x7f46d54e1d06 in nsDocument::DispatchContentLoadedEvents() /dom/base/nsDocument.cpp:5061:3
#66 0x7f46d556cc04 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /obj-firefox/dist/include/nsThreadUtils.h:810:7
#67 0x7f46d325eb62 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1216:7
#68 0x7f46d32eaca0 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/glue/nsThreadUtils.cpp:361:10
#69 0x7f46d3d96589 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:96:21
#70 0x7f46d3d04287 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:232:3
#71 0x7f46d3d04119 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:205:3
#72 0x7f46d81b8a9a in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:156:3
#73 0x7f46d995930c in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:283:19
#74 0x7f46d9a770bd in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4488:10
#75 0x7f46d9a78707 in XREMain::XRE_main(int, char**, nsXREAppData const*) /toolkit/xre/nsAppRunner.cpp:4621:8
#76 0x7f46d9a792f2 in XRE_main /toolkit/xre/nsAppRunner.cpp:4712:16
#77 0x4e03e9 in do_main(int, char**, char**, nsIFile*) /browser/app/nsBrowserApp.cpp:282:10
#78 0x4dfac5 in main /browser/app/nsBrowserApp.cpp:415:16
#79 0x7f46eff9982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#80 0x41c274 in _start (/home/user/workspace/browsers/m-e-1505415248-asan-debug/firefox+0x41c274)
Flags: in-testsuite?
Catalin has recently been looking at code in this area so he may have thoughts. I'm mostly curious if this is a big deal and/or how urgently we should fix it. Thanks!
Flags: needinfo?(catalin.badea392)
I can't reproduce the assert on local debug builds or nightly asan debug builds. :tsmith, are there any special conditions for reproducing this?

:overholt, this doesn't look like it can lead to a crash. I think this is a P3.
Points: --- → 3
Flags: needinfo?(catalin.badea392) → needinfo?(twsmith)
Points: 3 → ---
Priority: -- → P3
(In reply to Cătălin Badea (:catalinb) from comment #2)
> I can't reproduce the assert on local debug builds or nightly asan debug
> builds. :tsmith, are there any special conditions for reproducing this?

At the moment our fuzzers are only hitting this on ESR52.
Flags: needinfo?(twsmith)
(In reply to Tyson Smith [:tsmith] from comment #3)
> (In reply to Cătălin Badea (:catalinb) from comment #2)
> > I can't reproduce the assert on local debug builds or nightly asan debug
> > builds. :tsmith, are there any special conditions for reproducing this?
> 
> At the moment our fuzzers are only hitting this on ESR52.

That's a bit concerning as it'll be ESR until 59. Catalin, can you take a look again with ESR52?
Flags: needinfo?(catalin.badea392)
Will take another look tomorrow.
Assignee: nobody → catalin.badea392
Flags: needinfo?(catalin.badea392)
This happens (in esr52) because we run script before updating the editable descendants count. I think this was fixed in bug 1365092 in the patch that moves the side effects of nsGenericHTMLElement::SetAttr to BeforeSetAttr/AfterSetAttr.

I couldn't come up with an easy fix. We could try to uplift the first patch from bug 1365092 or ask Kirk to have a look, but isn't this outside the scope of fixes we uplift to ESR?
Flags: needinfo?(overholt)
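To make the ordering problem described in comment 5 concrete, here is an added toy model written for this page; it is not Gecko code and not the attached test_case.html. It assumes, as a simplification, that the attribute change marks the child editable immediately while the ancestor's count update is either done before or after the script blocker releases queued events, and the names (Node, Child, SetEditableAttr, RunScenario) are invented for the model.

```cpp
#include <cassert>
#include <cstdint>
#include <functional>

// Simplified ancestor node holding the count that
// nsINode::ChangeEditableDescendantCount asserts on.
struct Node {
  uint32_t mEditableDescendantCount = 0;
  // Same condition as the assertion in the report; returns false where
  // the real code would abort, so the model can be checked instead.
  bool ChangeEditableDescendantCount(int32_t aDelta) {
    if (!(aDelta > 0 || mEditableDescendantCount >= (uint32_t)(-1 * aDelta)))
      return false;  // assertion failure point
    mEditableDescendantCount += aDelta;
    return true;
  }
};

struct Child {
  bool editable = false;  // hypothetical: attribute makes the child editable
  bool bound = true;
};

// Models SetAttr. updateCountBeforeScript=false is the ESR52 ordering
// (script runs when the nsAutoScriptBlocker is released, before the count
// is updated); true is the BeforeSetAttr/AfterSetAttr ordering from comment 5.
void SetEditableAttr(Node& parent, Child& child, bool updateCountBeforeScript,
                     const std::function<void()>& scriptRunsAfterBlocker) {
  child.editable = true;  // the attribute change itself
  if (updateCountBeforeScript) parent.ChangeEditableDescendantCount(+1);
  scriptRunsAfterBlocker();  // ~nsAutoScriptBlocker fires queued events
  if (!updateCountBeforeScript) parent.ChangeEditableDescendantCount(+1);
}

// Models doRemoveChildAt -> UnbindFromTree for an editable child.
bool RemoveChild(Node& parent, Child& child) {
  child.bound = false;
  return child.editable ? parent.ChangeEditableDescendantCount(-1) : true;
}

// Runs the reported sequence: setAttribute, then a listener removes the
// child. Returns true only if the count invariant held throughout.
bool RunScenario(bool fixedOrdering) {
  Node parent;
  Child child;
  bool removeOk = true;
  SetEditableAttr(parent, child, fixedOrdering,
                  [&] { removeOk = RemoveChild(parent, child); });
  // Buggy ordering: the -1 arrives at count 0 (assertion), and the later
  // +1 leaves a stale count for a child that is already gone.
  return removeOk && parent.mEditableDescendantCount == 0;
}
```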
This does indeed seem like it's outside the scope of fixes we uplift to ESR and given comment 2 ("this doesn't look like it can lead to a crash"), I'm OK WONTFIXing this in ESR. Tyson, is that ok?
Flags: needinfo?(overholt) → needinfo?(twsmith)
If it is not in scope of course I support your decision.
Flags: needinfo?(twsmith)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML