Closed Bug 1405880 Opened 7 years ago Closed 7 years ago

stylo: Assertion failure: !HasAnyOfFlags(kAllServoDescendantBits | NODE_NEEDS_FRAME) in [@ mozilla::dom::Element::UnbindFromTree]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1439395
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 - wontfix
firefox58 --- affected

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

test_case.html
687 bytes, text/html
Details
Attached file test_case.html
Assertion failure: !HasAnyOfFlags(kAllServoDescendantBits | NODE_NEEDS_FRAME), at /src/dom/base/Element.cpp:1932 #0 mozilla::dom::Element::UnbindFromTree(bool, bool) /src/dom/base/Element.cpp:1931:7 #1 nsGenericHTMLElement::UnbindFromTree(bool, bool) /src/dom/html/nsGenericHTMLElement.cpp:537:20 #2 nsXBLBinding::UnbindAnonymousContent(nsIDocument*, nsIContent*, bool) /src/dom/xbl/nsXBLBinding.cpp:255:12 #3 nsXBLBinding::ChangeDocument(nsIDocument*, nsIDocument*) /src/dom/xbl/nsXBLBinding.cpp:829:7 #4 nsBindingManager::RemovedFromDocumentInternal(nsIContent*, nsIDocument*, nsBindingManager::DestructorHandling) /src/dom/xbl/nsBindingManager.cpp:216:16 #5 mozilla::dom::RemoveFromBindingManagerRunnable::Run() /src/dom/base/Element.cpp:1829:15 #6 nsContentUtils::RemoveScriptBlocker() /src/dom/base/nsContentUtils.cpp:5661:15 #7 nsDocument::EndUpdate(unsigned int) /src/dom/base/nsDocument.cpp:5332:3 #8 nsHTMLDocument::EndUpdate(unsigned int) /src/dom/html/nsHTMLDocument.cpp:2507:15 #9 mozAutoDocUpdate::~mozAutoDocUpdate() /src/dom/base/mozAutoDocUpdate.h:40:18 #10 nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2260:5 #11 mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:885:45 #12 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3053:13 #13 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/js/src/jscntxtinlines.h:293:15 #14 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:16 #15 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #16 Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3085:18 #17 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12 #18 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15 #19 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #20 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10 #21 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2975:12 #22 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8 #23 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12 #24 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1109:9 #25 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1283:20 #26 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:313:17 #27 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:486:14 #28 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:822:9 #29 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:888:12 #30 nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1341:5 #31 mozilla::AsyncEventDispatcher::Run() /src/dom/events/AsyncEventDispatcher.cpp:70:12 #32 nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /src/dom/base/nsContentUtils.cpp:5732:13 #33 nsContentUtils::AddScriptRunner(nsIRunnable*) /src/dom/base/nsContentUtils.cpp:5739:3 #34 mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe() /src/dom/events/AsyncEventDispatcher.cpp:104:3 #35 nsDocument::MutationEventDispatched(nsINode*) /src/dom/base/nsDocument.cpp:9638:9 #36 mozAutoSubtreeModified::UpdateTarget(nsIDocument*, nsINode*) /src/dom/base/nsIDocument.h:3661:22 #37 mozAutoSubtreeModified::~mozAutoSubtreeModified() /src/dom/base/nsIDocument.h:3655:5 #38 nsGenericHTMLElement::SetInnerText(nsTSubstring<char16_t> const&) /src/dom/html/nsGenericHTMLElement.cpp:3131:1 #39 mozilla::dom::HTMLElementBinding::set_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitSetterCallArgs) /src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:297:9 #40 mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3014:8 #41 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/js/src/jscntxtinlines.h:293:15 #42 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:16 #43 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #44 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10 #45 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/js/src/vm/Interpreter.cpp:688:12 #46 SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2732:10 #47 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2768:20 #48 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.h:1615:12 #49 SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::Handle<JS::Value>) /src/js/src/vm/Interpreter.cpp:269:12 #50 Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:2882:10 #51 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12 #52 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15 #53 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #54 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10 #55 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2975:12 #56 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8 #57 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12 #58 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1109:9 #59 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1283:20 #60 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:313:17 #61 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16 #62 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:822:9 #63 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:888:12 #64 nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1341:5 #65 mozilla::AsyncEventDispatcher::Run() /src/dom/events/AsyncEventDispatcher.cpp:70:12 #66 nsContentUtils::RemoveScriptBlocker() /src/dom/base/nsContentUtils.cpp:5661:15 #67 nsDocument::EndUpdate(unsigned int) /src/dom/base/nsDocument.cpp:5332:3 #68 nsHTMLDocument::EndUpdate(unsigned int) /src/dom/html/nsHTMLDocument.cpp:2507:15 #69 mozAutoDocConditionalContentUpdateBatch::~mozAutoDocConditionalContentUpdateBatch() /src/dom/base/mozAutoDocUpdate.h:83:18 #70 nsresult nsDOMCSSDeclaration::ModifyDeclaration<nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool)::$_2, nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool)::$_3>(nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool)::$_2, nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool)::$_3) /src/layout/style/nsDOMCSSDeclaration.cpp:333:1 #71 nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool) /src/layout/style/nsDOMCSSDeclaration.cpp:340:10 #72 nsICSSDeclaration::SetProperty(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/layout/style/nsICSSDeclaration.h:133:10 #73 mozilla::dom::CSSStyleDeclarationBinding::setProperty(JSContext*, JS::Handle<JSObject*>, nsICSSDeclaration*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/CSSStyleDeclarationBinding.cpp:314:9 #74 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3053:13 #75 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/js/src/jscntxtinlines.h:293:15 #76 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:16 #77 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #78 Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3085:18 #79 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12 #80 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15 #81 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12 #82 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10 #83 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2975:12 #84 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37 #85 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12 #86 mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215:12 #87 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1112:51 #88 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1283:20 #89 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:313:17 #90 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16 #91 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:822:9 #92 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:888:12 #93 nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1341:5 #94 mozilla::AsyncEventDispatcher::Run() /src/dom/events/AsyncEventDispatcher.cpp:70:12 #95 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14 #96 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:524:10 #97 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #98 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10 #99 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3 #100 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27 #101 nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30 #102 XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22 #103 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8 #104 XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21 #105 do_main(int, char**, char**) /src/browser/app/nsBrowserApp.cpp:231:22 #106 main /src/browser/app/nsBrowserApp.cpp:304:16 #107 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #108 _start (firefox+0x41eaf4)
Flags: in-testsuite?
Only reproduces with Stylo enabled. INFO: Last good revision: 08e7d627c2017392af5ba26086e682a61cbc88dd INFO: First bad revision: 7f9883dd37feac26fb95b629ad1010107f04603c INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=08e7d627c2017392af5ba26086e682a61cbc88dd&tochange=7f9883dd37feac26fb95b629ad1010107f04603c
Blocks: 1400936
Has Regression Range: --- → yes
status-firefox56: --- → unaffected
status-firefox57: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(emilio)
Summary: Assertion failure: !HasAnyOfFlags(kAllServoDescendantBits | NODE_NEEDS_FRAME) in [@ mozilla::dom::Element::UnbindFromTree] → stylo: Assertion failure: !HasAnyOfFlags(kAllServoDescendantBits | NODE_NEEDS_FRAME) in [@ mozilla::dom::Element::UnbindFromTree]
Priority: -- → P2
Gah, this is particularly annoying. This is due to the flags being in the flat tree and UnbindFromTree working on the light tree. Need to dig into it a bit more to see what's exactly going on.
Assignee: nobody → emilio
[Tracking Requested - why for this release]: Emilio, how serious is this fuzz bug in release builds? Should we try to uplift a fix to Beta 57?
tracking-firefox57: --- → ?
I don't think this is particularly serious, because we clear the flags at the end of UnbindFromTree unconditionally and XBL anon content gets unbound from the doc off a runnable. Also, we clear them as of right now in BindToTree too, which makes this not even a concern. We want to stop doing that, but this needs to get fixed too. I still plan to properly look at this sometime soon, though I've been prioritizing other stuff.
I finally got time to look into this more in depth. I think what needs to happen to be able to fix this properly is bug 1420547, and then moving the ClearServoDataFromSubtree from UnbindFromTree to ServoRestyleManager. That would also simplify a ton of special-casing that we do for notifications that can happen from UnbindFromTree.
Depends on: 1420547
Flags: needinfo?(emilio)
This was fixed by bug 1439395.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: