Open Bug 1415237 Opened 7 years ago Updated 2 years ago

Assertion failure: !element->HasAnyOfFlags(Element::kAllServoDescendantBits), at /builds/worker/workspace/build/src/dom/base/Element.cpp:4506

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Version:
52 Branch
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

trigger.html
1.24 KB, text/html
Details
Attached file trigger.html
Testcase found while fuzzing mozilla-central rev b2f459b88cab. ==27650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f29b4a9d735 bp 0x7fffda476b40 sp 0x7fffda476b30 T0) ==27650==The signal is caused by a WRITE memory access. ==27650==Hint: address points to the zero page. #0 0x7f29b4a9d734 in AssertNoBitsPropagatedFrom(nsINode*) /builds/worker/workspace/build/src/dom/base/Element.cpp:4510:1 #1 0x7f29b4a74830 in NoteDirtyElement(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/dom/base/Element.cpp:4612:3 #2 0x7f29b824fedd in mozilla::ServoRestyleManager::SnapshotFor(mozilla::dom::Element*) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1082:13 #3 0x7f29b82514ac in mozilla::ServoRestyleManager::ContentStateChanged(nsIContent*, mozilla::EventStates) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1299:36 #4 0x7f29b821fb0e in mozilla::PresShell::ContentStateChanged(nsIDocument*, nsIContent*, mozilla::EventStates) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4305:37 #5 0x7f29b4bffced in nsDocument::ContentStateChanged(nsIContent*, mozilla::EventStates) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5755:3 #6 0x7f29b4a58b18 in mozilla::dom::Element::NotifyStateChange(mozilla::EventStates) /builds/worker/workspace/build/src/dom/base/Element.cpp:247:10 #7 0x7f29b4a9586a in mozilla::dom::Element::RemoveStates(mozilla::EventStates) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:649:5 #8 0x7f29b6716875 in mozilla::EventStateManager::UpdateAncestorState(nsIContent*, nsIContent*, mozilla::EventStates, bool) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4977:5 #9 0x7f29b6711b11 in mozilla::EventStateManager::SetContentState(nsIContent*, mozilla::EventStates) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5127:9 #10 0x7f29b6716cf9 in mozilla::EventStateManager::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5184:5 #11 0x7f29b82210fe in mozilla::PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4491:7 #12 0x7f29b4d0672c in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:221:3 #13 0x7f29b4cbca34 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1947:5 #14 0x7f29b4bf49d2 in nsDocument::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4517:3 #15 0x7f29b4cbd6ff in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2259:18 #16 0x7f29b52458e0 in mozilla::dom::NodeBinding::replaceChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:955:45 #17 0x7f29b6434b4e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13 #18 0x7f29bb289d31 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15 #19 0x7f29bb28990a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:16 #20 0x7f29bb28a9b5 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12 #21 0x7f29bb27f3b3 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061:18 #22 0x7f29bb26a824 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12 #23 0x7f29bb28c632 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15 #24 0x7f29bb28d0f2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12 #25 0x7f29bbb53d9f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4702:12 #26 0x7f29bbb54606 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12 #27 0x7f29bbb541ee in JS_ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4742:12 #28 0x7f29b4cdb9fb in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8 #29 0x7f29b7b710b1 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25 #30 0x7f29b7b6df70 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10 #31 0x7f29b7b5bc7a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10 #32 0x7f29b7b5a803 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18 #33 0x7f29b3e8c90e in nsIScriptElement::AttemptToExecute() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18 #34 0x7f29b3e8b8a6 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728:22 #35 0x7f29b3e883ed in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7 #36 0x7f29b3e91a54 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20 #37 0x7f29b2500e8f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14 #38 0x7f29b2521aa0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10 #39 0x7f29b30bdfe5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #40 0x7f29b3010137 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #41 0x7f29b300ffc9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3 #42 0x7f29b7ca3eda in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27 #43 0x7f29baec3e21 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30 #44 0x7f29bb0389a8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22 #45 0x7f29bb03a5ca in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8 #46 0x7f29bb03b4f9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21 #47 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
Flags: in-testsuite?
The assertion was added by Emilio.
Flags: needinfo?(emilio)
I'm moderately sure that this is a dupe of bug 1415013.
Depends on: 1415013
Flags: needinfo?(emilio)
Priority: -- → P2
Component: DOM → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: