Closed Bug 1453206 Opened 2 years ago Closed 2 years ago

Assertion failure: IsInAnonymousSubtree(), at /builds/worker/workspace/build/src/dom/base/Element.cpp:1885

Categories

(Core :: DOM: Core & HTML, defect)

59 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev a8061a09cd70.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x00007fe4948822dd   rbx = 0x00007fe473971520
rsi = 0x00007fe494b51770   rdi = 0x00007fe494b50540
rbp = 0x00007ffcd4c726d0   rsp = 0x00007ffcd4c72680
r8 = 0x00007fe494b51770    r9 = 0x00007fe495c1b740
r10 = 0x0000000000000039   r11 = 0x0000000000000000
r12 = 0x00007fe47b5b9000   r13 = 0x0000000000000000
r14 = 0x0000000000000001   r15 = 0x00007ffcd4c72901
rip = 0x00007fe4838aa58a
OS|Linux|0.0.0 Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::Element::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1885|0x18
0|1|libxul.so|nsXMLElement::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|52|0x10
0|2|libxul.so|mozilla::dom::Element::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2041|0xb
0|3|libxul.so|nsGenericHTMLElement::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/html/nsGenericHTMLElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|472|0x10
0|4|libxul.so|mozilla::dom::Element::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2041|0xb
0|5|libxul.so|nsGenericHTMLElement::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/html/nsGenericHTMLElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|472|0x10
0|6|libxul.so|mozilla::dom::Element::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2041|0xb
0|7|libxul.so|nsGenericHTMLElement::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/html/nsGenericHTMLElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|472|0x10
0|8|libxul.so|mozilla::dom::Element::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2041|0xb
0|9|libxul.so|nsGenericHTMLElement::UnbindFromTree|hg:hg.mozilla.org/mozilla-central:dom/html/nsGenericHTMLElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|472|0x10
0|10|libxul.so|nsXBLBinding::UnbindAnonymousContent|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|251|0x14
0|11|libxul.so|nsXBLBinding::ChangeDocument|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|801|0x11
0|12|libxul.so|nsBindingManager::RemovedFromDocumentInternal|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsBindingManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|216|0x15
0|13|libxul.so|mozilla::dom::FragmentOrElement::DestroyContent|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsBindingManager.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|77|0x11
0|14|libxul.so|mozilla::dom::FragmentOrElement::DestroyContent|hg:hg.mozilla.org/mozilla-central:dom/base/FragmentOrElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1267|0x11
0|15|libxul.so|mozilla::dom::FragmentOrElement::DestroyContent|hg:hg.mozilla.org/mozilla-central:dom/base/FragmentOrElement.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1267|0x11
0|16|libxul.so|nsDocument::Destroy|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|8200|0x11
0|17|libxul.so|nsDocumentViewer::Destroy|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1775|0x18
0|18|libxul.so|nsDocumentViewer::Show|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2106|0x18
0|19|libxul.so|nsPresContext::EnsureVisible|hg:hg.mozilla.org/mozilla-central:layout/base/nsPresContext.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2156|0x14
0|20|libxul.so|mozilla::PresShell::UnsuppressAndInvalidate|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|3948|0x11
0|21|libxul.so|nsDocumentViewer::Stop|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1835|0x14
0|22|libxul.so|nsDocShell::Stop|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|5176|0x14
0|23|libxul.so|nsDocShell::InternalLoad|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|10281|0xd
0|24|libxul.so|nsDocShell::LoadHistoryEntry|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|12467|0x74
0|25|libxul.so|nsDocShell::Reload|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|5075|0xe
0|26|libxul.so|mozilla::dom::Location::Reload|hg:hg.mozilla.org/mozilla-central:dom/base/Location.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|887|0x6
0|27|libxul.so|mozilla::dom::LocationBinding::reload|hg:hg.mozilla.org/mozilla-central:dom/base/Location.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|56|0x8
0|28|libxul.so|mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|3191|0x9
0|29|libxul.so|js::CallJSNative|hg:hg.mozilla.org/mozilla-central:js/src/vm/JSContext-inl.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|290|0x6
0|30|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|467|0xf
0|31|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|516|0xd
0|32|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|522|0xf
0|33|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|417|0xb
0|34|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|489|0xf
0|35|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|516|0xd
0|36|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|535|0x5
0|37|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|3003|0x20
0|38|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:ccbadb8791154c00d5d9f3f34300a418cdfa4b3b0b60424e60394883162a95118b3edbfce81cbc7a5b48193d5a2618fc449143e250bd5c61dd1340709a3af189/dom/bindings/EventListenerBinding.cpp:|51|0x5
0|39|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:0502cca494d7ae0441ada14535523caade9340fdd09934cf6d31cc421267c319ae3d6f5b43b2730d0b36ae1c87480f3b426c5fa4fec57d51047d83a51acde602/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|40|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1120|0x36
0|41|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1292|0x19
0|42|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|378|0xa
0|43|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|527|0xf
0|44|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|934|0xb
0|45|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1016|0x19
0|46|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1084|0x5
0|47|libxul.so|nsContentUtils::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|4480|0x28
0|48|libxul.so|nsContentUtils::DispatchTrustedEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|4449|0xf
0|49|libxul.so|nsIDocument::DispatchContentLoadedEvents|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|5221|0x5
0|50|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0u>::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|1164|0x13
0|51|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|337|0x15
0|52|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1096|0x15
0|53|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|519|0x11
0|54|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|97|0xa
0|55|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|326|0x17
0|56|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|319|0x8
0|57|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|157|0xd
0|58|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|893|0x11
0|59|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|269|0x5
0|60|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|326|0x17
0|61|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|319|0x8
0|62|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|719|0x8
0|63|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|50|0x14
0|64|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|280|0x11
0|65|libc-2.23.so||||0x20830
0|66|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|164|0x5
Flags: in-testsuite?
No test-case?
Flags: needinfo?(jkratzer)
Attached file trigger.html
My apologies.  Looks like I forgot to attach it.
Flags: needinfo?(jkratzer)
Thanks!
Flags: needinfo?(emilio)
This is XBL in shadow dom getting really confused.
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Comment on attachment 8967820 [details]
Bug 1453206: Look in XBL anon content too for stale style data.

https://reviewboard.mozilla.org/r/236504/#review242300
Attachment #8967820 - Flags: review?(bugs) → review+
Comment on attachment 8967821 [details]
Bug 1453206: Fix IsInAnonymousSubtree to account for XBL in Shadow DOM.

https://reviewboard.mozilla.org/r/236506/#review242310
Attachment #8967821 - Flags: review?(bugs) → review+
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b12b7c5b8178
Look in XBL anon content too for stale style data. r=smaug
https://hg.mozilla.org/integration/autoland/rev/1844a120acda
Fix IsInAnonymousSubtree to account for XBL in Shadow DOM. r=smaug
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b8c5eb9fb1e6
Fix IsInAnonymousSubtree to account for XBL in Shadow DOM. r=smaug
Will move the first patch to another bug.
Flags: needinfo?(emilio)
Blocks: 1454157
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7aad6439880b
Look in XBL anon content too for stale style data. r=smaug
https://hg.mozilla.org/mozilla-central/rev/b8c5eb9fb1e6
https://hg.mozilla.org/mozilla-central/rev/7aad6439880b
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Flags: in-testsuite? → in-testsuite+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.