Open Bug 1466181 Opened 5 years ago Updated 2 years ago

Assertion failure: !aId.IsEmpty() (Will match random elements), at /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4581

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Version:
59 Branch
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

trigger.html
488 bytes, text/html
Details
Attached file trigger.html 
Testcase found while fuzzing mozilla-central rev 9900cebb1f90.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x00007f237f1112dd   rbx = 0x00007f235c85f4c0
rsi = 0x00007f237f3e0770   rdi = 0x00007f237f3df540
rbp = 0x00007ffd980b9c20   rsp = 0x00007ffd980b9bf0
r8 = 0x00007f237f3e0770    r9 = 0x00007f23804af740
r10 = 0x0000000000000039   r11 = 0x0000000000000000
r12 = 0x00007ffd980b9c48   r13 = 0x00007ffd980b9d60
r14 = 0x00007ffd980ba040   r15 = 0x00007f235c85f4c0
rip = 0x00007f236e016f45
OS|Linux|0.0.0 Linux 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsContentUtils::MatchElementId(nsIContent*, nsTSubstring<char16_t> const&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|4569|0x18
0|1|libxul.so|mozilla::dom::HTMLLabelElement::GetLabeledElement() const|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLLabelElement.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|245|0xb
0|2|libxul.so|mozilla::dom::HTMLLabelElement::GetForm() const|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLLabelElement.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|51|0x5
0|3|libxul.so|mozilla::dom::HTMLLabelElementBinding::get_form|s3:gecko-generated-sources:7574f66a316af79a966536d29fa0b2a20c1db1a226f8a49b41fc77363ac3a63bf3a2a25bad45715ff0cf082a50ab5e398399d287ad3c67f692df713add7ae405/dom/bindings/HTMLLabelElementBinding.cpp:|35|0x8
0|4|libxul.so|bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|3161|0x2
0|5|libxul.so|js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/JSContext-inl.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|274|0x9
0|6|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|471|0xf
0|7|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|520|0xd
0|8|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|539|0x5
0|9|libxul.so|js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|654|0x5
0|10|libxul.so|GetExistingProperty<(js::AllowGC)1u>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|2109|0x9
0|11|libxul.so|NativeGetPropertyInline<(js::AllowGC)1u>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|2375|0xf
0|12|libxul.so|js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|1679|0x2c
0|13|libxul.so|js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/JSObject.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|799|0xf
0|14|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|217|0x5
0|15|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|421|0xb
0|16|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|493|0xf
0|17|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|520|0xd
0|18|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|539|0x5
0|19|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|2981|0x20
0|20|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:ccbadb8791154c00d5d9f3f34300a418cdfa4b3b0b60424e60394883162a95118b3edbfce81cbc7a5b48193d5a2618fc449143e250bd5c61dd1340709a3af189/dom/bindings/EventListenerBinding.cpp:|51|0x5
0|21|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:df09d9cc306a083595346f6d0dae2f0ce3f5fd435f6f7a4c0c4316b1859a44f5dd95d604614ce612b37891bd9d49c6084a65a1469d48132cf498398ec46b46ca/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|22|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1121|0x26
0|23|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1298|0x15
0|24|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|393|0xa
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|620|0x12
0|26|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1087|0xb
0|27|libxul.so|nsGlobalWindowInner::PostHandleEvent(mozilla::EventChainPostVisitor&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|2099|0x5
0|28|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|623|0xb
0|29|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|703|0x5
0|30|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1087|0xb
0|31|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1166|0x2c
0|32|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|7161|0x18
0|33|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|6954|0x18
0|34|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1309|0x2b
0|35|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|852|0x22
0|36|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|741|0xf
0|37|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|627|0x16
0|38|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|629|0x1f
0|39|libxul.so|nsIDocument::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|8344|0x20
0|40|libxul.so|nsDocument::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|8266|0x8
0|41|libxul.so|nsIDocument::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|5224|0x11
0|42|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|1165|0x13
0|43|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|337|0x15
0|44|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|1088|0x15
0|45|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|519|0x11
0|46|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|97|0xa
0|47|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9900cebb1f9000bd05731ba67736b7c51f7eb812|326|0x17
0|48|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9900cebb1f9000bd05731ba67736b7c51f7eb812|319|0x8
0|49|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|157|0xd
0|50|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|893|0x11
0|51|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|269|0x5
0|52|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9900cebb1f9000bd05731ba67736b7c51f7eb812|326|0x17
0|53|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9900cebb1f9000bd05731ba67736b7c51f7eb812|319|0x8
0|54|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|719|0x8
0|55|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|50|0x14
0|56|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:9900cebb1f9000bd05731ba67736b7c51f7eb812|282|0x11
0|57|libc-2.23.so||||0x20830
0|58|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:9900cebb1f9000bd05731ba67736b7c51f7eb812|164|0x5
Flags: in-testsuite?
Priority: -- → P5
Component: DOM → DOM: Core & HTML

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224162107-27f574662450.

Whiteboard: [bugmon:confirmed]
Severity: normal → S4
Priority: P5 → P3

We should care about reproducible assertions.

You need to log in before you can comment on or make changes to this bug.