Closed Bug 1489877 Opened 7 years ago Closed 4 years ago

Assertion failure: !mMutationGuard.Mutated(0), at src/dom/base/ChildIterator.h:234

Categories

(Core :: CSS Parsing and Computation, defect, P3)

RESOLVED WORKSFORME
Tracking Status
firefox63 --- wontfix
firefox64 --- wontfix
firefox66 --- wontfix
firefox67 --- affected
firefox68 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Attached file testcase.html
Reduced with m-c:
BuildID=20180830165914
SourceStamp=c317d6b31d9c951c9357fb9a49d2686a3efcfe2f

Assertion failure: !mMutationGuard.Mutated(0), at src/dom/base/ChildIterator.h:234

#0 mozilla::dom::AllChildrenIterator::~AllChildrenIterator() src/dom/base/ChildIterator.h:234:28
#1 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7834:3
#2 mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4557:22
#3 nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:230:3
#4 nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:1941:5
#5 nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2246:18
#6 mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:944:45
#7 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3296:13
#8 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:449:15
#9 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:537:16
#10 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:588:12
#11 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3266:18
#12 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:429:12
#13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:15
#14 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:588:12
#15 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:607:10
#16 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2917:12
#17 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#18 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#19 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
#20 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:52
#21 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
#22 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420:17
#23 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
#24 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
#25 nsGlobalWindowInner::PostHandleEvent(mozilla::EventChainPostVisitor&) src/dom/base/nsGlobalWindowInner.cpp:2096:7
#26 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:640:16
#27 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:717:5
#28 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
#29 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1169:7
#30 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7056:21
#31 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6849:7
#32 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#33 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
#34 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:856:14
#35 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:745:9
#36 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
#37 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#38 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#39 nsIDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8299:18
#40 nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8221:9
#41 nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5093:3
#42 mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219:13
#43 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#44 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
#45 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#46 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#47 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#48 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#49 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#50 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#51 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#52 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#53 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#54 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#55 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#56 main src/browser/app/nsBrowserApp.cpp:287:18
#57 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#58 _start (firefox+0x423d84)

Flags: in-testsuite?
Attached file prefs.js
Flags: needinfo?(emilio)
(FWIW I can't reproduce this.)
Priority: -- → P3
Attached file Stack of the mutation.
Needs layout.accessiblecaret.enabled = true;
Flags: needinfo?(emilio)
Not sure why this is in style component. The stack doesn't seem to contain any function from the style system?
Component: CSS Parsing and Computation → Layout
Component: Layout → CSS Parsing and Computation
As the stack in comment 3 shows, the issue is that during StyleChildrenIterator in [1], we end up destroying the <iframe> and hence the PresShell and AccessibleCaretEventHub. Therefore AccessibleCaret does its final duty to remove the caret elements [2], which causes the DOM mutation.

[1] https://searchfox.org/mozilla-central/rev/de7676288a78b70d2b9927c79493adbf294faad5/layout/base/nsCSSFrameConstructor.cpp#7818-7833
[2] https://searchfox.org/mozilla-central/rev/de7676288a78b70d2b9927c79493adbf294faad5/layout/base/AccessibleCaret.cpp#242-255

I think we should just do the frameLoader->Hide() call at [1] off a script runner just like nsHideViewer does, fwiw.

[1]: https://searchfox.org/mozilla-central/rev/de7676288a78b70d2b9927c79493adbf294faad5/layout/generic/nsSubDocumentFrame.cpp#1035
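The failure mode and the deferral discussed in the two comments above, modelled in stand-alone C++ as an added example that is not Gecko code and not part of the bug thread: a teardown triggered while a guarded child walk is live mutates the child list, and queuing that teardown until the walk ends keeps the guard clean. `Node`, `MutationGuard`, `DeferredRunners` and `WalkChildren` are hypothetical stand-ins, not the real classes.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-ins for this example; none of these are Gecko classes.
struct Node {
  std::vector<int> children;
  uint64_t generation = 0;  // bumped on every child-list mutation
  void RemoveChild(std::size_t i) {
    children.erase(children.begin() + static_cast<std::ptrdiff_t>(i));
    ++generation;
  }
};

// Remembers the generation at construction; Mutated() reports any change.
class MutationGuard {
  const Node& mNode;
  uint64_t mStart;
 public:
  explicit MutationGuard(const Node& n) : mNode(n), mStart(n.generation) {}
  bool Mutated() const { return mNode.generation != mStart; }
};

// Work queued here runs only once no iteration is in progress.
struct DeferredRunners {
  std::vector<std::function<void()>> queue;
  void Add(std::function<void()> f) { queue.push_back(std::move(f)); }
  void Flush() { for (auto& f : queue) { f(); } queue.clear(); }
};

// Walks the children; reaching `victim` triggers a teardown that removes a
// child of the same node. Returns what the guard saw while the walk was live.
bool WalkChildren(Node& node, int victim, bool deferTeardown) {
  DeferredRunners runners;
  bool mutatedDuringWalk = false;
  {
    MutationGuard guard(node);
    for (std::size_t i = 0; i < node.children.size(); ++i) {
      if (node.children[i] != victim) continue;
      auto teardown = [&node] { node.RemoveChild(0); };
      if (deferTeardown) { runners.Add(teardown); } else { teardown(); break; }
    }
    mutatedDuringWalk = guard.Mutated();  // the condition the iterator asserts on
  }
  runners.Flush();  // safe point: the guard and the loop are gone
  return mutatedDuringWalk;
}
```

In both modes the child is removed in the end; only the synchronous mode does it while the guard is alive, which is the condition the assertion in the bug title checks.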

The attached test case no longer reproduces the issue. This issue was last reported by fuzzers running m-c 20191219-8e1b11b00157.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME