Closed Bug 1508845 Opened 6 years ago Closed 6 years ago

Assertion failure: (last == doc) == wasInComposedDoc || (IsRemoveNotification::No == IsRemoveNotification::Yes && !strcmp("ContentAppended", "NativeAnonymousChildListChange")), at /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:194

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase)

Attachments

(3 files)

testcase.html
291 bytes, text/html
Details
A testcase without <video> (with a normal shadow tree).
565 bytes, text/plain
Details
Bug 1508845 - Make BlastSubtreeToPieces handle Shadow DOM.
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html 
Reduced with m-c:
BuildID=20181120164749
SourceStamp=8eff0a4f5d8f4442ce233d492185a90c460846ef

Assertion failure: (last == doc) == wasInComposedDoc || (IsRemoveNotification::No == IsRemoveNotification::Yes && !strcmp("ContentAppended", "NativeAnonymousChildListChange")), at src/dom/base/nsNodeUtils.cpp:194

#0 nsNodeUtils::ContentAppended(nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:192:3
#1 nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) src/dom/base/nsINode.cpp:1467:7
#2 nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2638:14
#3 mozilla::dom::ShadowRoot::ImportNodeAndAppendChildAt(nsINode&, nsINode&, bool, mozilla::ErrorResult&) src/dom/base/ShadowRoot.cpp:634:22
#4 mozilla::dom::ShadowRoot_Binding::importNodeAndAppendChildAt(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ShadowRoot*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ShadowRootBinding.cpp:440:45
#5 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3376:13
#6 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:468:15
#7 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560:16
#8 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:614:12
#9 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462:18
#10 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#11 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#12 InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:664:14
#13 js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>) src/js/src/vm/Interpreter.cpp:720:10
#14 js::ForwardingProxyHandler::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:198:10
#15 js::CrossCompartmentWrapper::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:378:23
#16 xpc::JSXrayTraits::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) src/js/xpconnect/wrappers/XrayWrapper.cpp
#17 xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::JSXrayTraits>::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/xpconnect/wrappers/XrayWrapper.cpp:2304:12
#18 js::Proxy::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:581:21
#19 InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:674:16
#20 js::ConstructFromStack(JSContext*, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:707:12
#21 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3453:18
#22 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#23 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#24 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:614:12
#25 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
#26 js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/VMFunctions.cpp:112:12
#27 js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) src/js/src/jit/VMFunctions.cpp:142:10
#28 0x2e9234a8f39e  (<unknown module>)
Flags: in-testsuite?
The same test case with an ASan opt build triggers:

==46747==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fecc36f66f5 bp 0x7ffcb050f2f0 sp 0x7ffcb050efa0 T0)
==46747==The signal is caused by a WRITE memory access.
==46747==Hint: address points to the zero page.
    #0 0x7fecc36f66f4 in slotRef src/obj-firefox/dist/include/jsfriendapi.h:622:16
    #1 0x7fecc36f66f4 in GetReservedSlot src/obj-firefox/dist/include/jsfriendapi.h:770
    #2 0x7fecc36f66f4 in mozilla::dom::XMLDocument_Binding::Wrap(JSContext*, mozilla::dom::XMLDocument*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) src/obj-firefox/dom/bindings/XMLDocumentBinding.cpp:512
    #3 0x7fecc6b9d788 in Wrap<mozilla::dom::XMLDocument> src/obj-firefox/dist/include/mozilla/dom/XMLDocumentBinding.h:42:12
    #4 0x7fecc6b9d788 in mozilla::dom::XMLDocument::WrapNode(JSContext*, JS::Handle<JSObject*>) src/dom/xml/XMLDocument.cpp:635
    #5 0x7fecc150a598 in nsINode::WrapObject(JSContext*, JS::Handle<JSObject*>) src/dom/base/nsINode.cpp:2929:34
    #6 0x7fecc1438193 in DoGetOrCreateDOMReflector<nsIDocument, mozilla::dom::binding_detail::eWrapIntoContextCompartment> src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1081:18
    #7 0x7fecc1438193 in GetOrCreateDOMReflector<nsIDocument> src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1148
    #8 0x7fecc1438193 in GetOrCreate src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1799
    #9 0x7fecc1438193 in GetOrCreateDOMReflector<nsIDocument> src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1809
    #10 0x7fecc1438193 in ToJSValue<nsIDocument> src/obj-firefox/dist/include/mozilla/dom/ToJSValue.h:155
    #11 0x7fecc1438193 in ToJSValue<nsIDocument *> src/obj-firefox/dist/include/mozilla/dom/ToJSValue.h:382
    #12 0x7fecc1438193 in MaybeSomething<nsIDocument *> src/obj-firefox/dist/include/mozilla/dom/Promise.h:265
    #13 0x7fecc1438193 in void mozilla::dom::Promise::MaybeResolve<nsIDocument*>(nsIDocument*&&) src/obj-firefox/dist/include/mozilla/dom/Promise.h:90
    #14 0x7fecc13f8323 in nsIDocument::MaybeResolveReadyForIdle() src/dom/base/nsDocument.cpp:10378:19
    #15 0x7fecc13f697b in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5210:5
    #16 0x7fecc13f9646 in nsIDocument::UnblockDOMContentLoaded() src/dom/base/nsDocument.cpp:5449:5
    #17 0x7fecc13f9040 in nsDocument::EndLoad() src/dom/base/nsDocument.cpp:5421:3
    #18 0x7fecc6b9cbe4 in mozilla::dom::XMLDocument::EndLoad() src/dom/xml/XMLDocument.cpp:590:15
    #19 0x7fecc6ba37c8 in nsXMLContentSink::DidBuildModel(bool) src/dom/xml/nsXMLContentSink.cpp:338:16
    #20 0x7fecbfb876d2 in DidBuildModel src/parser/htmlparser/nsParser.cpp:492:37
    #21 0x7fecbfb876d2 in nsParser::ResumeParse(bool, bool, bool) src/parser/htmlparser/nsParser.cpp:1102
    #22 0x7fecbfb8ce8e in nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/parser/htmlparser/nsParser.cpp:1477:10
    #23 0x7fecc110513a in mozilla::dom::DOMParser::ParseFromStream(nsIInputStream*, nsTSubstring<char16_t> const&, int, mozilla::dom::SupportedType, mozilla::ErrorResult&) src/dom/base/DOMParser.cpp:229:18
    #24 0x7fecc1103b80 in mozilla::dom::DOMParser::ParseFromString(nsTSubstring<char16_t> const&, mozilla::dom::SupportedType, mozilla::ErrorResult&) src/dom/base/DOMParser.cpp:104:10
    #25 0x7fecc3a6e1d3 in mozilla::dom::DOMParser_Binding::parseFromString(JSContext*, JS::Handle<JSObject*>, mozilla::dom::DOMParser*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DOMParserBinding.cpp:82:49
    #26 0x7fecc4540744 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3376:13
    #27 0x7feccd93c2ad in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #28 0x7feccd93c2ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #29 0x7feccd925f07 in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #30 0x7feccd925f07 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #31 0x7feccd9094a6 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #32 0x7feccd93cc51 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #33 0x7feccd93eea5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:664:14
    #34 0x7feccd940611 in js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>) src/js/src/vm/Interpreter.cpp:720:10
    #35 0x7feccc9d881f in js::ForwardingProxyHandler::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:198:10
    #36 0x7feccc98fd44 in js::CrossCompartmentWrapper::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:378:23
    #37 0x7fecbf2fb2b0 in xpc::JSXrayTraits::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) src/js/xpconnect/wrappers/XrayWrapper.cpp
    #38 0x7feccc9b5871 in js::Proxy::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:581:21
    #39 0x7feccd93ef5b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:674:16
    #40 0x7feccd925dd6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3453:18
    #41 0x7feccd9094a6 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #42 0x7feccd93cc51 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #43 0x7feccd93e8d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #44 0x7fecccea77ff in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/VMFunctions.cpp:112:12
    #45 0x7fecccea8c18 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) src/js/src/jit/VMFunctions.cpp:142:10
    #46 0x3a77390d3f93  (<unknown module>)
Keywords: crash
Flags: needinfo?(emilio)
Priority: -- → P2
So, in my build this hits this other assertion:

  https://searchfox.org/mozilla-central/rev/55895c49f55073d82d977cb74ec1d3a71ae4b25f/dom/base/Element.cpp#1663

What's going on is that we're adopting a shadow host (the <video> element), but we're running very close to the stack limit because of the NodeRemoved event invoking itself recursively.

So we hit this failure path:

  https://searchfox.org/mozilla-central/rev/55895c49f55073d82d977cb74ec1d3a71ae4b25f/dom/base/nsNodeUtils.cpp#570

Note that there newNodeInfo is actually the _old_ node info, since we had called swap already. The failure path from CloneAndAdopt effectively leaves a tree in an inconsistent state, where some of the ancestors are adopted by one document, but some of the descendants aren't.

We deal with this failure case when there's no shadow DOM in:

  https://searchfox.org/mozilla-central/rev/55895c49f55073d82d977cb74ec1d3a71ae4b25f/dom/base/nsDocument.cpp#7196

But we need to deal with it somehow when there's a ShadowRoot.
Assignee: nobody → emilio
Blocks: shadowdom
Flags: needinfo?(emilio)
We can use the unattach shadow stuff because BlastSubtreeToPieces will remove
all the slots.
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/95a0973a3735
Make BlastSubtreeToPieces handle Shadow DOM. r=smaug
https://hg.mozilla.org/mozilla-central/rev/95a0973a3735
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
status-firefox63: --- → wontfix
status-firefox64: --- → wontfix
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: