Closed Bug 1514434 Opened 1 year ago Closed 1 year ago

Assertion failure: GetHost() (ShadowRoot always has a host, how did we create this ShadowRoot?), at src/obj-firefox/dist/include/mozilla/dom/ShadowRoot.h:65

Categories

(Core :: DOM: Core & HTML, defect)

Unspecified
Android
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1510848
Tracking Status
geckoview65 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html
Assertion failure: GetHost() (ShadowRoot always has a host, how did we create this ShadowRoot?), at src/obj-firefox/dist/include/mozilla/dom/ShadowRoot.h:65

0|libxul.so|mozilla::dom::ShadowRoot::Host() const|hg:hg.mozilla.org/mozilla-central:dom/base/ShadowRoot.h:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|63|0x0
1|libxul.so|mozilla::dom::ShadowRoot_Binding::get_host(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ShadowRoot*, JSJitGetterCallArgs)|s3:gecko-generated-sources:9faaeb8764af24979a53b5b0a4a02d13dc43a5138905dfcc1a8c5ac92a0bdabbff39f13639bb6bbc183a90c00ca70ea20cdb6361de489ba87f2dc2b7ac12a12e/dom/bindings/ShadowRootBinding.cpp:|103|0x9
2|libxul.so|bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2958|0xd
3|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|443|0xe
4|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|535|0xb
5|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|590|0x14
6|libxul.so|js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|606|0x9
7|libxul.so|bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2246|0x1d
8|libxul.so|bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2547|0x16
9|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2584|0x10
10|libxul.so|js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const|hg:hg.mozilla.org/mozilla-central:js/src/vm/ObjectOperations-inl.h:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|117|0x1b
11|libxul.so|js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const|hg:hg.mozilla.org/mozilla-central:js/src/proxy/CrossCompartmentWrapper.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|196|0x1c
12|libxul.so|js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Proxy.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|372|0x22
13|libxul.so|js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Proxy.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|380|0x19
14|libxul.so|js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/ObjectOperations-inl.h:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|114|0x18
15|libxul.so|js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4739|0x21
16|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|215|0x29
17|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|423|0x9
18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|563|0xd
19|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|590|0x14
20|libxul.so|js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|606|0x9
21|libxul.so|bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2246|0x1d
22|libxul.so|bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType)|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2547|0x16
23|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/NativeObject.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2584|0x10
24|libxul.so|js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/ObjectOperations-inl.h:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|117|0x1b
25|libxul.so|js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4739|0x21
26|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|215|0x29
27|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|423|0x9
28|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|563|0xd
29|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|590|0x14
30|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|606|0x7
31|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|2649|0x2a
32|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:b504f583ed3111ab416617cd63caa012e7478d0516eb5d3bc3cd43cef007715c1a91854c0528b0ec8e85f6341ccebf73a1b2c32556687ebaf4023e3c38ff4197/dom/bindings/EventListenerBinding.cpp:|52|0x24
33|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x17
34|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1040|0x26
35|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1239|0x1d
36|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|346|0x18
37|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|584|0x18
38|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|628|0x1d
39|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1038|0x23
40|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|0|0xb
41|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1029|0x21
42|libxul.so|nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4073|0xa
43|libxul.so|nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4043|0x1c
44|libxul.so|mozilla::PendingFullscreenEvent::Dispatch()|hg:hg.mozilla.org/mozilla-central:dom/events/PendingFullscreenEvent.h:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|52|0x16
45|libxul.so|nsRefreshDriver::RunFullscreenSteps()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1460|0x8
46|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1742|0x8
47|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|327|0x1e
48|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|320|0x25
49|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|726|0x1e
50|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|487|0x1e
51|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|1157|0x8
52|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|468|0x11
53|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|88|0x10
54|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|314|0xb
55|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|307|0xb
56|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|137|0x9
57|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|271|0x9
58|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4616|0x8
59|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4754|0x8
60|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|4839|0xf
61|libxul.so|GeckoStart|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAndroidStartup.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|47|0xd
62|libxul.so|mozilla::BootstrapImpl::GeckoStart(_JNIEnv*, char**, int, mozilla::StaticXREAppData const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|71|0x11
63|libmozglue.so|Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun|hg:hg.mozilla.org/mozilla-central:mozglue/android/APKOpen.cpp:d02d14a3dd6e172c4cc8efb5c749752d3893fc90|371|0x18
64|base.odex||||0x8eeab7
Flags: in-testsuite?
Flags: needinfo?(timdream)
I cannot reproduce this on desktop artifact build... will try other routes.
I cannot produce that on fennec artifact debug build either. What's right configuration to reproduce this? Thanks.

(full-screen-api.allow-trusted-requests-only is set to false already)
Flags: needinfo?(twsmith)
Could this already be fixed by bug 1510848 or bug 1511130 which is also found by fuzzing? They are pushed to autoland around the same time this bug is filed.

Tyson, do you have the infra to reproduce this in a new build on your setup?
I can repro with:
BuildID=20181214220012
SourceStamp=d02d14a3dd6e172c4cc8efb5c749752d3893fc90

but not with:
BuildID=20181217164224
SourceStamp=a7eb50b9dc42dd9ab02c334057fd7558c434b2e9

So I'm guessing you are right. Feel free to close and/or land the test case if you feel it is useful. I can always reopen if the fuzzers hit it again in the future.
Flags: needinfo?(twsmith)
Wonderful. Since the test detects the same problem, let's not land it.
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(timdream)
Resolution: --- → DUPLICATE
Duplicate of bug: 1510848
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.