Closed Bug 1525831 Opened 10 months ago Closed 10 months ago

Crash in ShadowRoot.cpp

Categories

(Core :: DOM: Core & HTML, defect, P2)

Tracking

RESOLVED FIXED
mozilla67
Tracking Status
firefox67 --- fixed

People

(Reporter: fabrice, Assigned: fabrice)

Attachments

(1 file)

I have seen this crash in a js module creating a Custom Element:

#0  0x00007f9eb0b496a0 in __GI___nanosleep
    (requested_time=requested_time@entry=0x7ffc62e8dd30, remaining=remaining@entry=0x7ffc62e8dd30)
    at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f9eb0b495aa in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#2  0x00007f9ea6699a50 in ah_crap_handler(int) (signum=11)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/toolkit/xre/nsSigHandlers.cpp:95
#3  0x00007f9ea668186a in nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*)
    (signo=11, info=0x7ffc62e8dff0, context=0x7ffc62e8dec0)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/toolkit/profile/nsProfileLock.cpp:174
#4  0x00007f9ea74c530b in WasmTrapHandler(int, siginfo_t*, void*)
    (signum=11, info=0x7ffc62e8dff0, context=<optimized out>)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/js/src/wasm/WasmSignalHandlers.cpp:928
#5  0x00007f9eb0f9edd0 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#6  0x00007f9ea34ae824 in nsCOMPtr<nsIContent>::operator->() const (this=<optimized out>)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/obj-quetzal/dist/include/nsCOMPtr.h:842
#7  0x00007f9ea3bc33ef in mozilla::dom::ShadowRoot::GetEventTargetParent(mozilla::EventChainPreVisitor&)
    (this=0x7f9e96e95190, aVisitor=...)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/base/ShadowRoot.cpp:460
#8  0x00007f9ea4a2a25f in mozilla::EventTargetChainItem::GetEventTargetParent(mozilla::EventChainPreVisitor&) (this=0x7f9e9ef21058, aVisitor=...)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/events/EventDispatcher.cpp:419
#9  0x00007f9ea4a2ba85 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=<optimized out>, aPresContext=0x7f9e988d8800, aEvent=
    0x7f9e96930e50, aDOMEvent=<optimized out>, aEventStatus=0x7ffc62e8e954, aCallback=0x0, aTargets=0x0)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/events/EventDispatcher.cpp:959
#10 0x00007f9ea4a2d714 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)
    (aTarget=0x7f9e9a769ae0, aEvent=<optimized out>, aDOMEvent=<optimized out>, aPresContext=0x7f9e988d8800, aEventStatus=0x7ffc62e8e954)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/events/EventDispatcher.cpp:1138
#11 0x00007f9ea3c3c8ec in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) (this=0x7f9e9a769ae0, aEvent=..., aCallerType=mozilla::dom::CallerType::System, aRv=...)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/base/nsINode.cpp:1028
#12 0x00007f9ea3a7e03b in nsContentUtils::DispatchChromeEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*)
    (aDoc=<optimized out>, aTarget=<optimized out>, aEventName=
    ..., aCanBubble=<optimized out>, aCancelable=<optimized out>, aDefaultAction=0x0)
    at /media/fabrice/c13a996b-93e3-43ce-a1ab-9fb508c2cdbb/dev/gecko-dev/dom/base/nsContentUtils.cpp:4248
#13 0x00007f9ea3bfe652 in nsContentSink::NotifyDocElementCreated(mozilla::dom::Document*)
    (aDoc=0x7f9e96b9b000)

I'll see if I can reproduce it with a smaller test case than my current code.

Attached patch shadowroot.patch

That fixes it for me, no idea if that is a symptom of some other issue though.

Assignee: nobody → fabrice
Attachment #9042014 - Flags: review?(bugs)

What JS module? UAWidget thingie? I wouldn't be surprised if UAWidgets cause still more issues.

Comment on attachment 9042014 [details] [diff] [review]
shadowroot.patch

I guess we can take this, but this does hint at a problem, probably someone is dispatching an event in a wrong way or something.
Attachment #9042014 - Flags: review?(bugs) → review+

(In reply to Olli Pettay [:smaug] (massive needinfo queue, ping on IRC on anything urgent) from comment #2)

> What JS module? UAWidget thingie? I wouldn't be surprised if UAWidgets cause still more issues.

No, that's regular content JS.

Summary: Crash in → Crash in ShadowRoot.cpp

Oh, I see, we're dispatching to document. So there must be shadowDOM somewhere in chrome code.

Priority: -- → P2
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f6c8336fa7d2
let originaltarget be non-nsIContent in ShadowRoot, r=smaug
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
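
A simplified model of the failure this thread converges on, added here as an example; it is not the attached patch and not Gecko code. It shows an event whose original target is a document rather than content reaching a check that dereferences the target as content. `EventTarget`, `Content`, `Document`, `CheckedPtr` and the `BoundToHost*` functions are hypothetical stand-ins, and the throwing `operator->` takes the place of the crash in frame #6 so the failure can be observed.

```cpp
#include <stdexcept>

// Simplified stand-ins for the types named in the trace (assumed names,
// not Gecko's real classes).
struct EventTarget { virtual ~EventTarget() = default; };
struct Content : EventTarget { const EventTarget* bindingParent = nullptr; };
struct Document : EventTarget {};  // an event target that is not content

// Smart pointer whose operator-> refuses to dereference null. It throws
// here (an assumption of this model) so the fault is observable.
template <typename T>
class CheckedPtr {
 public:
  explicit CheckedPtr(T* p) : mPtr(p) {}
  explicit operator bool() const { return mPtr != nullptr; }
  T* operator->() const {
    if (!mPtr) throw std::logic_error("null dereference via operator->");
    return mPtr;
  }
 private:
  T* mPtr;
};

// QueryInterface-style cast: yields null when the target is not Content.
CheckedPtr<const Content> AsContent(const EventTarget* target) {
  return CheckedPtr<const Content>(dynamic_cast<const Content*>(target));
}

// Unguarded: assumes the event's original target is always content.
bool BoundToHostUnguarded(const EventTarget* originalTarget, const EventTarget* host) {
  return AsContent(originalTarget)->bindingParent == host;
}

// Guarded: a non-content original target simply does not match the host.
bool BoundToHostGuarded(const EventTarget* originalTarget, const EventTarget* host) {
  auto content = AsContent(originalTarget);
  return content && content->bindingParent == host;
}

// Reports whether the unguarded check faults for the given original target.
bool UnguardedFaults(const EventTarget* originalTarget, const EventTarget* host) {
  try {
    (void)BoundToHostUnguarded(originalTarget, host);
    return false;
  } catch (const std::logic_error&) {
    return true;
  }
}
```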