Assertion failure: aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 0)) || aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 2)) || aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 26)
Categories
(Core :: Layout, defect)
Tracking
()
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 4a692c812a3f. In order to reproduce this issue, a build with --enable-fuzzing must be used.
Assertion failure: aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 0)) || aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 2)) || aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 26)) || aState == (mozilla::EventStates(mozilla::EventStates::InternalType(1) << 8)) (Unexpected state), at /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5249
rax = 0x0000557238d66e40 rdx = 0x0000000000000000
rcx = 0x00007fe7346b7299 rbx = 0x00007fffb2011fe0
rsi = 0x00007fe73f77a8b0 rdi = 0x00007fe73f779680
rbp = 0x00007fffb2011fc0 rsp = 0x00007fffb2011f40
r8 = 0x00007fe73f77a8b0 r9 = 0x00007fe7408d7740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000001 r13 = 0x0000000000000008
r14 = 0x00007fffb20120a0 r15 = 0x00007fffb2012078
rip = 0x00007fe730607f7b
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::EventStateManager::SetContentState(nsIContent*, mozilla::EventStates)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|5245|0x0
0|1|libxul.so|mozilla::dom::InspectorUtils::SetContentState(mozilla::dom::GlobalObject&, mozilla::dom::Element&, unsigned long, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:layout/inspector/InspectorUtils.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|555|0x16
0|2|libxul.so|mozilla::dom::InspectorUtils_Binding::setContentState|s3:gecko-generated-sources:7c99fcabae9f879cad43f55f79d0baea0a1e0843411367862b74e867384667e26964c7a90f0f305af4624cf8bf27ea8a320da648a4f431275515461493bfbaed/dom/bindings/InspectorUtilsBinding.cpp:|3932|0x11
0|3|libxul.so|CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|442|0x6
0|4|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|534|0xf
0|5|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|589|0xd
0|6|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|593|0xf
0|7|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|422|0xb
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|562|0xf
0|9|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|589|0xd
0|10|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|605|0x5
0|11|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|2621|0x1c
0|12|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:b504f583ed3111ab416617cd63caa012e7478d0516eb5d3bc3cd43cef007715c1a91854c0528b0ec8e85f6341ccebf73a1b2c32556687ebaf4023e3c38ff4197/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|13|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|14|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1039|0x1e
0|15|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1239|0x19
0|16|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:4a692c812a3fe2f893d2a6e25b9490b38415c907|356|0x6
0|17|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|553|0x12
0|18|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1049|0x1a
0|19|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1102|0x25
0|20|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|6596|0x18
0|21|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|6397|0x18
0|22|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1312|0x2b
0|23|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|871|0x22
0|24|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|709|0x15
0|25|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|597|0x16
0|26|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|568|0x17
0|27|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|7743|0x20
0|28|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|7675|0x8
0|29|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|4816|0xd
0|30|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:4a692c812a3fe2f893d2a6e25b9490b38415c907|1122|0x13
0|31|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|295|0x15
0|32|libxul.so|nsThread::ProcessNextEvent(bool, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|1180|0x15
0|33|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|482|0x11
0|34|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|88|0xa
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4a692c812a3fe2f893d2a6e25b9490b38415c907|315|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4a692c812a3fe2f893d2a6e25b9490b38415c907|308|0x8
0|37|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|137|0xd
0|38|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|933|0x11
0|39|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|238|0x5
0|40|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4a692c812a3fe2f893d2a6e25b9490b38415c907|315|0x17
0|41|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4a692c812a3fe2f893d2a6e25b9490b38415c907|308|0x8
0|42|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|771|0xc
0|43|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|56|0x14
0|44|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4a692c812a3fe2f893d2a6e25b9490b38415c907|263|0x11
0|45|libc-2.27.so||||0x21b97
0|46|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4a692c812a3fe2f893d2a6e25b9490b38415c907|184|0x5
|
||
Updated•6 years ago
|
|
Reporter | |
Updated•6 years ago
|
|
Assignee | |
Comment 1•6 years ago
|
||
Had missed this, sorry, will get to it. Jason, feel free to ni? an all the layout-ish bugs that block you.
|
|
Assignee | |
Comment 2•6 years ago
|
||
|
||
Comment 4•6 years ago
|
||
| bugherder | ||
|
||
Updated•6 years ago
|
Description
•