1539742 - Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?)

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Nils]

Attachment: mini.svg

The following testcase crashes the latest ASAN build of Firefox 68.0a1. It requires the attached mini.svg file.

crash.html:
<script>
function spin() {
var x=new XMLHttpRequest();
x.open("POST","https://mozilla.org/",false);
try{x.send("X");}catch(e){}
}

function start() {
o22=document.createElementNS('http://www.w3.org/2000/svg', 'foreignObject');
o476=(new DOMParser()).parseFromString(unescape(''),'text/html');
o1034=document.documentElement;
o1208=function() {let x=o476.querySelectorAll(':not([id])');return x[x.length-1]}();
document.replaceChild(o476.documentElement,document.documentElement);
document.documentElement.appendChild(o1034);
o1495=document.createElement('style');;
o1208.appendChild(o1495);
o1705=document.createElement('iframe');;
o1705.src='mini.svg';
window.top.document.body.appendChild(o1705);
o1495.innerHTML='{ }\n{ ; display: block;';
o1892=document.createElement('style');;
o1893=document.createTextNode('@keyframes key7{ from{ font-size-adjust: none }}\n* { animation-name: key7;');;;
o1892.appendChild(o1893);
o1034.appendChild(o1892);
spin();
o2348=window.top.frames[0];;
o2349=o2348.document;;
o2350=o2349.documentElement;;
document.documentElement.appendChild(o2350);
location.reload();
}
</script>
<body onload="start()"></body>

ASAN output:
Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2694
AddressSanitizer:DEADLYSIGNAL

==19581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fed904e6a91 bp 0x7ffec8d34070 sp 0x7ffec8d33d00 T0)
==19581==The signal is caused by a WRITE memory access.
==19581==Hint: address points to the zero page.
#0 0x7fed904e6a90 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2800:12
#1 0x7fed904e6a90 in IsBlockFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:12
#2 0x7fed904e6a90 in IsBlockOutside /builds/worker/workspace/build/src/layout/style/nsStyleStructInlines.h:74
#3 0x7fed904e6a90 in IsBlockOutside /builds/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:66
#4 0x7fed904e6a90 in IsColumnSpan /builds/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:74
#5 0x7fed904e6a90 in IsColumnSpanInMulticolSubtree /builds/worker/workspace/build/src/layout/generic/nsIFrameInlines.h:78
#6 0x7fed904e6a90 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2705
#7 0x7fed904e5419 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2888:13
#8 0x7fed904e8e73 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3089:28
#9 0x7fed9047d729 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3178:3
#10 0x7fed9047d729 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4122
#11 0x7fed903e74b5 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:580:5
#12 0x7fed903e74b5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1893
#13 0x7fed903fbdc9 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:13
#14 0x7fed903fbdc9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319
#15 0x7fed903fb6b8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:5
#16 0x7fed903ffb2f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:783:5
#17 0x7fed903ffb2f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:703
#18 0x7fed903febec in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:598:9
#19 0x7fed90ef4295 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#20 0x7fed875a8d2b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#21 0x7fed871566f7 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2828:28
#22 0x7fed8699f7b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#23 0x7fed8699b4fa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#24 0x7fed8699d737 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#25 0x7fed8699e4c7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#26 0x7fed856cac71 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#27 0x7fed856d307d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#28 0x7fed8f81c044 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2939:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#29 0x7fed8f81c044 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2939
#30 0x7fed8f819baa in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2757:11
#31 0x7fed8c0788c6 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1342:9
#32 0x7fed8ce4fe61 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#33 0x7fed945e1137 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#34 0x7fed945e1137 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#35 0x7fed945c954a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#36 0x7fed945c954a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#37 0x7fed945ab578 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#38 0x7fed945e1aa6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#39 0x7fed945e36f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#40 0x7fed951d9929 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2621:10
#41 0x7fed8c452a19 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
#42 0x7fed8d718cc2 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#43 0x7fed8d718cc2 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
#44 0x7fed8d6caf0a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1044:22
#45 0x7fed8d6cd4e3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1239:17
#46 0x7fed8d6ad590 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#47 0x7fed8d6ad590 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#48 0x7fed8d6ab7b8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#49 0x7fed8d6b2403 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1048:11
#50 0x7fed905ad198 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1102:7
#51 0x7fed9346cb5c in nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6596:21
#52 0x7fed9346bc88 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6397:7
#53 0x7fed934717f7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#54 0x7fed88197905 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1312:3
#55 0x7fed881964ec in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:871:14
#56 0x7fed88190b21 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:709:9
#57 0x7fed88194740 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:597:5
#58 0x7fed88196014 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#59 0x7fed859697e7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#60 0x7fed89a15cfa in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7743:18
#61 0x7fed89a15cfa in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7675
#62 0x7fed89a1475f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4816:3
#63 0x7fed89b1905b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#64 0x7fed89b1905b in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#65 0x7fed89b1905b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#66 0x7fed8568b2f5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#67 0x7fed856cac71 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#68 0x7fed856d307d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#69 0x7fed869a8bbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#70 0x7fed8687f08e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#71 0x7fed8687f08e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#72 0x7fed8687f08e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#73 0x7fed8fd03023 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#74 0x7fed942f78be in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#75 0x7fed8687f08e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#76 0x7fed8687f08e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#77 0x7fed8687f08e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#78 0x7fed942f6a4c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#79 0x559ef4751834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#80 0x559ef4751834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#81 0x7feda9234b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#82 0x559ef4676ebc in _start (/home/nils/browser/firefox/firefox/firefox+0x2debc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2800:12 in Type
==19581==ABORTING

Comment 1

[Emilio Cobos Álvarez (:emilio)]

Will take a look, thanks Nils :)

Comment 2

[Emilio Cobos Álvarez (:emilio)]

I wasn't able to repro this, both serving the page from a local server and without serving it.

Also, I'm a bit confused about the report, the ASAN stack points to a null dereference in nsIFrame::Type(), but the bug title is an assertion failure.

Is there any pref needed to trigger this crash that I might be missing?

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1539742 - Notify of appends to the right document when parsing into an already-adopted node. r=hsivonen,bzbarsky

nsContentSink used to decide that it was fine to not notify of silent appends to
a document from the parser if the node was not on our document already.

That's not ok, since if styling or layout have happened already on the document
we're getting inserted into nobody notices them, which is wrong.

Comment 4

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cf6cfe334766
Notify of appends to the right document when parsing into an already-adopted node. r=bzbarsky

Comment 5

[Oana Pop-Rus]

https://hg.mozilla.org/mozilla-central/rev/cf6cfe334766

Comment 6

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/16286 for changes under testing/web-platform/tests