Open Bug 1547053 Opened 5 years ago Updated 3 years ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: No target found?), at /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1349

Categories

(Core :: DOM: Events, defect, P3)

Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 0ec836eceb96.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: No target found?), at /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1349

rax = 0x0000556519877e40 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007ff7800915a2
rsi = 0x00007ff78b1d58b0 rdi = 0x00007ff78b1d4680
rbp = 0x00007ffd067aac50 rsp = 0x00007ffd067aabf0
r8 = 0x00007ff78b1d58b0 r9 = 0x00007ff78c33f740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffd067ac2a8 r13 = 0x0000000000000000
r14 = 0x00007ffd067aaca0 r15 = 0x00007ff758ddec00
rip = 0x00007ff77bf8ebe8
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::EventDispatcher::GetComposedPathFor(mozilla::WidgetEvent*, nsTArray<RefPtr<mozilla::dom::EventTarget> >&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1369|0x3e
0|1|libxul.so|mozilla::dom::Event_Binding::composedPath|s3:gecko-generated-sources:864de070aac922224520db037a1485fb08cd2efc444497c6e30e13e3248aa77520c1000fec3fe01b13e65930534751fa529c54a6f1c57e9c238ff80c31665248/dom/bindings/EventBinding.cpp:|377|0xf
0|2|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3153|0x24
0|3|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|443|0x13
0|4|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|535|0x12
0|5|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|6|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|594|0xf
0|7|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|423|0xb
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|563|0xf
0|9|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|10|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|606|0x5
0|11|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2636|0x1c
0|12|libxul.so|mozilla::dom::OnBeforeUnloadEventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, nsTString<char16_t>&, mozilla::ErrorResult&)|s3:gecko-generated-sources:07034a91c20d743b6b1cb0050fb45856e506111933106e79effdb8dcee60d394334ccec99923dca240d02a8a2423627e46882951c1689b39a2e7f0665bac7e9b/dom/bindings/EventHandlerBinding.cpp:|313|0x5
0|13|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|176|0x12f
0|14|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1045|0xc
0|15|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1240|0x19
0|16|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|351|0x6
0|17|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|551|0x12
0|18|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1047|0x1a
0|19|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1147|0x19
0|20|libxul.so|nsDocumentViewer::PermitUnloadInternal(unsigned int*, bool*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1263|0x5
0|21|libxul.so|nsDocumentViewer::PermitUnload(unsigned int, bool*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1189|0x9
0|22|libxul.so|nsGlobalWindowOuter::CanClose()|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|6110|0x16
0|23|libxul.so|nsGlobalWindowOuter::CloseOuter(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|6167|0x16
0|24|libxul.so|mozilla::dom::Window_Binding::close|s3:gecko-generated-sources:9a7636554a2bd98f73e6ee643cd1c252ade94b2ce25e1e06713b02b9aeb4c3ab6d1f8aeacb2e461997d42382d96d64994bd4bf4bf120094a6bbfb48244030801/dom/bindings/WindowBinding.cpp:|2089|0x19
0|25|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::CrossOriginThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|3153|0x24
0|26|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|443|0x13
0|27|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|535|0x12
0|28|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|29|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|594|0xf
0|30|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|423|0xb
0|31|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|563|0xf
0|32|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|590|0xd
0|33|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|606|0x5
0|34|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|2636|0x1c
0|35|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|36|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|37|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1040|0x1e
0|38|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1240|0x19
0|39|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|351|0x6
0|40|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|551|0x12
0|41|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1047|0x1a
0|42|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1147|0x19
0|43|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1028|0x5
0|44|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4062|0x30
0|45|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4033|0x19
0|46|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4981|0x40
0|47|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:0ec836eceb969c548067cee6de2ea213513a43d5|1174|0x13
0|48|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1180|0x15
0|49|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|486|0x11
0|50|libxul.so|nsThread::Shutdown()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|882|0xd
0|51|libxul.so|mozilla::CryptoTask::Run()|hg:hg.mozilla.org/mozilla-central:security/manager/ssl/CryptoTask.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|46|0x12
0|52|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|1180|0x15
0|53|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|486|0x11
0|54|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|88|0xa
0|55|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|315|0x17
0|56|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0ec836eceb969c548067cee6de2ea213513a43d5|290|0x8
0|57|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|137|0xd
0|58|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|270|0xe
0|59|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4584|0x11
0|60|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4722|0x8
0|61|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|4803|0x5
0|62|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|212|0x22
0|63|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:0ec836eceb969c548067cee6de2ea213513a43d5|291|0xd
0|64|libc-2.27.so|__libc_start_main|||0xe7
0|65|firefox-bin|_start|||0x29

Flags: in-testsuite?
Flags: needinfo?(emilio)
Priority: -- → P2

There's no test-case attached?

Flags: needinfo?(emilio) → needinfo?(jkratzer)
Attached file testcase.html

Oops! My mistake. I've attached it here.

Flags: needinfo?(jkratzer)

Thanks!

Flags: needinfo?(emilio)

I haven't been able to reproduce this at all, with and without chaos mode and e10s. Is there some special pref I need for this to reproduce?

Flags: needinfo?(emilio) → needinfo?(jkratzer)
Attached file prefs.js

Emilio, I can reproduce it reliably using the attached prefs.

Via ffpuppet (https://github.com/MozillaSecurity/ffpuppet/tree/master/ffpuppet):
python -m ffpuppet -p prefs.js --xvfb -d -l log ~/mc-debug/firefox -u testcase.html

Flags: needinfo?(jkratzer)

Thanks!

Flags: needinfo?(emilio)

So, what's happening here is that the inner window for the current outer (which is the Event::mCurrentTarget) changes while dispatching the event due to the XHR.

mCurrentTarget is the outer window:

https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/widget/BasicEvents.h#566

But when we get to here:

https://searchfox.org/mozilla-central/rev/b756e6d00728dda4121f8278a744381d8643317a/dom/events/EventDispatcher.cpp#1363

The result of GetTargetForEventTargetChain is already another window (and thus not in the current path).

Olli, Anne, should I just return the empty event path for this case? Store the result of GetTargetForEventTargetChain before dispatching the event? Something else?

Flags: needinfo?(emilio)
Flags: needinfo?(bugs)
Flags: needinfo?(annevk)
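
The mismatch described in the comment above, reduced to a small C++ model. This is an added example, not code from the bug or from Gecko: every struct and function name is hypothetical, and TargetForChain() only stands in for GetTargetForEventTargetChain. It shows the late lookup failing once the inner window is swapped, next to the two options the comment proposes.

```cpp
#include <cstdio>
#include <vector>

// Simplified model; these structs are hypothetical, not Gecko's classes.
struct InnerWindow { int id; };

struct OuterWindow {
  InnerWindow* inner;  // replaced when a new document is loaded into the window
  // Stands in for GetTargetForEventTargetChain(): outer -> *current* inner.
  InnerWindow* TargetForChain() const { return inner; }
};

struct Event {
  OuterWindow* currentTarget;      // the event keeps the outer window
  std::vector<InnerWindow*> path;  // chain captured when dispatch started
  InnerWindow* targetAtDispatch;   // option 2: resolved once, up front
};

Event BeginDispatch(OuterWindow& outer) {
  InnerWindow* t = outer.TargetForChain();
  return Event{&outer, {t}, t};
}

// Index of `t` in the captured chain, or -1 if it is not part of it.
int IndexInPath(const Event& e, const InnerWindow* t) {
  for (std::size_t i = 0; i < e.path.size(); ++i)
    if (e.path[i] == t) return static_cast<int>(i);
  return -1;
}

// Late resolution: re-reads the inner window at call time. A result of -1 is
// the "No target found?" state named by the assertion.
int FindLate(const Event& e) {
  return IndexInPath(e, e.currentTarget->TargetForChain());
}

// Option 1 from the comment: return the empty path when nothing matches.
std::vector<InnerWindow*> ComposedPathOrEmpty(const Event& e) {
  if (FindLate(e) < 0) return {};
  return e.path;
}

// Option 2 from the comment: use the target stored before dispatch.
std::vector<InnerWindow*> ComposedPathStored(const Event& e) {
  if (IndexInPath(e, e.targetAtDispatch) < 0) return {};
  return e.path;
}

int main() {
  InnerWindow first{1}, second{2};
  OuterWindow win{&first};
  Event e = BeginDispatch(win);
  win.inner = &second;  // inner window swapped while the event is in flight
  std::printf("late=%d empty=%zu stored=%zu\n", FindLate(e), ComposedPathOrEmpty(e).size(), ComposedPathStored(e).size());
}
```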

Per the standard this cannot arise, as nested event loops of this kind are not really supported. I think it would be best if JavaScript continued to see "window", even if the underlying object changed, as, to JavaScript, object identity will have been preserved.

Flags: needinfo?(annevk)
Severity: normal → S3
Flags: needinfo?(bugs)
Priority: P2 → P3

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.

Whiteboard: [bugmon:confirmed]