Open Bug 1614211 Opened 2 months ago Updated 18 days ago

Add crashtest for Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508

Categories

(Core :: DOM: Navigation, defect, P2)

defect

Tracking

()

Fission Milestone M5b
Tracking Status
firefox74 --- disabled
firefox75 --- affected

People

(Reporter: tsmith, Assigned: kmag)

References

(Blocks 2 open bugs)

Details

(4 keywords)

Attachments

(2 files)

Attached file testcase.html

Reproduced with m-c: 20200209-be2a7d1a4d0d

Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508

#0 mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*) src/docshell/base/BrowsingContext.cpp:1509:12
#1 mozilla::dom::PContentChild::SendCommitBrowsingContextTransaction(mozilla::dom::BrowsingContext*, mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext> const&, unsigned long const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:7276:5
#2 mozilla::dom::BrowsingContext::SendCommitTransaction(mozilla::dom::ContentChild*, mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext> const&, unsigned long) src/docshell/base/BrowsingContext.cpp:1244:11
#3 mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) src/obj-firefox/dist/include/mozilla/dom/SyncedContextInlines.h:41:13
#4 void mozilla::dom::BrowsingContext::SetSandboxFlags<unsigned int&>(unsigned int&) src/obj-firefox/dist/include/mozilla/dom/BrowsingContext.h:128:3
#5 nsFrameLoader::ApplySandboxFlags(unsigned int) src/dom/base/nsFrameLoader.cpp:3068:21
#6 mozilla::dom::HTMLIFrameElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) src/dom/html/HTMLIFrameElement.cpp:170:23
#7 mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) src/dom/base/Element.cpp:2352:10
#8 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2212:10
#9 mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) src/dom/base/Element.cpp:1284:12
#10 mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ElementBinding.cpp:1305:24
#11 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3170:13
#12 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:470:13
#13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:562:12
#14 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#15 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3042:16
#16 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:442:10
#17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:597:13
#18 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#19 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:642:8
#20 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2797:10
#21 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#22 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#23 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1073:43
#24 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1271:17
#25 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#26 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#27 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1055:11
#28 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#29 nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1259:17
#30 mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:178:13
#31 mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:69:12
#32 nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5376:15
#33 mozilla::dom::Document::EndUpdate() src/dom/base/Document.cpp:7116:3
#34 mozAutoDocUpdate::~mozAutoDocUpdate() src/dom/base/mozAutoDocUpdate.h:34:18
#35 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2216:1
#36 mozilla::dom::Element::SetAttr(int, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/obj-firefox/dist/include/mozilla/dom/Element.h:834:12
#37 mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) src/dom/base/Element.cpp:1279:14
#38 mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ElementBinding.cpp:1305:24
#39 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3170:13
#40 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:470:13
#41 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:562:12
#42 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#43 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3042:16
#44 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:442:10
#45 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:597:13
#46 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#47 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:642:8
#48 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2797:10
#49 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#50 void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:364:12
#51 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#52 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1079:22
#53 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1271:17
#54 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#55 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#56 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1055:11
#57 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1143:7
#58 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6102:20
#59 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5885:7
#60 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#61 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1347:3
#62 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:906:14
#63 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
#64 nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) src/uriloader/base/nsDocLoader.cpp:800:14
#65 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:728:9
#66 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
#67 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#68 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:604:22
#69 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:511:10
#70 mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:10712:18
#71 mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10644:9
#72 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7312:3
#73 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1215:13
#74 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:282:20
#75 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#76 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#77 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#78 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#79 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#80 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#81 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:943:20
#82 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#83 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#84 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#85 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:778:34
#86 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#87 main src/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?
Summary: Assertion failure: !aParam → Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508

A Pernosco session is available here: https://pernos.co/debug/KC5ahAc8r--YOiHsoNP75A/index.html

The priority flag is not set for this bug.
:kmag, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kmaglione+bmo)

fixed by bug 1615480

We should add this fuzz test as a crashtest.

M5

Fission Milestone: --- → M5
Flags: needinfo?(kmaglione+bmo)
Priority: -- → P2
Summary: Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508 → Add crash test for Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508

kmag asked me to assign this bug to him. He added the assertion.

Assignee: nobody → kmaglione+bmo
Summary: Add crash test for Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508 → Add crashtest for Assertion failure: !aParam || aParam->EverAttached(), at src/docshell/base/BrowsingContext.cpp:1508

Landing the crashtest, not sure if kmag wants to do more with this bug.

Keywords: leave-open

Moving P2 M5 bugs to M5b milestone

Fission Milestone: M5 → M5b
You need to log in before you can comment on or make changes to this bug.