Closed Bug 1616407 Opened 5 years ago Closed 5 years ago

Assertion failure: !mStyleSets.Contains(aStyleSet) (style set already registered), at src/layout/style/StyleSheet.cpp:451

Categories

(Core :: CSS Parsing and Computation, defect, P3)

RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- disabled
firefox75 --- fixed

People

(Reporter: tsmith, Assigned: nordzilla)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c 20200218-a5e2eb343af7
Requires layout.css.constructable-stylesheets.enabled=true

Assertion failure: !mStyleSets.Contains(aStyleSet) (style set already registered), at src/layout/style/StyleSheet.cpp:451

#0 mozilla::StyleSheet::AddStyleSet(mozilla::ServoStyleSet*) src/layout/style/StyleSheet.cpp:450:3
#1 mozilla::ServoStyleSet::AddDocStyleSheet(mozilla::StyleSheet*) src/layout/style/ServoStyleSet.cpp:652:11
#2 AddStyleSheetToStyleSets src/dom/base/Document.cpp:6555:16
#3 mozilla::dom::Document::AppendAdoptedStyleSheet(mozilla::StyleSheet&) src/dom/base/Document.cpp:2720:5
#4 mozilla::dom::Document::SetAdoptedStyleSheets(mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::StyleSheet> > const&, mozilla::ErrorResult&) src/dom/base/Document.cpp:16204:5
#5 mozilla::dom::Document_Binding::set_adoptedStyleSheets(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/DocumentBinding.cpp:9559:24
#6 bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3118:8
#7 CallJSNative src/js/src/vm/Interpreter.cpp:477:13
#8 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:569:12
#9 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:632:10
#10 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:649:8
#11 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:787:10
#12 SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2956:8
#13 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2985:14
#14 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/ObjectOperations-inl.h:283:10
#15 js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) src/js/src/proxy/BaseProxyHandler.cpp:166:14
#16 mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const src/dom/bindings/DOMJSProxyHandler.cpp:243:10
#17 setInternal src/js/src/proxy/Proxy.cpp:383:19
#18 js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/proxy/Proxy.cpp:391:10
#19 JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/JSObject.cpp:1244:10
#20 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/ObjectOperations-inl.h:280:12
#21 SetPropertyOperation src/js/src/vm/Interpreter.cpp:272:10
#22 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2806:12
#23 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:449:10
#24 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:604:13
#25 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:632:10
#26 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:649:8
#27 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2797:10
#28 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#29 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#30 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1073:43
#31 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1271:17
#32 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#33 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#34 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1055:11
#35 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#36 nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1269:17
#37 nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:4077:28
#38 nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:4047:10
#39 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7249:3
#40 applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1160:12
#41 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1166:12
#42 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1212:13
#43 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:282:20
#44 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#45 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:481:10
#46 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#47 RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#48 RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#49 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#50 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#51 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:943:20
#52 RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#53 RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#54 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#55 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:778:34
#56 content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#57 main src/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?

Tyson,

Thank you for submitting this. I am aware of this behavior with the current implementation.

I have an open issue on the Constructable StyleSheets specification to potentially disallow this behavior entirely (which would throw a NotAllowed error in this case).

I think that :heycam is trying to follow up on this issue this week with some of the other folks involved with the specification.

Flags: needinfo?(cam)
Assignee: nobody → enordin
Status: NEW → ASSIGNED
Priority: -- → P3
Pushed by shindli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fc45c8fbbb31
Add crash test for fuzzer test case r=emilio
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ mozilla::StyleSheet::AddStyleSet]
Flags: needinfo?(cam)