Open Bug 1646812 Opened 4 years ago Updated 9 months ago

Assertion failure: IsPreviousSibling(aSourceElement, this), at /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:1117

Categories

(Core :: DOM: Core & HTML, defect)

Tracking Status
firefox79 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f291dd9e075c (built with --enable-debug).

Assertion failure: IsPreviousSibling(aSourceElement, this), at /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:1117

OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::HTMLImageElement::SourceElementMatches(mozilla::dom::Element*)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLImageElement.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1117|0x29
0|1|libxul.so|mozilla::dom::HTMLImageElement::TryCreateResponsiveSelector(mozilla::dom::Element*)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLImageElement.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1140|0xb
0|2|libxul.so|mozilla::dom::HTMLImageElement::UpdateResponsiveSource()|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLImageElement.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1077|0x15
0|3|libxul.so|mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLImageElement.cpp:f291dd9e075c239586a5b9e266db47750d19af22|893|0x8
0|4|libxul.so|mozilla::dom::ImageLoadTask::Run(mozilla::AutoSlowOperation&)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLImageElement.cpp:f291dd9e075c239586a5b9e266db47750d19af22|99|0x1e
0|5|libxul.so|mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:f291dd9e075c239586a5b9e266db47750d19af22|640|0x14
0|6|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1090|0x5
0|7|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1279|0x15
0|8|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|355|0xb
0|9|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|557|0x19
0|10|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1054|0x5
0|11|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1148|0x1c
0|12|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f291dd9e075c239586a5b9e266db47750d19af22|5686|0x18
0|13|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f291dd9e075c239586a5b9e266db47750d19af22|5428|0xb
0|14|libxul.so|non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:f291dd9e075c239586a5b9e266db47750d19af22|0|0x10
0|15|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1367|0x2b
0|16|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:f291dd9e075c239586a5b9e266db47750d19af22|937|0x28
0|17|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:f291dd9e075c239586a5b9e266db47750d19af22|757|0xe
0|18|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:f291dd9e075c239586a5b9e266db47750d19af22|640|0x12
0|19|libxul.so|non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:f291dd9e075c239586a5b9e266db47750d19af22|0|0xd
0|20|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:f291dd9e075c239586a5b9e266db47750d19af22|615|0x14
0|21|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:f291dd9e075c239586a5b9e266db47750d19af22|522|0xe
0|22|libxul.so|imgRequestProxy::RemoveFromLoadGroup()|hg:hg.mozilla.org/mozilla-central:image/imgRequestProxy.cpp:f291dd9e075c239586a5b9e266db47750d19af22|383|0x2d
0|23|libxul.so|imgRequestProxy::OnLoadComplete(bool)|hg:hg.mozilla.org/mozilla-central:image/imgRequestProxy.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1038|0x8
0|24|libxul.so|void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}>(void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7})|hg:hg.mozilla.org/mozilla-central:image/ProgressTracker.cpp:f291dd9e075c239586a5b9e266db47750d19af22|351|0x18
0|25|libxul.so|void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)|hg:hg.mozilla.org/mozilla-central:image/ProgressTracker.cpp:f291dd9e075c239586a5b9e266db47750d19af22|350|0x8
0|26|libxul.so|mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)|hg:hg.mozilla.org/mozilla-central:image/ProgressTracker.cpp:f291dd9e075c239586a5b9e266db47750d19af22|368|0x5c
0|27|libxul.so|mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::UnorientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags)|hg:hg.mozilla.org/mozilla-central:image/RasterImage.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1692|0xb
0|28|libxul.so|mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int)|hg:hg.mozilla.org/mozilla-central:image/RasterImage.cpp:f291dd9e075c239586a5b9e266db47750d19af22|986|0x26
0|29|libxul.so|mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsISupports*, nsresult, bool)|hg:hg.mozilla.org/mozilla-central:image/RasterImage.cpp:f291dd9e075c239586a5b9e266db47750d19af22|969|0xb
0|30|libxul.so|imgRequest::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:image/imgRequest.cpp:f291dd9e075c239586a5b9e266db47750d19af22|761|0x3a
0|31|libxul.so|nsJARChannel::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:modules/libjar/nsJARChannel.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1034|0x17
0|32|libxul.so|non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:modules/libjar/nsJARChannel.cpp:f291dd9e075c239586a5b9e266db47750d19af22|0|0xd
0|33|libxul.so|nsInputStreamPump::OnStateStop()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|649|0x19
0|34|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|397|0x8
0|35|libxul.so|non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|0|0xd
0|36|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|94|0x15
0|37|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1234|0xe
0|38|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|501|0xc
0|39|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|87|0x7
0|40|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|315|0x17
0|41|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|290|0x8
0|42|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:f291dd9e075c239586a5b9e266db47750d19af22|137|0xd
0|43|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f291dd9e075c239586a5b9e266db47750d19af22|913|0xe
0|44|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|237|0x5
0|45|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|315|0x17
0|46|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|290|0x8
0|47|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f291dd9e075c239586a5b9e266db47750d19af22|744|0x5
0|48|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:f291dd9e075c239586a5b9e266db47750d19af22|56|0x11
0|49|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:f291dd9e075c239586a5b9e266db47750d19af22|303|0x20
0|50|libc.so.6||||0x21b97
0|51|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:f291dd9e075c239586a5b9e266db47750d19af22|253|0x17

Flags: in-testsuite?

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200618094105-f291dd9e075c.
Failed to bisect testcase (Start build crashes!):
> Start: a440f0629814ea638bdbee6cf2f1a0425dd04c61 (20190620094631)
> End: f291dd9e075c239586a5b9e266db47750d19af22 (20200618094105)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Severity: normal → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Unable to reproduce bug 1646812 using build mozilla-central 20220723091444-f69015bf0e0a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon