Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /builds/worker/checkouts/gecko/dom/base/RadioGroupManager.cpp:139
Categories
(Core :: DOM: Forms, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | --- | unaffected |
| firefox90 | --- | verified |
People
(Reporter: jkratzer, Assigned: saschanaz)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev b5b42ed4d6a0 (built with --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b5b42ed4d6a0 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.html
Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /builds/worker/checkouts/gecko/dom/base/RadioGroupManager.cpp:139
#0 0x7ff236d3f56a in mozilla::dom::RadioGroupManager::RemoveFromRadioGroup(nsTSubstring<char16_t> const&, mozilla::dom::HTMLInputElement*) /builds/worker/checkouts/gecko/dom/base/RadioGroupManager.cpp:138:5
#1 0x7ff23851e7d4 in mozilla::dom::HTMLInputElement::WillRemoveFromRadioGroup() /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6134:14
#2 0x7ff238549170 in mozilla::dom::HTMLInputElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:4267:5
#3 0x7ff236cc2d1d in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1961:12
#4 0x7ff2385f3be2 in nsGenericHTMLElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:496:20
#5 0x7ff2385b5288 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/HTMLSharedElement.cpp:249:25
#6 0x7ff236c6c8c4 in mozilla::dom::Document::cycleCollection::Unlink(void*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:2482:12
#7 0x7ff234fb5cfe in nsCycleCollector::CollectWhite() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3081:26
#8 0x7ff234fb719b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3435:26
#9 0x7ff234fb6ea7 in nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3350:20
#10 0x7ff234fb80e6 in nsCycleCollector::Shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3644:5
#11 0x7ff234fb9b42 in nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3959:18
#12 0x7ff2350df4de in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:707:3
#13 0x7ff23afd240c in XRE_TermEmbedding() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:214:3
#14 0x7ff2359d666e in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
#15 0x7ff23afd29f7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:16
#16 0x56366ae35b36 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#17 0x56366ae35b36 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
#18 0x7ff24a1ab0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
|
||
Updated•3 years ago
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210430153451-0db412525773.
The bug appears to have been introduced in the following build range:
Start: 9d6c4c937d91e599150a9f8c747271831f620631 (20210428134331)
End: 4b0e47de2e6bf6f1718ef00ad6b2b1965f2d5417 (20210428183540)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9d6c4c937d91e599150a9f8c747271831f620631&tochange=4b0e47de2e6bf6f1718ef00ad6b2b1965f2d5417
|
|
Assignee | |
Comment 2•3 years ago
|
||
To be fair I think it's an existing bug and just found by converting NS_WARNING to MOZ_ASSERT. Anyway let's mark it as a regression.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 4•3 years ago
|
||
The previous assumption was that mType would be updated before AfterSetAttr(), but that assumption is invalidated by bug 1347640. This patch moves the radio group addition part to the position after HandleTypeChange() is called.
Pushed by krosylight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0801f8d2da14 Add to radio group after handling type change r=edgar
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/28786 for changes under testing/web-platform/tests
|
|
||
Comment 7•3 years ago
|
||
Set release status flags based on info from the regressing bug 1707126
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210503153234-cdcfe2f59d26.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
Description
•