Assertion failure: slowNode == node (These should always be in sync!), at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:518
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
Flag | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox-esr102 | --- | unaffected
firefox101 | --- | unaffected
firefox102 | --- | unaffected
firefox103 | --- | verified
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(5 files)
Found while fuzzing m-c 20220531-e6db23e10c7b (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
Assertion failure: slowNode == node (These should always be in sync!), at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:518
#0 0x7fa3cbfebe64 in nsINode::SubtreeRoot() const src/dom/base/nsINode.cpp:518:5
#1 0x7fa3cbdbd47e in Retarget src/dom/base/DocumentOrShadowRoot.cpp:279:14
#2 0x7fa3cbdbd47e in mozilla::dom::DocumentOrShadowRoot::GetFullscreenElement() const src/dom/base/DocumentOrShadowRoot.cpp:320:28
#3 0x7fa3cf52bdcf in nsPresContext::UpdateViewportScrollStylesOverride() src/layout/base/nsPresContext.cpp:1363:46
#4 0x7fa3cbda3fd3 in UpdateViewportScrollbarOverrideForFullscreen src/dom/base/Document.cpp:14543:18
#5 0x7fa3cbda3fd3 in mozilla::dom::Document::PopFullscreenElement() src/dom/base/Document.cpp:14587:3
#6 0x7fa3cbd9133e in mozilla::dom::Document::CleanupFullscreenState() src/dom/base/Document.cpp:14556:10
#7 0x7fa3cbda3a83 in mozilla::dom::ResetFullscreen(mozilla::dom::Document&) src/dom/base/Document.cpp:14328:15
#8 0x7fa3cbd9105c in mozilla::dom::Document::ExitFullscreenInDocTree(mozilla::dom::Document*) src/dom/base/Document.cpp:14402:3
#9 0x7fa3cbdcd13c in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1910:5
#10 0x7fa3cdb3ff3b in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:501:20
#11 0x7fa3cbdcda19 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:2033:12
#12 0x7fa3cdb3ff3b in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:501:20
#13 0x7fa3cdaffca8 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) src/dom/html/HTMLSharedElement.cpp:249:25
#14 0x7fa3cbd4a996 in mozilla::dom::Document::DisconnectNodeTree() src/dom/base/Document.cpp:2875:16
#15 0x7fa3cbd81c02 in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) src/dom/base/Document.cpp:9725:5
#16 0x7fa3cbd835db in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) src/dom/base/Document.cpp:9959:5
#17 0x7fa3cbd82f06 in mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) src/dom/base/Document.cpp:9863:5
#18 0x7fa3cd010978 in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3750:24
#19 0x7fa3cd3875cc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3271:13
#20 0x7fa3d2820990 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#21 0x7fa3d282019a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#22 0x7fa3d2817576 in CallFromStack src/js/src/vm/Interpreter.cpp:578:10
#23 0x7fa3d2817576 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3314:16
#24 0x7fa3d280e812 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
#25 0x7fa3d2820096 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
#26 0x7fa3d28216c8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#27 0x7fa3d173f7a6 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/SelfHosting.cpp:1605:10
#28 0x7fa3d14be761 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:152:8
#29 0x7fa3d16a7642 in AsyncFunctionPromiseReactionJob src/js/src/builtin/Promise.cpp:2113:12
#30 0x7fa3d16a7642 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2176:12
#31 0x7fa3d2820990 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#32 0x7fa3d282019a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#33 0x7fa3d28216c8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#34 0x7fa3d14e5651 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#35 0x7fa3cc662b7d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
#36 0x7fa3ca2e8935 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
#37 0x7fa3ca2e7bc3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
#38 0x7fa3ca2e7bc3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:213:18
#39 0x7fa3ca2d5988 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:674:17
#40 0x7fa3ca2d67fc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) src/xpcom/base/CycleCollectedJSContext.cpp:463:3
#41 0x7fa3cb159b95 in XPCJSContext::AfterProcessTask(unsigned int) src/js/xpconnect/src/XPCJSContext.cpp:1481:28
#42 0x7fa3ca3f90ac in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1217:24
#43 0x7fa3ca3ff2ed in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#44 0x7fa3cafc0b86 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#45 0x7fa3caee8ea7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#46 0x7fa3caee8db2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#47 0x7fa3caee8db2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#48 0x7fa3cf11cde8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#49 0x7fa3d125fb9b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#50 0x7fa3cafc1a7a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#51 0x7fa3caee8ea7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#52 0x7fa3caee8db2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#53 0x7fa3caee8db2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#54 0x7fa3d125f1bc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#55 0x55562c846e90 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x55562c846e90 in main src/browser/app/nsBrowserApp.cpp:338:18
#57 0x7fa3e0963082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#58 0x55562c81cc3c in _start (/home/worker/builds/m-c-20220531040928-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: 17fbecb0bf2714cd2e28449a1b07f242b9b9b67b)
Comment 1•2 years ago
Bug 1771151 touched some code near the top of the stack, and looks like it landed recently. Maybe that's related.
Comment 2 (Reporter)•2 years ago
A Pernosco session is available here: https://pernos.co/debug/ZyiyaxH7Nf9cTRZwiQg2lg/index.html
Comment 3•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220607042349-f3aca6a6c4a4.
The bug appears to have been introduced in the following build range:
Start: 87e39a7da999bfa064f7acfcd4fa01f50f962d37 (20220530140717)
End: e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99 (20220530133109)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=87e39a7da999bfa064f7acfcd4fa01f50f962d37&tochange=e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99
Comment 4 (Assignee)•2 years ago
Okay so the good thing is that this is not security sensitive. Can someone clear the relevant flag? I don't have the right permission.
Comment 5 (Assignee)•2 years ago
Casing should be consistent with GetFullscreenElement.
Comment 6 (Assignee)•2 years ago
This is mostly an optimization since html/body can't have shadow roots
and we only care about comparing the fullscreen element against those,
but it also avoids the problematic codepath.
The issue is that we call UpdateViewportScrollStylesOverride() in the
middle of UnbindFromTree when the DOM state isn't quite stable.
Before my patch, we only did that once the top layer stack is empty, but
now we do it once for each element we pop, which means that we might hit
this codepath with a fullscreen element mid-unbind.
The following patch fixes it but this seemed worth doing anyways.
Depends on D148490
Comment 7 (Assignee)•2 years ago
This also guarantees that we don't call it with fullscreen elements that
might be mid-unbind.
Depends on D148491
Comment 8 (Assignee)•2 years ago
Comment 9•2 years ago
:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 11•2 years ago
Set release status flags based on info from the regressing bug 1771151
Comment 12•2 years ago
Comment 13•2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/536bbebf3107
https://hg.mozilla.org/mozilla-central/rev/e29b66f257af
https://hg.mozilla.org/mozilla-central/rev/d38f4a68a7bb
https://hg.mozilla.org/mozilla-central/rev/6159cdf849e3
Comment 14•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220608214824-0cf5c85ddd84.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 15•2 years ago
Set release status flags based on info from the regressing bug 1771151