Closed Bug 1772968 Opened 2 years ago Closed 2 years ago

Assertion failure: slowNode == node (These should always be in sync!), at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:518

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox101 --- unaffected
firefox102 --- unaffected
firefox103 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(5 files)

Attached file testcase.html

Found while fuzzing m-c 20220531-e6db23e10c7b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Assertion failure: slowNode == node (These should always be in sync!), at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:518

#0 0x7fa3cbfebe64 in nsINode::SubtreeRoot() const src/dom/base/nsINode.cpp:518:5
#1 0x7fa3cbdbd47e in Retarget src/dom/base/DocumentOrShadowRoot.cpp:279:14
#2 0x7fa3cbdbd47e in mozilla::dom::DocumentOrShadowRoot::GetFullscreenElement() const src/dom/base/DocumentOrShadowRoot.cpp:320:28
#3 0x7fa3cf52bdcf in nsPresContext::UpdateViewportScrollStylesOverride() src/layout/base/nsPresContext.cpp:1363:46
#4 0x7fa3cbda3fd3 in UpdateViewportScrollbarOverrideForFullscreen src/dom/base/Document.cpp:14543:18
#5 0x7fa3cbda3fd3 in mozilla::dom::Document::PopFullscreenElement() src/dom/base/Document.cpp:14587:3
#6 0x7fa3cbd9133e in mozilla::dom::Document::CleanupFullscreenState() src/dom/base/Document.cpp:14556:10
#7 0x7fa3cbda3a83 in mozilla::dom::ResetFullscreen(mozilla::dom::Document&) src/dom/base/Document.cpp:14328:15
#8 0x7fa3cbd9105c in mozilla::dom::Document::ExitFullscreenInDocTree(mozilla::dom::Document*) src/dom/base/Document.cpp:14402:3
#9 0x7fa3cbdcd13c in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1910:5
#10 0x7fa3cdb3ff3b in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:501:20
#11 0x7fa3cbdcda19 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:2033:12
#12 0x7fa3cdb3ff3b in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:501:20
#13 0x7fa3cdaffca8 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) src/dom/html/HTMLSharedElement.cpp:249:25
#14 0x7fa3cbd4a996 in mozilla::dom::Document::DisconnectNodeTree() src/dom/base/Document.cpp:2875:16
#15 0x7fa3cbd81c02 in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) src/dom/base/Document.cpp:9725:5
#16 0x7fa3cbd835db in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) src/dom/base/Document.cpp:9959:5
#17 0x7fa3cbd82f06 in mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) src/dom/base/Document.cpp:9863:5
#18 0x7fa3cd010978 in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3750:24
#19 0x7fa3cd3875cc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3271:13
#20 0x7fa3d2820990 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#21 0x7fa3d282019a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#22 0x7fa3d2817576 in CallFromStack src/js/src/vm/Interpreter.cpp:578:10
#23 0x7fa3d2817576 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3314:16
#24 0x7fa3d280e812 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
#25 0x7fa3d2820096 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
#26 0x7fa3d28216c8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#27 0x7fa3d173f7a6 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/SelfHosting.cpp:1605:10
#28 0x7fa3d14be761 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:152:8
#29 0x7fa3d16a7642 in AsyncFunctionPromiseReactionJob src/js/src/builtin/Promise.cpp:2113:12
#30 0x7fa3d16a7642 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2176:12
#31 0x7fa3d2820990 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#32 0x7fa3d282019a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#33 0x7fa3d28216c8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#34 0x7fa3d14e5651 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#35 0x7fa3cc662b7d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
#36 0x7fa3ca2e8935 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
#37 0x7fa3ca2e7bc3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
#38 0x7fa3ca2e7bc3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:213:18
#39 0x7fa3ca2d5988 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:674:17
#40 0x7fa3ca2d67fc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) src/xpcom/base/CycleCollectedJSContext.cpp:463:3
#41 0x7fa3cb159b95 in XPCJSContext::AfterProcessTask(unsigned int) src/js/xpconnect/src/XPCJSContext.cpp:1481:28
#42 0x7fa3ca3f90ac in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1217:24
#43 0x7fa3ca3ff2ed in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#44 0x7fa3cafc0b86 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#45 0x7fa3caee8ea7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#46 0x7fa3caee8db2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#47 0x7fa3caee8db2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#48 0x7fa3cf11cde8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#49 0x7fa3d125fb9b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#50 0x7fa3cafc1a7a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#51 0x7fa3caee8ea7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#52 0x7fa3caee8db2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#53 0x7fa3caee8db2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#54 0x7fa3d125f1bc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#55 0x55562c846e90 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x55562c846e90 in main src/browser/app/nsBrowserApp.cpp:338:18
#57 0x7fa3e0963082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#58 0x55562c81cc3c in _start (/home/worker/builds/m-c-20220531040928-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: 17fbecb0bf2714cd2e28449a1b07f242b9b9b67b)
Flags: in-testsuite?

Bug 1771151 touched some code near the top of the stack, and looks like it landed recently. Maybe that's related.

A Pernosco session is available here: https://pernos.co/debug/ZyiyaxH7Nf9cTRZwiQg2lg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220607042349-f3aca6a6c4a4.
The bug appears to have been introduced in the following build range:

Start: 87e39a7da999bfa064f7acfcd4fa01f50f962d37 (20220530140717)
End: e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99 (20220530133109)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=87e39a7da999bfa064f7acfcd4fa01f50f962d37&tochange=e1ebb4a9b8fa3f7d51755f7b65956f8e381b4d99

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(emilio)

Okay so the good thing is that this is not security sensitive. Can someone clear the relevant flag? I don't have the right permission.

Assignee: nobody → emilio
Flags: needinfo?(emilio)

Casing should be consistent with GetFullscreenElement.

This is mostly an optimization since html/body can't have shadow roots
and we only care about comparing the fullscreen element against those,
but it also avoids the problematic codepath.

The issue is that we call UpdateViewportScrollStylesOverride() in the
middle of UnbindFromTree when the DOM state isn't quite stable.

Before my patch, we only did that once the top layer stack is empty, but
now we do it once for each element we pop, which means that we might hit
this codepath with a fullscreen element mid-unbind.

The following patch fixes it but this seemed worth doing anyways.

Depends on D148490

This also guarantees that we don't call it with fullscreen elements that
might be mid-unbind.

Depends on D148491
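As an added illustration, not code from Gecko or from the patches above, the following toy model shows what the assertion in the title is checking and why the ordering described in the commit messages matters. Each node keeps a cached subtree root (nsINode keeps a similar cache; that it is compared against a parent-chain walk in debug builds is taken from the assertion text, the rest of the model is an assumption). Detaching a node cuts the parent link before the cache is refreshed, so work that runs per popped element from inside the unbind sees the inconsistent window, while work that runs once after cleanup sees a consistent tree. All names (Node, Tree, Unbind, CheckPerElement, CheckOnceAfterCleanup) are invented for the example.

```cpp
// Added example, not Gecko code: a minimal DOM-like tree with a cached
// subtree root and the slow recomputation a debug assertion compares it to.
#include <algorithm>
#include <cstdio>
#include <vector>

struct Node {
    Node* parent = nullptr;
    Node* cachedSubtreeRoot;           // fast path (assumed to mirror nsINode's cache)
    std::vector<Node*> children;
    Node() : cachedSubtreeRoot(this) {}
};

// Slow path: walk the parent chain. This is the "slowNode" side of the check.
Node* SlowSubtreeRoot(Node* n) {
    while (n->parent) n = n->parent;
    return n;
}

// The invariant the assertion enforces: cache and slow walk agree.
bool SubtreeRootInSync(Node* n) {
    return SlowSubtreeRoot(n) == n->cachedSubtreeRoot;
}

// Point every node in n's subtree at `root`.
void SetCachedRoot(Node* n, Node* root) {
    n->cachedSubtreeRoot = root;
    for (Node* c : n->children) SetCachedRoot(c, root);
}

void Append(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
    SetCachedRoot(child, parent->cachedSubtreeRoot);
}

// Detach n from its parent. The parent link is cut before the cached roots of
// the detached subtree are refreshed, so `hook` (standing in for per-element
// work such as a viewport scrollbar update) runs while the two disagree.
template <typename Hook>
bool Unbind(Node* n, Hook hook) {
    auto& siblings = n->parent->children;
    siblings.erase(std::find(siblings.begin(), siblings.end(), n));
    n->parent = nullptr;
    bool observed = hook(n);        // mid-unbind, DOM state not yet stable
    SetCachedRoot(n, n);            // cache consistent again from here on
    return observed;
}

// Pattern behind the regression: check once per popped element, from inside
// the unbind. Returns true only if every observation was in sync.
bool CheckPerElement(std::vector<Node*> stack) {
    bool allInSync = true;
    while (!stack.empty()) {
        Node* top = stack.back();
        stack.pop_back();
        bool ok = Unbind(top, [](Node* n) { return SubtreeRootInSync(n); });
        allInSync = allInSync && ok;
    }
    return allInSync;
}

// Pattern behind the fix: pop everything first, then check once at the end.
bool CheckOnceAfterCleanup(std::vector<Node*> stack) {
    std::vector<Node*> popped;
    while (!stack.empty()) {
        Node* top = stack.back();
        stack.pop_back();
        Unbind(top, [](Node*) { return true; });   // no per-element work
        popped.push_back(top);
    }
    bool allInSync = true;
    for (Node* n : popped) allInSync = allInSync && SubtreeRootInSync(n);
    return allInSync;
}

// Constructed tree root -> a -> b; {a, b} plays the role of a top layer stack.
struct Tree {
    Node root, a, b;
    Tree() { Append(&root, &a); Append(&a, &b); }
    std::vector<Node*> TopLayer() { return {&a, &b}; }
};

int main() {
    Tree perElement, onceAfter;
    std::printf("per-element check in sync: %d\n", CheckPerElement(perElement.TopLayer()));
    std::printf("once-after-cleanup in sync: %d\n", CheckOnceAfterCleanup(onceAfter.TopLayer()));
    return 0;
}
```

The per-element variant reports an out-of-sync root for every popped node, which is the condition the real assertion fires on; the once-after-cleanup variant never observes the intermediate state, which is the ordering the third patch in this bug moves to.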

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Unhiding per comment 4.

Group: dom-core-security
Flags: needinfo?(emilio)
Regressed by: 1771151

Set release status flags based on info from the regressing bug 1771151

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/536bbebf3107 Cleanup naming of GetUnretargetedFullscreenElement. r=edgar
https://hg.mozilla.org/integration/autoland/rev/e29b66f257af nsPresContext::UpdateViewportScrollStylesOverride shouldn't look at retargeted elements. r=edgar
https://hg.mozilla.org/integration/autoland/rev/d38f4a68a7bb Update viewport scrollbar overrides just once from CleanupFullscreenState(). r=edgar
https://hg.mozilla.org/integration/autoland/rev/6159cdf849e3 Clean up a bit more GetUnretargetedFullscreenElement usage. r=edgar
Has Regression Range: --- → yes

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220608214824-0cf5c85ddd84.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Set release status flags based on info from the regressing bug 1771151
