Open Bug 1780802 Opened 2 years ago Updated 3 months ago

Assertion failure: leaf == newLeaf || (aState == ElementState::ACTIVE && !leaf && !CanContentHaveActiveState(*newLeaf)), at /dom/events/EventStateManager.cpp:5791

Categories

(Core :: DOM: Events, defect, P3)

x86_64
Linux
defect

Tracking

Tracking Status
firefox123 --- wontfix
firefox132 --- affected

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev be11d2aa123a (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build be11d2aa123a --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: leaf == newLeaf || (aState == ElementState::ACTIVE && !leaf && !CanContentHaveActiveState(*newLeaf)), at /dom/events/EventStateManager.cpp:5791

    ==1706876==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb023691108 bp 0x7fff45d50220 sp 0x7fff45d501e0 T1706876)
    ==1706876==The signal is caused by a WRITE memory access.
    ==1706876==Hint: address points to the zero page.
        #0 0x7fb023691108 in mozilla::EventStateManager::RemoveNodeFromChainIfNeeded(mozilla::dom::ElementState, nsIContent*, bool) /dom/events/EventStateManager.cpp:5790:3
        #1 0x7fb023691436 in mozilla::EventStateManager::ContentRemoved(mozilla::dom::Document*, nsIContent*) /dom/events/EventStateManager.cpp:5845:3
        #2 0x7fb0252a0fbf in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /layout/base/PresShell.cpp:4546:38
        #3 0x7fb021c45af7 in operator() /dom/base/MutationObservers.cpp:196:3
        #4 0x7fb021c45af7 in Notify<IsRemoval::Yes, ShouldAssert::Yes, (lambda at /dom/base/MutationObservers.cpp:196:3), (lambda at /dom/base/MutationObservers.cpp:196:3)> /dom/base/MutationObservers.cpp:91:5
        #5 0x7fb021c45af7 in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /dom/base/MutationObservers.cpp:197:3
        #6 0x7fb021b19ecc in mozilla::dom::Document::DisconnectNodeTree() /dom/base/Document.cpp:2878:7
        #7 0x7fb021b50c92 in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) /dom/base/Document.cpp:9726:5
        #8 0x7fb021b5266b in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /dom/base/Document.cpp:9960:5
        #9 0x7fb021b51f96 in mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /dom/base/Document.cpp:9864:5
        #10 0x7fb022deaa18 in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3728:24
        #11 0x7fb02316524c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3285:13
        #12 0x7fb028673ad0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #13 0x7fb02867333a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #14 0x7fb02866a82c in CallFromStack /js/src/vm/Interpreter.cpp:575:10
        #15 0x7fb02866a82c in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3313:16
        #16 0x7fb028661ba2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #17 0x7fb028673236 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:536:13
        #18 0x7fb0286747f8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #19 0x7fb02754e8e7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1572:10
        #20 0x7fb0272fe2f1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:153:8
        #21 0x7fb0274e7562 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2112:12
        #22 0x7fb0274e7562 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2175:12
        #23 0x7fb028673ad0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #24 0x7fb02867333a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #25 0x7fb0286747f8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #26 0x7fb0273291d1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #27 0x7fb02243a60d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #28 0x7fb020083515 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
        #29 0x7fb0200827a3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
        #30 0x7fb0200827a3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #31 0x7fb020070418 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #32 0x7fb02007128c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #33 0x7fb020f08a85 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1485:28
        #34 0x7fb02019321c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1242:24
        #35 0x7fb02019946d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #36 0x7fb020d68db6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #37 0x7fb020c8f267 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #38 0x7fb020c8f172 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #39 0x7fb020c8f172 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #40 0x7fb024f3bac8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #41 0x7fb0270682fb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #42 0x7fb020d69caa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #43 0x7fb020c8f267 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #44 0x7fb020c8f172 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #45 0x7fb020c8f172 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #46 0x7fb02706791c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #47 0x55e214b3b120 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #48 0x55e214b3b120 in main /browser/app/nsBrowserApp.cpp:338:18
        #49 0x7fb037a59082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #50 0x55e214b10ecc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ecc) (BuildId: 0647b35399483c22aafabff58bae1d6ebc486851)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/events/EventStateManager.cpp:5790:3 in mozilla::EventStateManager::RemoveNodeFromChainIfNeeded(mozilla::dom::ElementState, nsIContent*, bool)
    ==1706876==ABORTING

Bugmon Analysis
Bugmon was unable to identify a testcase that reproduces this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

testcase not attached?

Flags: needinfo?(jkratzer)
Attached file Testcase for comment 1
Flags: needinfo?(jkratzer)
Keywords: bugmon

Bugmon Analysis
Unable to reproduce bug 1780802 using build mozilla-central 20220722085933-be11d2aa123a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Hey Sean, would you like to take a look and figure out what's up here?

Flags: needinfo?(sefeng)

I can't reproduce it with latest m-c.

Jason, is it still reproducible? Looks like bugmon also had trouble reproducing it, mind fixing that?

Flags: needinfo?(sefeng) → needinfo?(jkratzer)

Hrmm. Not sure why Bugmon failed in automation. I can reproduce the testcase locally on Ubuntu 20.04 both with and without Bugmon. I'm running a bisection now.

:sefeng, are you unable to reproduce the issue using the STR in comment 0?

Flags: needinfo?(jkratzer)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220803155441-8751d33bcf88.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 4fc8a87590356bbef37b510d3b9f06663ee540b4 (20210804035633)
End: be11d2aa123af1bff9a001e28fdeec030a1642bb (20220722085933)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:hsinyi, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(htsai)

(In reply to Jason Kratzer [:jkratzer] from comment #8)

Hrmm. Not sure why Bugmon failed in automation. I can reproduce the testcase locally on Ubuntu 20.04 both with and without Bugmon. I'm running a bisection now.

:sefeng, are you unable to reproduce the issue using the STR in comment 0?

Adding NI to Sean.
FWIW, I am unable to reproduce using STR, either.

(In reply to Jason Kratzer [:jkratzer] from comment #9)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220803155441-8751d33bcf88.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 4fc8a87590356bbef37b510d3b9f06663ee540b4 (20210804035633)
End: be11d2aa123af1bff9a001e28fdeec030a1642bb (20220722085933)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Flags: needinfo?(htsai) → needinfo?(sefeng)

So I tried with 4fc8a87590356bbef37b510d3b9f06663ee540b4, but still didn't reproduce the crash.

I can't run the STR in comment 0 because I am having trouble building Firefox with ac_add_options --enable-fuzzing.

Jason, if you just build a local debug build of Firefox with 4fc8a87590356bbef37b510d3b9f06663ee540b4 and ./mach run testcase.html, does it crash for you? I am also on Linux, so I should have the same environment as you.

Thanks

(Keeping my NI)

Flags: needinfo?(sefeng) → needinfo?(jkratzer)
Flags: needinfo?(sefeng)

:sefeng, I can't build 4fc8a87590356bbef37b510d3b9f06663ee540b4 because of bootstrap failures. However, a few things to note. I can reproduce on a local build (tip) using ./mach run testcase.html. Also note that --enable-fuzzing is not required to reproduce this issue, only that it was used on the original build where this issue was discovered. For nearly all DOM related bugs filed by the fuzzing team, --enable-fuzzing is only needed if there is a call to FuzzingFunctions in JS.

Flags: needinfo?(jkratzer)

(Yeah, I also hit that and ended up building it with ac_add_options --disable-bootstrap). Thanks for explaining --enable-fuzzing!

So I managed to reproduce the crash only with python -m grizzly.replay. So this happens when we disconnect the HTML element from the document by doing document.write. I debugged it a bit and it seems that there was a synthetic mouse move event dispatched to the HTML element which made it gain the ElementState::Hover state, then newLeaf was null, so it crashed.

My instinct is the code path is legit so we should just tweak the assertion, however I am not sure. Here's a pernosco recording: https://pernos.co/debug/Y9Zz2-eTDZkN_SRjgn9xzQ/index.html. I think Emilio knows this assertion.

Emilio, might you take a look?

Flags: needinfo?(sefeng) → needinfo?(emilio)
See Also: → 1792061
Severity: -- → S3
Priority: -- → P3

This is low volume but consistently reported by the fuzzers. The test case is a bit flaky but does repro consistently with a few reloads.

Flags: in-testsuite?
Keywords: assertion

This has been detected by live site-testing.
