Closed Bug 1785933 Opened 2 years ago Closed 2 years ago

Assertion failure: !mMutationGuard.Mutated(0), at /builds/worker/checkouts/gecko/dom/base/ChildIterator.h:103

Categories

(Core :: CSS Parsing and Computation, defect, P2)

Tracking

RESOLVED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- disabled
firefox106 --- fixed

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20220817-ea4e821c2084 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !mMutationGuard.Mutated(0), at /builds/worker/checkouts/gecko/dom/base/ChildIterator.h:103

#0 0x7fb0253184d8 in ~AllChildrenIterator /builds/worker/checkouts/gecko/dom/base/ChildIterator.h:103:28
#1 0x7fb0253184d8 in mozilla::dom::StyleChildrenIterator::~StyleChildrenIterator() /builds/worker/checkouts/gecko/dom/base/ChildIterator.h:193:3
#2 0x7fb0288b7656 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2895:3
#3 0x7fb0288b75bb in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2888:32
#4 0x7fb0288b9160 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3101:28
#5 0x7fb028892240 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3215:3
#6 0x7fb028891995 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4372:39
#7 0x7fb0250eb900 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1463:5
#8 0x7fb0250eb900 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10718:16
#9 0x7fb025236a64 in mozilla::dom::Selection::ScrollIntoView(short, mozilla::ScrollAxis, mozilla::ScrollAxis, int) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3038:31
#10 0x7fb02523bc08 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2971:14
#11 0x7fb028856083 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2452:13
#12 0x7fb02885f890 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#13 0x7fb02885f890 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#14 0x7fb02885f793 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#15 0x7fb02885f460 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896:5
#16 0x7fb02885eaca in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:810:5
#17 0x7fb02885e4b5 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:731:5
#18 0x7fb02885e0ea in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#19 0x7fb02885dcfc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#20 0x7fb027d3905b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#21 0x7fb027fc2366 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#22 0x7fb02435afe4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6326:32
#23 0x7fb0242ef531 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1755:25
#24 0x7fb0242ec085 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1680:9
#25 0x7fb0242ecc26 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480:3
#26 0x7fb0242edfb1 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1578:14
#27 0x7fb023728c0e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#28 0x7fb0237012b9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#29 0x7fb0236ffe43 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#30 0x7fb0237000b3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#31 0x7fb02372c4d9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:37
#32 0x7fb02372c4d9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#33 0x7fb023715d7f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#34 0x7fb02371c38d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#35 0x7fb0242f4f64 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#36 0x7fb02421a697 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#37 0x7fb02421a5a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#38 0x7fb02421a5a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#39 0x7fb02851e168 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#40 0x7fb02a63f8bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:893:20
#41 0x7fb0242f5eaa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#42 0x7fb02421a697 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#43 0x7fb02421a5a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#44 0x7fb02421a5a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#45 0x7fb02a63edd3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:752:34
#46 0x556a36d64429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x556a36d64429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#48 0x7fb039f60082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#49 0x556a36d3a1cc in _start (/home/worker/builds/m-c-20220817154028-fuzzing-debug/firefox-bin+0x161cc) (BuildId: bf8d521f9ce301b5eeb63c84843814d8c997545b)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/PtUgqmnDk6AqgG45t_oRYQ/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220818232425-6502583dede7.
The bug appears to have been introduced in the following build range:

Start: b7a953f0120a2a65b3c573d0d7b01c2a6908c132 (20220817124145)
End: ea4e821c2084b1c9e9298534c201261f8bdcba2d (20220817154028)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b7a953f0120a2a65b3c573d0d7b01c2a6908c132&tochange=ea4e821c2084b1c9e9298534c201261f8bdcba2d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Unable to reproduce bug 1785933 using build mozilla-central 20220817154028-ea4e821c2084. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Flags: needinfo?(emilio)
Attached file Stack of the mutation.
Flags: needinfo?(emilio)
Flags: needinfo?(sefeng)
Regressed by: 1595491

Set release status flags based on info from the regressing bug 1595491

Severity: -- → S3
Priority: -- → P2
Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)

Is there a user-facing impact from this bug?

Flags: needinfo?(sefeng)

Not 100% sure of the meaning of user-facing impact. I am not sure what will happen when we mutate the DOM while creating frames; I guess some inconsistent frames? However, I don't think this is a huge issue.

Flags: needinfo?(sefeng)

Basically, is this likely to cause noticeable problems for users? Trying to assess whether this is something I need to have on the radar for 105 or if riding 106 is enough.

It's not likely to affect users, if only because browser.opaqueResponseBlocking.syntheticBrowsingContext is pref'd off on non-nightly.

Attachment #9293353 - Attachment description: Bug 1785933 - Use ScriptRunner to do property update in nsSubDocumentFrame::MaybeUpdateRemoteStyle r=emilio → Bug 1785933 - Use ScriptRunner to do property update in ImageDocument::UpdateRemoteStyle r=emilio
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/27fd683ea816
Use ScriptRunner to do property update in ImageDocument::UpdateRemoteStyle r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch