Closed Bug 1789475 Opened 2 years ago Closed 2 years ago

Assertion failure: !UpdateResponsiveSource() (The image source should be the same because we update the responsive source synchronously), at /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:889

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- verified

People

(Reporter: tsmith, Assigned: boris)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

testcase.html
212 bytes, text/html
Details
Bug 1789475 - Run image source selection algorithm synchronously during adopting steps.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html (obsolete) —

Found while fuzzing m-c 20220904-93ba1d57fd33 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !UpdateResponsiveSource() (The image source should be the same because we update the responsive source synchronously), at /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:889

#0 0x7effb5bdac43 in mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool, bool) /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:887:3
#1 0x7effb5c017a9 in mozilla::dom::ImageLoadTask::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/dom/html/HTMLImageElement.cpp:99:17
#2 0x7effb22a73d8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
#3 0x7effb5a0c3ee in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
#4 0x7effb5a0c3ee in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:397:13
#5 0x7effb5a0c3ee in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1318:3
#6 0x7effb5a0d037 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#7 0x7effb5a01f74 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#8 0x7effb5a01f74 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#9 0x7effb5a014c2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#10 0x7effb5a03d61 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#11 0x7effb5a067d6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#12 0x7effb401a94d in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1366:17
#13 0x7effb5a13a02 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13
#14 0x7effb59c2d6b in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
#15 0x7effb3b5e012 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5942:13
#16 0x7effb3b5e24e in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5948:3
#17 0x7effb59c32e9 in mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:99:3
#18 0x7effb7a805b8 in nsPrintJob::FirePrintPreviewUpdateEvent() /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:983:11
#19 0x7effb7a7db27 in nsPrintJob::InitPrintDocConstruction(bool) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:1009:5
#20 0x7effb7a7ca6b in nsPrintJob::DoCommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:456:3
#21 0x7effb7a7de24 in CommonPrint /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:343:17
#22 0x7effb7a7de24 in nsPrintJob::PrintPreview(mozilla::dom::Document&, nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /builds/worker/checkouts/gecko/layout/printing/nsPrintJob.cpp:477:17
#23 0x7effb768b53c in nsDocumentViewer::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2978:27
#24 0x7effb3c34777 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5278:33
#25 0x7effb3bea5ea in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3897:3
#26 0x7effb4e8d422 in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3236:59
#27 0x7effb5487ad0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#28 0x7effbaa4648c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#29 0x7effbaa45db1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:546:12
#30 0x7effbaa3d218 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:618:10
#31 0x7effbaa3d218 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3374:16
#32 0x7effbaa342bd in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:430:13
#33 0x7effbaa45cad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:578:13
#34 0x7effbaa471ec in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8
#35 0x7effb96c385c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#36 0x7effb5236bb0 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
#37 0x7effb3f30e92 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#38 0x7effb3f30c34 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29
#39 0x7effb3bfbfb2 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6471:38
#40 0x7effb3f42f2a in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:903:44
#41 0x7effb3f2e790 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
#42 0x7effb3f2ec33 in mozilla::dom::TimeoutExecutor::Run() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:234:5
#43 0x7effb23dabef in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:309:22
#44 0x7effb23dd68e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#45 0x7effb23b5d39 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#46 0x7effb23b49e9 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:725:15
#47 0x7effb23b4b33 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#48 0x7effb23e0ee6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#49 0x7effb23e0ee6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#50 0x7effb23ca7ff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#51 0x7effb23d0e0d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#52 0x7effb2fabfd6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#53 0x7effb2ed19b7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#54 0x7effb2ed18c2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#55 0x7effb2ed18c2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#56 0x7effb729a308 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#57 0x7effb93fe64b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#58 0x7effb2faceca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#59 0x7effb2ed19b7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#60 0x7effb2ed18c2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#61 0x7effb2ed18c2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#62 0x7effb93fdb63 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#63 0x5643ce308429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x5643ce308429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#65 0x7effc8d7d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#66 0x5643ce2de1cc in _start (/home/worker/builds/m-c-20220904213226-fuzzing-debug/firefox-bin+0x161cc) (BuildId: aac6d7f15f114084e2805da55f40c8d54957a22c)
Flags: in-testsuite?

Hey Boris here is another possible regression from bug 1694741.

Flags: needinfo?(boris.chiou)

Thanks. Checking this now.

Assignee: nobody → boris.chiou
Flags: needinfo?(boris.chiou)

Well, I cannot reproduce this on mac now. Put this in my backlog anyway.

Severity: -- → S3
Attached file testcase.html

This test case does not rely on printing and it seems more reliable.

Attachment #9293337 - Attachment is obsolete: true

A Pernosco session is available here: https://pernos.co/debug/peckccsVyOfeNBu8PbJOLw/index.html

Thanks! This testcase works on my mac.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220907093209-663615ef7a19.
The bug appears to have been introduced in the following build range:

Start: 7883889e89742527a40a497ac0458aeca76f8328 (20220822204143)
End: 9dde56bd809b650233532874d876ce4e4e9b75fc (20220822212451)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7883889e89742527a40a497ac0458aeca76f8328&tochange=9dde56bd809b650233532874d876ce4e4e9b75fc

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1694741

Set release status flags based on info from the regressing bug 1694741

status-firefox104: --- → unaffected
status-firefox105: --- → unaffected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected

I suspect we don't react to DOM mutations of image elements for the case, "The element's adopting steps are run.", per https://html.spec.whatwg.org/multipage/images.html#reacting-to-dom-mutations.

For this case, we relied on the asynchronous updating of image responsive source (but we don't call UpdateSourceAndQueueImageLoadTask() in this API. This was done by other image load task queued by the previous DOM mutation, e.g. set srcset attribute, because the microtask was performed after we finish adoptNode). In other words, we have to add the synchronous update of image source when using doucment.adoptNode(HTMLImageElement).

Document.adoptNode() transfers a node from another document into this
method's document. Per spec, we have to react to the DOM mutations when
the elements adopting steps are run. So we have to update the image
responsive source to reflect the change of the environment.

So for adopt, we update the source synchronously, and queue the image
load task if needed.

Also, dropping SetLazyLoading() from HTMLImageElement::NodeInfoChanged()
because it doesn't do anything with false |mLazyLoading|.

Attachment #9293847 - Attachment description: Bug 1789475 - Run image source selection algorithm synchronously when the img element's adopting steps are run. → Bug 1789475 - Run image source selection algorithm synchronously during adopting steps.
Pushed by bchiou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f740e2888c85
Run image source selection algorithm synchronously during adopting steps. r=emilio

https://hg.mozilla.org/mozilla-central/rev/f740e2888c85

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox106: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220910214526-1b23cc32e5b8.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox106: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: