1810264 - Assertion failure: !listElem->isInList(), at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:333

Status: NEW

(Core :: DOM: Animation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230101-492f77863dcc (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !listElem->isInList(), at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:333

#0 0x7f9a7b506a45 in mozilla::LinkedListElement<mozilla::dom::Animation>::setPreviousUnsafe(mozilla::dom::Animation*) /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:333:5
#1 0x7f9a7b4b425d in insertBack /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:482:45
#2 0x7f9a7b4b425d in mozilla::dom::AnimationTimeline::NotifyAnimationUpdated(mozilla::dom::Animation&) /builds/worker/checkouts/gecko/dom/animation/AnimationTimeline.cpp:78:23
#3 0x7f9a7b4bcbf2 in mozilla::dom::DocumentTimeline::NotifyAnimationUpdated(mozilla::dom::Animation&) /builds/worker/checkouts/gecko/dom/animation/DocumentTimeline.cpp:157:22
#4 0x7f9a7b4a6453 in mozilla::dom::Animation::Tick() /builds/worker/checkouts/gecko/dom/animation/Animation.cpp:954:3
#5 0x7f9a7b4ba034 in mozilla::dom::CSSTransition::Tick() /builds/worker/checkouts/gecko/dom/animation/CSSTransition.cpp:193:14
#6 0x7f9a7b4b3be1 in mozilla::dom::AnimationTimeline::Tick() /builds/worker/checkouts/gecko/dom/animation/AnimationTimeline.cpp:58:16
#7 0x7f9a7b4bce41 in mozilla::dom::DocumentTimeline::MostRecentRefreshTimeUpdated() /builds/worker/checkouts/gecko/dom/animation/DocumentTimeline.cpp:178:17
#8 0x7f9a81629be5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:12
#9 0x7f9a81638296 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#10 0x7f9a81638296 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
#11 0x7f9a81637ffe in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#12 0x7f9a81637d85 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
#13 0x7f9a8163701f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
#14 0x7f9a81636271 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
#15 0x7f9a81635a8b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#16 0x7f9a81635628 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
#17 0x7f9a8020d1ec in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#18 0x7f9a8067a1bf in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#19 0x7f9a8049e9e6 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8716:32
#20 0x7f9a79e369b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#21 0x7f9a79e33b0d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#22 0x7f9a79e346de in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#23 0x7f9a79e3590e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#24 0x7f9a7869a259 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#25 0x7f9a78691077 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#26 0x7f9a7868e2f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#27 0x7f9a7868ea20 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#28 0x7f9a786a0361 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#29 0x7f9a786a0361 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#30 0x7f9a786c34c4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#31 0x7f9a786cd8b4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:473:10
#32 0x7f9a79e3e5be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#33 0x7f9a79cbdaf7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#34 0x7f9a79cbdaf7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#35 0x7f9a79cbdaf7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#36 0x7f9a8102e899 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#37 0x7f9a85fb4908 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#38 0x7f9a79cbdaf7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#39 0x7f9a79cbdaf7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#40 0x7f9a79cbdaf7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#41 0x7f9a85fb409f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#42 0x55e0f910c4d4 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#43 0x55e0f910c997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#44 0x7f9a9aba8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#45 0x7f9a9aba8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#46 0x55e0f904af58 in _start (/home/user/workspace/browsers/m-c-20230113213947-fuzzing-asan-opt/firefox+0x111f58) (BuildId: 4c3b45179460421de0ad9bd64e2f6c39b4437d9d)

Comment 1

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1810264 using build mozilla-central 20230101212612-492f77863dcc. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 2

[Tyson Smith [:tsmith]]

I am able to reproduce. I'm not sure what is blocking bugmon.

A Pernosco session is available here: https://pernos.co/debug/Ut0UJ3UYA7E7jjwf-0hYXA/index.html

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:boris, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 4

[Boris Chiou [:boris]]

After enabling dom.security.setHTML.enabled, I still can not reproduce this, for now. Perhaps we need to enable other preferences.

Comment 5

[Tyson Smith [:tsmith]]

Attachment: prefs.js

(In reply to Boris Chiou [:boris] from comment #4)

After enabling dom.security.setHTML.enabled, I still can not reproduce this, for now. Perhaps we need to enable other preferences.

Here is the prefs.js file the fuzzers are currently using.