Closed Bug 1819239 Opened 1 year ago Closed 1 year ago

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181

Categories

(Core :: Layout, defect, P2)

defect

Tracking


VERIFIED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main112+r])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20230224-25a8668d9243 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

The test case seems like it might be dependent on the window size but I'm not sure how to improve it.

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181

#0 0x7f8bdf60f7cb in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181:3
#1 0x7f8bdba7e3a1 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#2 0x7f8bdba7e3a1 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10737:16
#3 0x7f8bdf511375 in nsEditingSession::SetupEditorOnWindow(nsPIDOMWindowOuter&) /builds/worker/checkouts/gecko/editor/composer/nsEditingSession.cpp:289:10
#4 0x7f8bdf510293 in nsEditingSession::MakeWindowEditable(mozIDOMWindowProxy*, char const*, bool, bool, bool) /builds/worker/checkouts/gecko/editor/composer/nsEditingSession.cpp:165:10
#5 0x7f8bdba50f93 in mozilla::dom::Document::EditingStateChanged() /builds/worker/checkouts/gecko/dom/base/Document.cpp:6087:25
#6 0x7f8bdba5a429 in mozilla::dom::Document::MaybeEditingStateChanged() /builds/worker/checkouts/gecko/dom/base/Document.cpp:5850:7
#7 0x7f8bdba69659 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7811:3
#8 0x7f8bdbac079d in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
#9 0x7f8bdbac079d in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2455:1
#10 0x7f8bdf5e5b33 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:975:12
#11 0x7f8bdf5e5b33 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:971:12
#12 0x7f8bdf5e5b33 in mozilla::AccessibleCaret::SetCaretElementStyle(nsRect const&, float) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:318:18
#13 0x7f8bdf5e57ba in mozilla::AccessibleCaret::SetPosition(nsIFrame*, int) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:280:3
#14 0x7f8bdf5e8bd9 in operator() /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:330:44
#15 0x7f8bdf5e8bd9 in mozilla::AccessibleCaretManager::UpdateCaretsForSelectionMode(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:349:7
#16 0x7f8bdf5eb789 in mozilla::AccessibleCaretManager::OnScrollPositionChanged() /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp
#17 0x7f8be0cb9339 in nsDocShell::NotifyScrollObservers() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:2430:12
#18 0x7f8be0cb94b6 in non-virtual thunk to nsDocShell::NotifyScrollObservers() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#19 0x7f8bdf793119 in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, mozilla::ScrollOrigin, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3497:15
#20 0x7f8bdf79350b in mozilla::ScrollFrameHelper::CompleteAsyncScroll(nsPoint const&, nsRect const&, mozilla::UniquePtr<mozilla::ScrollSnapTargetIds, mozilla::DefaultDelete<mozilla::ScrollSnapTargetIds>>, mozilla::ScrollOrigin) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2542:3
#21 0x7f8bdf78ee2e in mozilla::ScrollFrameHelper::ScrollToWithOrigin(nsPoint, nsRect const*, mozilla::ScrollFrameHelper::ScrollOperationParams&&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2702:5
#22 0x7f8bdf794338 in mozilla::ScrollFrameHelper::ScrollToCSSPixels(mozilla::gfx::IntPointTyped<mozilla::CSSPixel> const&, mozilla::ScrollMode) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2621:3
#23 0x7f8bdb8ac310 in ScrollTo /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:4072:9
#24 0x7f8bdb8ac310 in nsGlobalWindowInner::Scroll(double, double) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:4000:3
#25 0x7f8bdcbb9f3f in mozilla::dom::Window_Binding::scroll(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:5033:28
#26 0x7f8bdd1c106c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#27 0x7f8be172a026 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#28 0x7f8be172994f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#29 0x7f8be171b58f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#30 0x7f8be171b58f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
#31 0x7f8be170ec4e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#32 0x7f8be172984b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#33 0x7f8be172ad7c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#34 0x7f8be17e723c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#35 0x7f8bdce97703 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#36 0x7f8bdd7d4016 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#37 0x7f8bdd7d3d3c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1308:43
#38 0x7f8bdd7d49e9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#39 0x7f8bdd7c9826 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#40 0x7f8bdd7c9826 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#41 0x7f8bdd7c8d5b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#42 0x7f8bdd7cb515 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#43 0x7f8bdd7ce0f6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#44 0x7f8bdbcee42b in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1382:17
#45 0x7f8bdd7db452 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13
#46 0x7f8bdd78964b in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
#47 0x7f8bdb81d694 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6005:17
#48 0x7f8bdbcf7723 in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:36:7
#49 0x7f8bdbcf7723 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2840:1
#50 0x7f8bdf4a0df7 in InsertBefore /builds/worker/workspace/obj-build/dist/include/nsINode.h:2069:12
#51 0x7f8bdf4a0df7 in mozilla::InsertNodeTransaction::DoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/InsertNodeTransaction.cpp:131:14
#52 0x7f8bdf50cf79 in DoTransaction /builds/worker/checkouts/gecko/editor/txmgr/TransactionItem.cpp:80:30
#53 0x7f8bdf50cf79 in mozilla::TransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:422:34
#54 0x7f8bdf50cd98 in mozilla::TransactionManager::DoTransaction(nsITransaction*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:74:17
#55 0x7f8bdf344df8 in mozilla::EditorBase::DoTransactionInternal(nsITransaction*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:907:41
#56 0x7f8bdf3625f1 in mozilla::Result<mozilla::CreateNodeResultBase<nsIContent>, nsresult> mozilla::EditorBase::InsertNodeWithTransaction<nsIContent>(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:2026:17
#57 0x7f8bdf3c87be in mozilla::HTMLEditor::InsertContainerWithTransaction(nsIContent&, nsAtom const&, std::function<nsresult (mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&)> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4090:9
#58 0x7f8bdf479c90 in mozilla::HTMLEditor::AutoInlineStyleSetter::ApplyStyle(mozilla::HTMLEditor&, nsIContent&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:1261:19
#59 0x7f8bdf477931 in mozilla::HTMLEditor::AutoInlineStyleSetter::ApplyStyleToNodeOrChildrenAndRemoveNestedSameStyle(mozilla::HTMLEditor&, nsIContent&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:1439:9
#60 0x7f8bdf4d6f50 in nsresult mozilla::HTMLEditor::SetInlinePropertiesAroundRanges<1ul>(mozilla::AutoRangeArray&, AutoTArray<mozilla::EditorInlineStyleAndValue, 1ul> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:525:18
#61 0x7f8bdf4739cc in nsresult mozilla::HTMLEditor::SetInlinePropertiesAsSubAction<1ul>(AutoTArray<mozilla::EditorInlineStyleAndValue, 1ul> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:286:17
#62 0x7f8bdf471467 in mozilla::HTMLEditor::SetInlinePropertyAsAction(nsStaticAtom&, nsStaticAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:182:8
#63 0x7f8bdf412516 in mozilla::FontColorStateCommand::SetState(mozilla::HTMLEditor*, nsTSubstring<char16_t> const&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:713:30
#64 0x7f8bdf4117de in mozilla::MultiStateCommandBase::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:490:17
#65 0x7f8bdba571b9 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5484:27
#66 0x7f8bdce2dacf in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4125:36
#67 0x7f8bdd1bf742 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#68 0x7f8be172a026 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#69 0x7f8be172994f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#70 0x7f8be171b58f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#71 0x7f8be171b58f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
#72 0x7f8be170ec4e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#73 0x7f8be172984b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#74 0x7f8be172ad7c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#75 0x7f8be17e723c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#76 0x7f8bdce94c61 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#77 0x7f8bdd7f40f9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#78 0x7f8bdd7f32e6 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#79 0x7f8bdd7d3d7d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
#80 0x7f8bdd7d49e9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#81 0x7f8bdd7c9826 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#82 0x7f8bdd7c9826 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#83 0x7f8bdd7c8d5b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#84 0x7f8bdd7cb515 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#85 0x7f8bdf6858f4 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1082:7
#86 0x7f8be0cd4c70 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6478:20
#87 0x7f8be0cd421b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5871:7
#88 0x7f8be0cd5b16 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#89 0x7f8bdaed5da8 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#90 0x7f8bdaed5392 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#91 0x7f8bdaed3645 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#92 0x7f8bdaed4825 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#93 0x7f8be0d07b5e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13904:23
#94 0x7f8bda14e06f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#95 0x7f8bda14f593 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#96 0x7f8bdba83299 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11518:18
#97 0x7f8bdba4f5fb in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11456:9
#98 0x7f8bdba6a3ba in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7994:3
#99 0x7f8bdbb1ab68 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#100 0x7f8bdbb1ab68 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#101 0x7f8bdbb1ab68 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#102 0x7f8bd9f354d2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#103 0x7f8bd9f3fc05 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#104 0x7f8bd9f3ad58 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#105 0x7f8bd9f3992a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#106 0x7f8bd9f39c85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#107 0x7f8bd9f436b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#108 0x7f8bd9f436b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#109 0x7f8bd9f59777 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#110 0x7f8bd9f5fc2d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#111 0x7f8bdabae1a3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#112 0x7f8bdaacffb8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#113 0x7f8bdaacfec1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#114 0x7f8bdaacfec1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#115 0x7f8bdf25be68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#116 0x7f8be14df23b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#117 0x7f8bdabaf069 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#118 0x7f8bdaacffb8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#119 0x7f8bdaacfec1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#120 0x7f8bdaacfec1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#121 0x7f8be14ded98 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#122 0x557007db7d80 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#123 0x557007db7d80 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#124 0x7f8bed92ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#125 0x7f8bed92ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
#126 0x557007d8e3e8 in _start (/home/user/workspace/browsers/m-c-20230227092207-fuzzing-debug/firefox-bin+0x5b3e8) (BuildId: 35f67b512bd2b6ddfcb1f87c1e5ec05318defd2a)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230227214733-226423354980.
The bug appears to have been introduced in the following build range:

Start: 0c3dbe28af6a522bab01e6dee9d93e5307121dce (20221219225510)
End: 61991a0482c40fd469b4338f05297cdf25c0560a (20221220004641)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0c3dbe28af6a522bab01e6dee9d93e5307121dce&tochange=61991a0482c40fd469b4338f05297cdf25c0560a

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(aethanyc)

(Looks like AccessibleCaret issues are often in the Layout component)

Component: DOM: Editor → Layout
Group: dom-core-security → layout-core-security

Hi Masayuki,

Per the build range in comment 1, is it possible that this assertion is caused by Bug 1792386?

In the call stack at frame #13 (0x7f8bdf5e57ba in mozilla::AccessibleCaret::SetPosition()), there are guards to prevent layout flush calls in AccessibleCaretManager in https://searchfox.org/mozilla-central/rev/aa3ccd258b64abfd4c5ce56c1f512bc7f65b844c/layout/base/AccessibleCaretManager.cpp#745-752, but it looks like dom::Element::SetAttr can still trigger a layout flush in the editor via a callback. I wonder whether we can avoid that.

Flags: needinfo?(aethanyc) → needinfo?(masayuki)

Although I can't reproduce the assertion failure itself, I think that re-initialization of HTMLEditor should be added as a script runner.

Flags: needinfo?(masayuki)

Oh, wait, Document::MaybeEditingStateChanged() checks whether it's safe to run script and now PresShell::mForbiddenToFlush is not exposed. So, shouldn't AccessibleCaretManager::OnScrollPositionChanged put a script blocker?

Flags: needinfo?(aethanyc)
Severity: -- → S3
Priority: -- → P2

Not 100% sure it applies in this case, but allowing scripts to run when they weren't supposed to has led to a lot of sec-high bugs in the past so we'll start there.

Keywords: sec-high

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:dholbert, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dholbert)

I can reproduce this using python3 -m grizzly.replay path-to-firefox testcase.html --xvfb with my local debug firefox build. But I failed to reproduce this when loading the test directly, or running it as a crashtest (headless or not, with AccessibleCaret enabled).

Here's a pernosco trace I captured with the grizzly.replay. https://pernos.co/debug/Exko46IUEAOc5MQSId738A/index.html

Re comment 4:

Oh, wait, Document::MaybeEditingStateChanged() checks whether it's safe to run script and now PresShell::mForbiddenToFlush is not exposed. So, shouldn't AccessibleCaretManager::OnScrollPositionChanged put a script blocker?

Yes, I can try to add a script block to all the AccessibleCaretManager callback methods that disallow layout flush, but it won't be enough. In this testcase, ScrollFrameHelper::ScrollToImpl() higher up in the callstack places another PresShell::AutoAssertNoFlush. I think we might need a script block there, too.

Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
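The nesting described in comment 5, as an added model written for this page (not Gecko code): a save/restore no-flush guard like PresShell::AutoAssertNoFlush, a counted script blocker like nsAutoScriptBlocker with a deferred-runner queue, and a SetAttr whose end-of-update hook re-initializes the editor and flushes layout. The class bodies, Simulate() and Outcome are simplified stand-ins constructed here; only the names mirror the stack trace above.

```cpp
// Constructed model of the interaction in this bug; not Gecko code. The names
// mirror classes in the stack trace, the bodies are simplified stand-ins.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

namespace model {
// Stand-in for PresShell: flushing while mForbiddenToFlush is set is the
// "This is bad!" assertion from the report.
struct PresShell {
  bool mForbiddenToFlush = false;
  bool assertionFired = false;
  void FlushPendingNotifications() { if (mForbiddenToFlush) assertionFired = true; }
};

// Like PresShell::AutoAssertNoFlush: saves and restores the flag, so a nested
// guard leaves the outer one in force until the outer scope ends.
class AutoAssertNoFlush {
 public:
  explicit AutoAssertNoFlush(PresShell& aShell)
      : mShell(aShell), mOld(aShell.mForbiddenToFlush) { mShell.mForbiddenToFlush = true; }
  ~AutoAssertNoFlush() { mShell.mForbiddenToFlush = mOld; }
 private:
  PresShell& mShell;
  bool mOld;
};

// Stand-in for the script-blocker count and the script-runner queue.
struct ScriptRunners {
  int blockerDepth = 0;
  std::vector<std::function<void()>> pending;
  bool IsSafeToRunScript() const { return blockerDepth == 0; }
  void AddScriptRunner(std::function<void()> aFn) {
    if (IsSafeToRunScript()) { aFn(); return; }
    pending.push_back(std::move(aFn));  // deferred until the last blocker is gone
  }
};

// Like nsAutoScriptBlocker: queued runners execute when the outermost blocker
// is destroyed.
class AutoScriptBlocker {
 public:
  explicit AutoScriptBlocker(ScriptRunners& aRunners) : mRunners(aRunners) { ++mRunners.blockerDepth; }
  ~AutoScriptBlocker() {
    if (--mRunners.blockerDepth == 0) {
      auto queued = std::move(mRunners.pending);
      mRunners.pending.clear();
      for (auto& fn : queued) fn();
    }
  }
 private:
  ScriptRunners& mRunners;
};

struct Document {
  PresShell& shell;
  ScriptRunners& runners;
  bool editorInitialized = false;
  // nsEditingSession::SetupEditorOnWindow flushes layout (frame #3).
  void EditingStateChanged() { shell.FlushPendingNotifications(); editorInitialized = true; }
  // Document::MaybeEditingStateChanged: run now if script may run, otherwise
  // queue a script runner (comment 4).
  void MaybeEditingStateChanged() {
    if (runners.IsSafeToRunScript()) { EditingStateChanged(); return; }
    runners.AddScriptRunner([this] { EditingStateChanged(); });
  }
  // Element::SetAttr: ~mozAutoDocUpdate -> EndUpdate -> MaybeEditingStateChanged.
  void SetAttr() { MaybeEditingStateChanged(); }
};

struct Outcome { bool assertionFired; bool editorInitialized; };

// Replays the stack: ScrollToImpl (outer no-flush scope) -> AccessibleCaretManager
// callback (inner no-flush scope) -> SetCaretElementStyle -> Element::SetAttr.
inline Outcome Simulate(bool innerBlocker, bool outerBlocker) {
  PresShell shell;
  ScriptRunners runners;
  Document doc{shell, runners};
  {
    // A blocker is declared before its no-flush guard so it is destroyed after
    // it: deferred runners then drain once flushing is allowed again.
    std::unique_ptr<AutoScriptBlocker> outer;
    if (outerBlocker) outer.reset(new AutoScriptBlocker(runners));
    AutoAssertNoFlush outerNoFlush(shell);
    {
      std::unique_ptr<AutoScriptBlocker> inner;
      if (innerBlocker) inner.reset(new AutoScriptBlocker(runners));
      AutoAssertNoFlush innerNoFlush(shell);
      doc.SetAttr();
    }
  }
  return {shell.assertionFired, doc.editorInitialized};
}
}  // namespace model

int main() {  // exit status 0 when the fixed configuration holds
  model::Outcome r = model::Simulate(true, true);
  return r.assertionFired || !r.editorInitialized;
}
```

Simulate(true, false) shows why a blocker in the caret-manager callback alone is not enough: its deferred runner drains while the outer ScrollToImpl guard is still in force, so the flush still hits the assertion.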

Credit to Tyson Smith for providing this testcase that doesn't require Grizzly to be reproduced locally.

Depends on D171607

Severity: S3 → S2
Flags: needinfo?(dholbert)
Flags: needinfo?(aethanyc)

Comment on attachment 9321096 [details]
Bug 1819239 - Add script blocker to places where we assert no layout flush. r?dholbert,emilio

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There is no obvious hint to construct an exploit from the patch.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: Bug 1792386
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: The current patch should still apply without needing a separate backport patch.
  • How likely is this patch to cause regressions; how much testing does it need?: The patch adds script block to delay script running. Other than that, no functionality is changed. The current automated tests on CI should be sufficient.
  • Is Android affected?: Yes
Attachment #9321096 - Flags: sec-approval?
Attachment #9321097 - Flags: sec-approval?

Hi Masayuki,

I notice there are some warnings related to editors when loading the testcase. Not sure if they demonstrate a real issue, though. Ideally, I should file a new bug and attach the testcase. But due to the potential security sensitivity of the testcase, I just NI you here as a start. Please feel free to just cancel the NI if these warnings are OK.

[Child 64909, Main Thread] WARNING: '!mDoStack.IsEmpty()', file /home/aethanyc/Projects/gecko/editor/txmgr/TransactionManager.cpp:246
[Child 64909, Main Thread] WARNING: EditorBase::DisableUndoRedo() failed, but ignored: 'disabledUndoRedo', file /home/aethanyc/Projects/gecko/editor/libeditor/EditorBase.cpp:627
[Child 64909, Main Thread] WARNING: Editor was destroyed during an edit action being handled: file /home/aethanyc/Projects/gecko/obj-firefox/dist/include/mozilla/EditorBase.h:991
[Child 64909, Main Thread] WARNING: '!editActionData.CanHandle()', file /home/aethanyc/Projects/gecko/editor/libeditor/HTMLEditor.cpp:486
[Child 64909, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001 (NS_ERROR_NOT_INITIALIZED): file /home/aethanyc/Projects/gecko/dom/base/Document.cpp:6084
Flags: needinfo?(masayuki)

Yeah, it's okay because it means that HTMLEditor just fails to initialize due to the tricky case. Sorry for making you confused.

Flags: needinfo?(masayuki)

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:TYLin, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

Per https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html#filing-managing-bugs,

Avoid linking it to non-security bugs with Blocks, Depends, Regressions, or See Also ...

So I suppose we shouldn't set Regressed by field.

Flags: needinfo?(aethanyc)

It's OK to set nowadays. Users who can't see this bug won't be able to see the connection in bug 1792386 either. We should update the docs.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #16)

It's OK to set nowadays. Users who can't see this bug won't be able to see the connection in bug 1792386 either.

(This isn't exactly true, per some testing I just did with RyanVM just now. It does seem to be true when I'm logged out, but e.g. in another case, I can (from my logged-in BMO session) see a bug-relationship from a public bug to a sec bug that I don't have access to. But maybe that's because of some privilege bit that I have. In any case: assuming the involved privilege bits are the right ones for "do we trust you to know there's a relationship to a sec bug", then I think this is fine.)

(In reply to Daniel Holbert [:dholbert] from comment #17)

(This isn't exactly true, per some testing I just did with RyanVM just now. It does seem to be true when I'm logged out, but e.g. in another case, I can (from my logged-in BMO session) see a bug-relationship from a public bug to a sec bug that I don't have access to. But maybe that's because of some privilege bit that I have. In any case: assuming the involved privilege bits are the right ones for "do we trust you to know there's a relationship to a sec bug", then I think this is fine.)

FYI, ^ was due to bug 1692222. The restrictions were purposely relaxed to permit users with editbugs to see those dependencies. I'll defer to Dan on how we want to update the specific wording on the docs, but I will at least note that we've already been giving out guidance for a while now that it's OK to set dependencies to sec bugs.

Set release status flags based on info from the regressing bug 1792386

Comment on attachment 9321096 [details]
Bug 1819239 - Add script blocker to places where we assert no layout flush. r?dholbert,emilio

Approved to land and uplift. The test will land later in May though

Attachment #9321096 - Flags: sec-approval? → sec-approval+

Comment on attachment 9321097 [details]
Bug 1819239 - Add a crashtest. r?dholbert,emilio

The test can land 5/23

Attachment #9321097 - Flags: sec-approval?
Whiteboard: [bugmon:bisected,confirmed] → [reminder-test 2023-05-23][bugmon:bisected,confirmed]
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

The patch landed in nightly and beta is affected.
:TYLin, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

Verified bug as fixed on rev mozilla-central 20230316125715-ca5fed1e3908.

Status: RESOLVED → VERIFIED

Comment on attachment 9321096 [details]
Bug 1819239 - Add script blocker to places where we assert no layout flush. r?dholbert,emilio

Beta/Release Uplift Approval Request

  • User impact if declined: Arbitrary script can run on a designed testcase.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch adds script blockers to delay the script running until it's safe. No functionality is changed. Only affects devices with touch event support (i.e. when AccessibleCaret is enabled).
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(aethanyc)
Attachment #9321096 - Flags: approval-mozilla-beta?

Comment on attachment 9321096 [details]
Bug 1819239 - Add script blocker to places where we assert no layout flush. r?dholbert,emilio

Approved for 112.0b4

Attachment #9321096 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [reminder-test 2023-05-23][bugmon:bisected,confirmed] → [reminder-test 2023-05-23][bugmon:bisected,confirmed][adv-main112+r]

2 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-05-23].

TYLin, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(aethanyc)
Whiteboard: [reminder-test 2023-05-23][bugmon:bisected,confirmed][adv-main112+r] → [bugmon:bisected,confirmed][adv-main112+r]

Per comment 21, the reminder is to land the testcase on May 23. I've rebased https://phabricator.services.mozilla.com/D171608, and triggered the landing.

Flags: needinfo?(aethanyc)
Group: core-security-release
Keywords: bugmon