1851730 - Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3311

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230830-01e6745f9ba2 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3311

#0 0x7f5af1f70f9d in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f5af1f70f9d in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3309:5
#2 0x7f5af1f708c9 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4459:37
#3 0x7f5ae9e9de14 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8268:3
#4 0x7f5ae9f3c5aa in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:362:10
#5 0x7f5aedf05fb5 in SetStates /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h
#6 0x7f5aedf05fb5 in mozilla::dom::HTMLTextAreaElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLTextAreaElement.cpp:1135:5
#7 0x7f5aedf36e15 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:191:12
#8 0x7f5aedf36e15 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2697:47
#9 0x7f5aedef6d9c in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:284:12
#10 0x7f5aedef6d9c in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2461:26
#11 0x7f5af25f0f60 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:138:25
#12 0x7f5af24b18ea in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:369:14
#13 0x7f5af21cd777 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:482:3
#14 0x7f5af220f86c in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6562:20
#15 0x7f5af220b7ce in DoRemoveFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.h:556:5
#16 0x7f5af220b7ce in nsBlockFrame::RemoveFrame(mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5861:5
#17 0x7f5af204dae2 in RemoveFrame /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:119:18
#18 0x7f5af204dae2 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7534:5
#19 0x7f5af204400b in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8524:7
#20 0x7f5af204f63b in ReframeContainingBlock /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp
#21 0x7f5af204f63b in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8261:5
#22 0x7f5af2043fb2 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8513:16
#23 0x7f5af1fb22a1 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1612:25
#24 0x7f5af1fbdef8 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3194:9
#25 0x7f5af1f6f904 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3279:3
#26 0x7f5af1f6d9f6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4351:39
#27 0x7f5ae9ec3374 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#28 0x7f5ae9ec3374 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10929:16
#29 0x7f5aed7284fb in InitBasic /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:348:16
#30 0x7f5aed7284fb in mozilla::ContentEventHandler::InitCommon(mozilla::EventMessage, mozilla::SelectionType, bool) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:421:17
#31 0x7f5aed728de4 in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:493:17
#32 0x7f5aed73566e in mozilla::ContentEventHandler::OnQuerySelectedText(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:1487:17
#33 0x7f5aed80b347 in mozilla::IMEContentObserver::UpdateSelectionCache(bool) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1353:11
#34 0x7f5aed810133 in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1888:7
#35 0x7f5aed80dd84 in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1752:7
#36 0x7f5ae605f20a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
#37 0x7f5ae6049828 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#38 0x7f5ae6046237 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#39 0x7f5ae6046b19 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#40 0x7f5ae6066cb1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#41 0x7f5ae6066cb1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#42 0x7f5ae6091483 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#43 0x7f5ae609f284 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#44 0x7f5ae7ca84be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#45 0x7f5ae7ad3a6a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#46 0x7f5ae7ad3a6a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7f5ae7ad3a6a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7f5af15986b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7f5af6fa249b in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#50 0x7f5af729c46f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5685:22
#51 0x7f5af729e624 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5886:8
#52 0x7f5af729f821 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5942:21
#53 0x56172763de03 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
#54 0x56172763de03 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
#55 0x7f5b0e029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#56 0x7f5b0e029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#57 0x5617275677f8 in _start (/home/user/workspace/browsers/m-c-20230905215534-fuzzing-asan-opt/firefox+0x1067f8) (BuildId: bc3e0b8be764ceedfdb30e5cad382b2df28a00a4)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230906035121-ff7e2e9adbc1.
The bug appears to have been introduced in the following build range:

Start: a9b52fdbc20f032b083bdecb106fcaf54b999f07 (20230515171352)
End: f62bd71b6825afd300936e2d3dff4ce7bacc0163 (20230515191908)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a9b52fdbc20f032b083bdecb106fcaf54b999f07&tochange=f62bd71b6825afd300936e2d3dff4ce7bacc0163

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 2

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Technically regressed by bug 1833181, though it highlights a deeper issue.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1833181

Comment 5

[Emilio Cobos Álvarez (:emilio)]

In here we store "" as the cached value, while setting "A" as the setting value. I have a fix for that I believe.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1851730 - Pass known value to PrepareEditor() when deferring preparation. r=masayuki

Comment 7

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/72ea7455c255
Pass known value to PrepareEditor() when deferring preparation. r=masayuki

Comment 8

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/72ea7455c255

Comment 9

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230913205335-69d5beb77da0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox118 to wontfix.

For more information, please visit BugBot documentation.

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42018 for changes under testing/web-platform/tests

Comment 12

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot