Open Bug 1873798 Opened 2 years ago Updated 10 months ago

Assertion failure: GetLastCanHandleEventTarget(aChain) == aChild, at /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:138

Categories

(Core :: DOM: Events, defect)


Tracking


REOPENED
126 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox125 --- wontfix
firefox126 --- affected
firefox135 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20231111-03298dc094d1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: GetLastCanHandleEventTarget(aChain) == aChild, at /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:138

#0 0x7f4b2060d1bc in mozilla::EventTargetChainItem::Create(nsTArray<mozilla::EventTargetChainItem>&, mozilla::dom::EventTarget*, mozilla::EventTargetChainItem*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:138:5
#1 0x7f4b2060cfb1 in mozilla::EventTargetChainItemForChromeTarget(nsTArray<mozilla::EventTargetChainItem>&, nsINode*, mozilla::EventTargetChainItem*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:731:32
#2 0x7f4b2060d288 in mozilla::MayRetargetToChromeIfCanNotHandleEvent(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPreVisitor&, mozilla::EventTargetChainItem*, mozilla::EventTargetChainItem*, nsINode*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:752:9
#3 0x7f4b2060e6cf in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:22
#4 0x7f4b21eb9602 in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:96:12
#5 0x7f4b1ce4dd67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
#6 0x7f4b1ce434d6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
#7 0x7f4b1ce41cb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:718:15
#8 0x7f4b1ce42135 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
#9 0x7f4b1ce51d06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:37
#10 0x7f4b1ce51d06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#11 0x7f4b1ce67072 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#12 0x7f4b1ce6e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#13 0x7f4b1db41fe5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#14 0x7f4b1da5b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#15 0x7f4b1da5b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#16 0x7f4b22392748 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#17 0x7f4b2244f698 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#18 0x7f4b2429a04b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#19 0x7f4b1db42ec6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#20 0x7f4b1da5b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#21 0x7f4b1da5b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#22 0x7f4b242998b2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#23 0x55c027085156 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#24 0x55c027085156 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#25 0x7f4b31429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#26 0x7f4b31429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#27 0x55c02705ae88 in _start (/home/user/workspace/browsers/m-c-20240109162901-fuzzing-debug/firefox-bin+0x58e88) (BuildId: e4c62efaf5851b0d60578cde9670049ea317e982)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240110045147-33d47d05c368.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 66c42cef8816a3264963ad03ee2dc74cead27fef (20230111043919)
End: 03298dc094d12359e06605347462a19dcd6a510f (20231111211250)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S3
Keywords: pernosco-wanted

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Testcase crashes using the initial build (mozilla-central 20231111211250-03298dc094d1) but not with tip (mozilla-central 20240405214302-68ef8d3216be.)

The bug appears to have been fixed in the following build range:

Start: 66c42f5f482f7f9ae7486c58600feb344e9fb757 (20240326114144)
End: 8bfc3595e66f8c45af3a35d0489015d7522799d3 (20240326125756)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=66c42f5f482f7f9ae7486c58600feb344e9fb757&tochange=8bfc3595e66f8c45af3a35d0489015d7522799d3

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

I can no longer reproduce the issue and no new reports have come in.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Attached file testcase.html

crash-explorer managed to get this to reproduce.

Attachment #9371900 - Attachment is obsolete: true
Status: RESOLVED → REOPENED
Resolution: FIXED → ---