1887974 - Assertion failure: nextNode (No next sibling!?! This could mean deadlock!), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1205

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240326-f76227b1c05f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: nextNode (No next sibling!?! This could mean deadlock!), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1205

#0 0x7059500b874d in mozilla::ContentSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1205:3
#1 0x70595048ff93 in RangeSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1572:19
#2 0x705950491194 in nsRange::CutContents(mozilla::dom::DocumentFragment**, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1828:10
#3 0x705950b88ef7 in mozilla::dom::Range_Binding::deleteContents(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./RangeBinding.cpp:764:24
#4 0x705951767527 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#5 0x705955cd9434 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#6 0x705955cd8d52 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#7 0x705955ce8baa in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#8 0x705955ce8baa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#9 0x705955cd82f2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#10 0x705955cd8d6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#11 0x705955cda157 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#12 0x705955df9be7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#13 0x705951499a78 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#14 0x705951e03179 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#15 0x705951e02247 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#16 0x705951ddec05 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1346:22
#17 0x705951ddfd04 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1661:12
#18 0x705951ddf579 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1558:35
#19 0x705951dd2acf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#20 0x705951dd2acf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#21 0x705951dd2081 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#22 0x705951dd4a86 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1222:11
#23 0x705954029cee in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1028:7
#24 0x7059552926f9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6303:13
#25 0x705955291b71 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5695:7
#26 0x7059552937d6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#27 0x70594f56b889 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#28 0x70594f56ae02 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#29 0x70594f56904b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#30 0x70594f56b00a in ChildDoneWithOnload /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.h:216:5
#31 0x70594f56b00a in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:856:14
#32 0x70594f569056 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:786:9
#33 0x70594f56a2b1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#34 0x7059552ca90f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13759:23
#35 0x70594e75bcef in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#36 0x70594e75d230 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#37 0x7059501b7d2c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11715:18
#38 0x70595005e72a in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:202:54
#39 0x70595005e887 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:202:39
#40 0x70594e51c707 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:66:1
#41 0x705953efcd00 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#42 0x705953efcd00 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#43 0x705953efcd00 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#44 0x705953efcd00 in mozilla::css::Loader::NotifyObservers(mozilla::css::SheetLoadData&, nsresult) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1715:1
#45 0x705953f1a394 in mozilla::SharedStyleSheetCache::LoadCompleted(mozilla::SharedStyleSheetCache*, mozilla::css::SheetLoadData&, nsresult) /builds/worker/checkouts/gecko/layout/style/SharedStyleSheetCache.cpp:68:20
#46 0x705953f0b93d in operator() /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1661:30
#47 0x705953f0b93d in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1659:11), void ((lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1659:11)::*)(bool) const, bool> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:651:12
#48 0x705953f0b93d in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1659:11), void ((lambda at /builds/worker/checkouts/gecko/layout/style/Loader.cpp:1659:11)::*)(bool) const, bool, RefPtr<mozilla::MozPromise<bool, bool, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:682:5
#49 0x705953f0b93d in mozilla::MozPromise<bool, bool, true>::ThenValue<mozilla::css::Loader::ParseSheet(nsTSubstring<char> const&, RefPtr<nsMainThreadPtrHolder<mozilla::css::SheetLoadData>> const&, mozilla::css::Loader::AllowAsyncParse)::$_0, mozilla::css::Loader::ParseSheet(nsTSubstring<char> const&, RefPtr<nsMainThreadPtrHolder<mozilla::css::SheetLoadData>> const&, mozilla::css::Loader::AllowAsyncParse)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, bool, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:856:9
#50 0x705950265992 in mozilla::MozPromise<bool, bool, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
#51 0x70594e513727 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#52 0x70594e508d96 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#53 0x70594e507577 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#54 0x70594e5079f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#55 0x70594e5176c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#56 0x70594e5176c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#57 0x70594e52c9a2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#58 0x70594e533aed in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#59 0x70594f21f205 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#60 0x70594f134fc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#61 0x70594f134fc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#62 0x705953b9d0a8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#63 0x705953c605e8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#64 0x705955a9f80b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#65 0x70594f2200e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#66 0x70594f134fc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#67 0x70594f134fc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#68 0x705955a9f072 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#69 0x567cee865496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#70 0x567cee865496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#71 0x705963a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#72 0x705963a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#73 0x567cee83b1c8 in _start (/home/user/workspace/browsers/m-c-20240326095207-fuzzing-debug/firefox-bin+0x591c8) (BuildId: 029ee0b176d80845d30b7dda01c8579ad5573961)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240326211853-a93eeb987e4a.
The bug appears to have been introduced in the following build range:

Start: 5969005dae85cc8ac486b2f0bdbb7454b660f252 (20240325134037)
End: 19dcff1ee3fcbb431110e0639c80a3ba51ee0a34 (20240325140555)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5969005dae85cc8ac486b2f0bdbb7454b660f252&tochange=19dcff1ee3fcbb431110e0639c80a3ba51ee0a34

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1867058

:sefeng, since you are the author of the regressor, bug 1867058, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 3

[Sean Feng [:sefeng]]

Attachment: Bug 1887974 - Allow nextNode to be null in ContentSubtreeIterator::Next r=#dom-core,jjaschke,smaug

This is actually reverting the assertion to the version before we
add the initial ShadowDOM selection support.

The issue is that nsRange::CutContents allows scripts to run
while iterating the nodes, and scripts can possibly changes DOM
tree. So the mStart and mEnd of ContentSubtreeIterator may stop
making sense, hence nextNode becomes null.

This is an old bug, not related to ShadowDOM selection, so I am
just revering the assertion.

Comment 4

[Donal Meehan [:dmeehan]]

:sefeng the Fx126 soft code freeze starts next week.
This patch is reviewed, if there's anything else blocking you from landing it?

Comment 5

[Sean Feng [:sefeng]]

Nothing prevents me from landing, I am going to try landing it again.

Comment 6

[Pulsebot]

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/827762d9b80b
Allow nextNode to be null in ContentSubtreeIterator::Next r=smaug

Comment 7

[Cristian Tuns]

Backed out for causing reftest failures in 1887974.html

• Backout link
• Push with failures
• Failure Log
• Failure line: REFTEST TEST-UNEXPECTED-FAIL | dom/base/crashtests/1887974.html | assertion count 1 is more than expected 0 assertions

Comment 8

[Pulsebot]

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/af163918fc00
Allow nextNode to be null in ContentSubtreeIterator::Next r=jjaschke,smaug,dom-core

Comment 9

[pstanciu]

https://hg.mozilla.org/mozilla-central/rev/af163918fc00

Comment 10

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240403093409-c720e2e99bf3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.