Closed Bug 1889803 Opened 2 years ago Closed 26 days ago

Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
150 Branch
Tracking Flags:
Tracking Status
firefox-esr140 --- unaffected
firefox148 --- wontfix
firefox149 --- wontfix
firefox150 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Depends on 1 open bug, Blocks 2 open bugs,
URL
)

Details

(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

testcase.html
389 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20240213-995a3050d70c (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

#0 0x7be366ff0a84 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7be366ff0a84 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3399:5
#2 0x7be366ff05bf in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4527:37
#3 0x7be3631c9188 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8261:3
#4 0x7be36321e733 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:370:10
#5 0x7be36509cc6f in SetStates /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h
#6 0x7be36509cc6f in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6979:5
#7 0x7be3651458c6 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:199:12
#8 0x7be3651458c6 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2711:47
#9 0x7be365128810 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:284:12
#10 0x7be365128810 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2477:26
#11 0x7be3672b32e4 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:137:25
#12 0x7be36711ca33 in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6937:20
#13 0x7be36711c330 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6140:5
#14 0x7be36705dae5 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7446:5
#15 0x7be3670593b6 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8433:7
#16 0x7be367017020 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1677:25
#17 0x7be36701ded4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3283:9
#18 0x7be366fefae5 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3369:3
#19 0x7be366feec27 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4419:39
#20 0x7be3631dca0f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1480:5
#21 0x7be3631dca0f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10943:16
#22 0x7be3631b2e70 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10875:3
#23 0x7be3631b2e70 in mozilla::dom::Document::AutoEditorCommandTarget::AutoEditorCommandTarget(mozilla::dom::Document&, mozilla::dom::Document::InternalCommandData const&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5183:13
#24 0x7be3631b419e in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5423:27
#25 0x7be36448f064 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:3994:36
#26 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#27 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#28 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#29 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#30 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#31 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#32 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#33 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#34 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#35 0x7be36446f788 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#36 0x7be364e1f389 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#37 0x7be364e1e457 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#38 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#39 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#40 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#41 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#42 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#43 0x7be364dee6bb in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:642:14
#44 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#45 0x7be36343cf1a in FocusBlurEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2783:12
#46 0x7be362f69689 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6216:13
#47 0x7be362f698da in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6222:3
#48 0x7be363423e24 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2924:3
#49 0x7be363423129 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2895:3
#50 0x7be36341b996 in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2716:9
#51 0x7be3634143e3 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1801:5
#52 0x7be363415d13 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:477:3
#53 0x7be36321eec8 in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:466:16
#54 0x7be3646a9ced in mozilla::dom::HTMLElement_Binding::focus(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLElementBinding.cpp:9739:24
#55 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#56 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#57 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#58 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#59 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#60 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#61 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#62 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#63 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#64 0x7be364472a62 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#65 0x7be3666035b3 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:80:12
#66 0x7be36660108a in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:93:12
#67 0x7be366600cf3 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:207:18
#68 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#69 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#70 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#71 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#72 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#73 0x7be364dee5a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#74 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#75 0x7be364df42e6 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#76 0x7be363477f79 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1430:17
#77 0x7be364e030a2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:214:13
#78 0x7be36516bd1e in nsIConstraintValidation::ReportValidity() /builds/worker/checkouts/gecko/dom/html/nsIConstraintValidation.cpp:85:12
#79 0x7be36471c081 in mozilla::dom::HTMLInputElement_Binding::reportValidity(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLInputElementBinding.cpp:3449:36
#80 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#81 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#82 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#83 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#84 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#85 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#86 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#87 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#88 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#89 0x7be36446f788 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#90 0x7be364e1f389 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#91 0x7be364e1e457 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#92 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#93 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#94 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#95 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#96 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#97 0x7be364dee5a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#98 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#99 0x7be36706ec1e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1028:7
#100 0x7be3682cb1e9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6267:13
#101 0x7be3682ca661 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5659:7
#102 0x7be3682cc2c6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#103 0x7be36257aeb9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#104 0x7be36257a432 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#105 0x7be36257867b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#106 0x7be3625798e1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#107 0x7be3683033ff in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13723:23
#108 0x7be36176fa1f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#109 0x7be361770f60 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#110 0x7be3631e1c0c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11731:18
#111 0x7be3631c7cb6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8157:3
#112 0x7be363282dd9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#113 0x7be363282dd9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#114 0x7be363282dd9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#115 0x7be363282dd9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#116 0x7be363282dd9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#117 0x7be363282dd9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#118 0x7be363282dd9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#119 0x7be361528e67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#120 0x7be36151e4d6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#121 0x7be36151ccb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#122 0x7be36151d135 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#123 0x7be36152ce06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#124 0x7be36152ce06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#125 0x7be361542132 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#126 0x7be36154927d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#127 0x7be36222ea35 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#128 0x7be362144991 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#129 0x7be362144991 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#130 0x7be366be1e98 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#131 0x7be366ca5588 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#132 0x7be368adef4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#133 0x7be36222f916 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#134 0x7be362144991 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#135 0x7be362144991 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#136 0x7be368ade772 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#137 0x64f618b795c6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#138 0x64f618b795c6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#139 0x7be376229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#140 0x7be376229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#141 0x64f618b4f2f8 in _start (/home/user/workspace/browsers/m-c-20240404213056-fuzzing-debug/firefox-bin+0x592f8) (BuildId: d6c223ce904d3eba4c7d54e2017dc1fbf05033d8)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240404213056-484d7ed7de7c.
Unable to bisect testcase (Unable to launch the end build!):

Start: 3b54fd2a69ea82b29dc2634f7909a059d967c4bb (20230407094736)
End: 995a3050d70cb954214be8710caa54a1794745ec (20240213052011)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

This and bug 1889804 seem very similar. In both cases, the state change is happening in code called from nsTextControlFrame::Destroy. Do we actually need to be handling state changes (in this case, VALUE_EMPTY; in bug 1889804 it's VALID/INVALID) for an element we're in the process of destroying?

See Also: → 1889804
Keywords: pernosco-wanted

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco

A pernosco session for this bug can be found here.

Duplicate of this bug: 1889804

Note: bug 1793410 is the general bug on this issue, though I think until now it's been in a "we've addressed the ways we're aware of that could cause this, and yet there's still crash volume" holding-pattern. So: it's good news that we've found fuzzer testcases (here and in bug 1889804) that trigger this!

Blocks: 1793410

emilio, you've looked at the other instances of this crash, I think; could you take a look here when you've got cycles, now that we've got a pernosco trace?

Severity: -- → S3
Flags: needinfo?(emilio)
Depends on: 1893532

This bug's 35184372088832 aka VALUE_EMPTY flavor of this diagnostic-assert is responsible for 1669 crashes over the last 6 months, which makes up 90% of the crash volume in the general bug 1793410 over that time period. (822 crashes over the last 3 months, 95% of the crash volume in bug 1793410 over that period.)

Based on bug 1936213 comment 2 (another flavor of this crash signature), the general "Element state change during style refresh" crash-signature is in the Top 10 content process crashes on beta, so we should consider this bug here (which tentatively represents 90% of that volume) to be a topcrash, probably.

(Fortunately it doesn't directly affect release since this is a diagnostic assert, but it seems to be a major source of crashes on beta.)

This would probably be a good one to circle back to when cycles are available.

Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Keywords: topcrash

:dholbert, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(dholbert)

Sure, let's consider it a S2 given that it satisfies topcrash criteria.

(Again, note that this doesn't crash in release -- it's a diagnostic assert, so it only crashes in early-beta-or-earlier. Nonetheless, it's still important to mitigate crashes for that cohort of users [myself included]; and more broadly, presumably it's sorta-bad that we're failing to satisfy the asserted condition, regardless of whether or not we're in a build with asserts enabled.)

Severity: S3 → S2
Flags: needinfo?(dholbert)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash
Severity: S2 → S3
Flags: needinfo?(emilio)

This issue has also been reported via live site testing.

Blocks: site-scout
URL: http://strengthofthor.online/
See Also: → 1983702

(In reply to Jonathan Kew [:jfkthame] from comment #2)

This and bug 1889804 seem very similar. In both cases, the state change is happening in code called from nsTextControlFrame::Destroy. Do we actually need to be handling state changes (in this case, VALUE_EMPTY; in bug 1889804 it's VALID/INVALID) for an element we're in the process of destroying?

This seems like a good question. (The pernosco trace in Bug 1983702 shows that essentially the same thing is happening there.)

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #14)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

Breaking news, this signature is apparently back to being a topcrash again, on beta at least [though it won't crash on release per comment 10]. BugBot is trying to note that by adding topcrash keyword to the recently-filed bug 1983702, but that flavor of this crash signature is responsible for very little of the actual crash volume, whereas this bug here is responsible for nearly all of it. Hence, moving the topcrash keyword over here.

Keywords: topcrash
Duplicate of this bug: 1983702

When fixing this, we should take extra care to confirm whether the dupes-that-share-the-same-signature (e.g. bug 1983702) are in fact fixed or should be reopened.

Looking at the last month of crash data for this crash signature, and focusing on Desktop Firefox: it looks like Chinese users may be disproportionately affected.

Specifically:

  • Aggregating by "Useragent locale", 39% of the crash reports (118) have a zh-cn locale. (en-us is the next-most-common, with 38% / 115 crash reports)
  • Aggregating by User Comment to see all the comments: there are only 5 crash reports with comments, all of them in Chinese. They say that they're crashing while entering a search term on Baidu. One of them mentions input method ("Baidu homepage, Baidu input method crashes").

So: in the wild, this crash might typically involve some sort of Chinese-language IME tool which maybe toggles the input element to re-validate when the IME-entered content gets committed to the page, or something like that.

[Expanding on my previous comment]
Looking at the last 6 months of data: the trends are similar -- roughly 40% Chinese-language locale (zh-cn or zh-tw), 40% en-US, with lots of user comments in Chinese.

Japan (ja and ja-jp-macos) represent roughly 6% of crashes -- that's the next most common affected locale after Chinese and US-English.

4 crashes mention the specific string "Baidu Input Method" (in Chinese, 百度输入法) in the user comment.

One other comment (this one in Japanese) also mentioned IME and had a bit more detail -- here's the Google Translate translation:

If you press the Windows key to remove focus while the IME is converting, and then regain focus, the app crashes. This only occurs on Google Search. It is unclear if it works on other pages.

On baidu at least, I can see that their <textarea> changes from overflow:hidden to have overflow-y: auto; (with overflow-x: hidden) when you focus it.

Google also gains overflow-y: auto when you focus their textarea.

Presumably those style changes (when the field gains or loses focus) are causing the frame to get reconstructed, and that's what triggers a similar sort of teardown-and-rebuild flow that the fuzzer testcases are doing. (And I imagine that the aforementioned IME tools might be simultaneously changing the text content and focus state, which might make the relevant edge cases here easier to trigger.)

Depends on: 1987232

Setting the in-the-wild crashes aside and focusing on the testcase for the moment (which uses a datetime widget):
Part of the issue is that SetValueInternal calls AsyncEventDispatcher::RunDOMEventWhenSafe to dispatch a MozDateTimeValueChanged event, and in the pernosco trace here, that gets handled synchronously/immediately, which results in a focus() call (for reasons similar to what's described in bug 1987232) and hence triggers a reentrant call to the testcase's func_0 function (which then replaces the datetime widget's value out from under us, and then when we unwind back up to the outer SetValueInternal call and call OnValueChanged, we're doing so with a stale picture of what the value is. In this case, we think it was empty, but it in fact isn't empty because it's been changed out from under us.)

(In reply to Daniel Holbert [:dholbert] from comment #18)

Breaking news, this signature is apparently back to being a topcrash again, on beta at least

I adjusted the diagnostic to be nightly-only in bug 1987810, so this should no longer impact beta at all.

status-firefox126: affected → ---
Keywords: topcrash

Apparently this is back to being a topcrash (see bug 2007715 comment 5), though it's Nightly-only now per comment 25.

I'm moving the topcrash keyword from that bug over to this bug, per bug 2007715 comment 7, since ~all the recent crash volume has 35184372088832 in the crash reason field.

Keywords: topcrash

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

Testcase crashes using the initial build (mozilla-central 20250307214355-99620432e3b8) but not with tip (mozilla-central 20260307095200-dea9f10f1bce.)

The bug appears to have been fixed in the following build range:

Start: e0e9052e852859976f50235e11bb919cb83d30ba (20260306041829)
End: 68ace92d6cbc3c389d744f5a802de8618d8bb7d6 (20260306071920)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0e9052e852859976f50235e11bb919cb83d30ba&tochange=68ace92d6cbc3c389d744f5a802de8618d8bb7d6

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

Likely that'd be bug 1989331.

Depends on: 1989331

(grizzly-launched Firefox isn't working for me at the moment, and I can't reproduce the crash in a plain Firefox configuration [including before the patch landed] so I'll defer to Tyson to confirm bugbot's suspicion of this bug being fixed before closing this.)

(It's great news that this is likely-fixed, BTW, because this signature has been a topcrash for a while -- hopefully the topcrash is fixed now!)

Looks good to me. I am no longer able to repro. Fuzzers have also stopped reporting (last report from m-c 20260305-edcea1e99bb9).

Status: NEW → RESOLVED
Closed: 26 days ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → emilio
status-firefox148: --- → wontfix
status-firefox149: --- → wontfix
status-firefox150: --- → fixed
status-firefox-esr140: --- → unaffected
Target Milestone: --- → 150 Branch
QA Whiteboard: [qa-triage-done-c151/b150]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: