Open Bug 1889803 Opened 10 months ago Updated 1 month ago

Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

Categories

(Core :: Layout, defect)

Tracking Status
firefox126 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240213-995a3050d70c (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3401

#0 0x7be366ff0a84 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7be366ff0a84 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3399:5
#2 0x7be366ff05bf in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4527:37
#3 0x7be3631c9188 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8261:3
#4 0x7be36321e733 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:370:10
#5 0x7be36509cc6f in SetStates /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h
#6 0x7be36509cc6f in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:6979:5
#7 0x7be3651458c6 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:199:12
#8 0x7be3651458c6 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2711:47
#9 0x7be365128810 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:284:12
#10 0x7be365128810 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2477:26
#11 0x7be3672b32e4 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:137:25
#12 0x7be36711ca33 in nsBlockFrame::DoRemoveFrame(mozilla::FrameDestroyContext&, nsIFrame*, unsigned int) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6937:20
#13 0x7be36711c330 in nsBlockFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6140:5
#14 0x7be36705dae5 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7446:5
#15 0x7be3670593b6 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8433:7
#16 0x7be367017020 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1677:25
#17 0x7be36701ded4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3283:9
#18 0x7be366fefae5 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3369:3
#19 0x7be366feec27 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4419:39
#20 0x7be3631dca0f in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1480:5
#21 0x7be3631dca0f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10943:16
#22 0x7be3631b2e70 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10875:3
#23 0x7be3631b2e70 in mozilla::dom::Document::AutoEditorCommandTarget::AutoEditorCommandTarget(mozilla::dom::Document&, mozilla::dom::Document::InternalCommandData const&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5183:13
#24 0x7be3631b419e in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5423:27
#25 0x7be36448f064 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:3994:36
#26 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#27 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#28 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#29 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#30 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#31 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#32 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#33 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#34 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#35 0x7be36446f788 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#36 0x7be364e1f389 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#37 0x7be364e1e457 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#38 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#39 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#40 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#41 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#42 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#43 0x7be364dee6bb in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:642:14
#44 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#45 0x7be36343cf1a in FocusBlurEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2783:12
#46 0x7be362f69689 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6216:13
#47 0x7be362f698da in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6222:3
#48 0x7be363423e24 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2924:3
#49 0x7be363423129 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2895:3
#50 0x7be36341b996 in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2716:9
#51 0x7be3634143e3 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1801:5
#52 0x7be363415d13 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:477:3
#53 0x7be36321eec8 in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:466:16
#54 0x7be3646a9ced in mozilla::dom::HTMLElement_Binding::focus(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLElementBinding.cpp:9739:24
#55 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#56 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#57 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#58 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#59 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#60 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#61 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#62 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#63 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#64 0x7be364472a62 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#65 0x7be3666035b3 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:80:12
#66 0x7be36660108a in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:93:12
#67 0x7be366600cf3 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:207:18
#68 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#69 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#70 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#71 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#72 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#73 0x7be364dee5a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#74 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#75 0x7be364df42e6 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#76 0x7be363477f79 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1430:17
#77 0x7be364e030a2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:214:13
#78 0x7be36516bd1e in nsIConstraintValidation::ReportValidity() /builds/worker/checkouts/gecko/dom/html/nsIConstraintValidation.cpp:85:12
#79 0x7be36471c081 in mozilla::dom::HTMLInputElement_Binding::reportValidity(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLInputElementBinding.cpp:3449:36
#80 0x7be36477c9d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
#81 0x7be368d1cad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#82 0x7be368d1c3ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#83 0x7be368d2c05a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#84 0x7be368d2c05a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#85 0x7be368d1b9b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#86 0x7be368d1c409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#87 0x7be368d1d8c7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#88 0x7be368e3d0e7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#89 0x7be36446f788 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#90 0x7be364e1f389 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#91 0x7be364e1e457 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#92 0x7be364dfadf5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#93 0x7be364dfbef4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#94 0x7be364dfb769 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#95 0x7be364deefaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#96 0x7be364deefaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#97 0x7be364dee5a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#98 0x7be364df0eff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#99 0x7be36706ec1e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1028:7
#100 0x7be3682cb1e9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6267:13
#101 0x7be3682ca661 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5659:7
#102 0x7be3682cc2c6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#103 0x7be36257aeb9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#104 0x7be36257a432 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#105 0x7be36257867b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#106 0x7be3625798e1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#107 0x7be3683033ff in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13723:23
#108 0x7be36176fa1f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#109 0x7be361770f60 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#110 0x7be3631e1c0c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11731:18
#111 0x7be3631c7cb6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8157:3
#112 0x7be363282dd9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#113 0x7be363282dd9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#114 0x7be363282dd9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#115 0x7be363282dd9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#116 0x7be363282dd9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#117 0x7be363282dd9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#118 0x7be363282dd9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#119 0x7be361528e67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#120 0x7be36151e4d6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#121 0x7be36151ccb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#122 0x7be36151d135 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#123 0x7be36152ce06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#124 0x7be36152ce06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#125 0x7be361542132 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#126 0x7be36154927d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#127 0x7be36222ea35 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#128 0x7be362144991 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#129 0x7be362144991 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#130 0x7be366be1e98 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#131 0x7be366ca5588 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#132 0x7be368adef4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#133 0x7be36222f916 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#134 0x7be362144991 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#135 0x7be362144991 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#136 0x7be368ade772 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#137 0x64f618b795c6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#138 0x64f618b795c6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#139 0x7be376229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#140 0x7be376229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#141 0x64f618b4f2f8 in _start (/home/user/workspace/browsers/m-c-20240404213056-fuzzing-debug/firefox-bin+0x592f8) (BuildId: d6c223ce904d3eba4c7d54e2017dc1fbf05033d8)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240404213056-484d7ed7de7c.
Unable to bisect testcase (Unable to launch the end build!):

Start: 3b54fd2a69ea82b29dc2634f7909a059d967c4bb (20230407094736)
End: 995a3050d70cb954214be8710caa54a1794745ec (20240213052011)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

This and bug 1889804 seem very similar. In both cases, the state change is happening in code called from nsTextControlFrame::Destroy. Do we actually need to be handling state changes (in this case, VALUE_EMPTY; in bug 1889804 it's VALID/INVALID) for an element we're in the process of destroying?

See Also: → 1889804
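The nesting described in the comment above (a state-change notification reached from frame teardown while a style refresh is still on the stack) can be checked mechanically from a symbolized trace. The following is an added triage sketch, not part of this bug, Gecko or Grizzly: the function names are hypothetical, the sample is abridged from the trace in this report with build paths shortened, and the VALUE_EMPTY label is the name given to this value in the bug's comments.

```python
import re

# Constructed sample: the crash line plus selected frames abridged from the
# trace in this report (build path prefixes dropped, some arguments elided).
SAMPLE = """\
Hit MOZ_CRASH(Element state change during style refresh (35184372088832)) at layout/base/RestyleManager.cpp:3401
#0 0x7be366ff0a84 in MOZ_Crash mozilla/Assertions.h:317:3
#1 0x7be366ff0a84 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) layout/base/RestyleManager.cpp:3399:5
#6 0x7be36509cc6f in mozilla::dom::HTMLInputElement::OnValueChanged(...) dom/html/HTMLInputElement.cpp:6979:5
#10 0x7be365128810 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) dom/html/TextControlState.cpp:2477:26
#11 0x7be3672b32e4 in nsTextControlFrame::Destroy(mozilla::FrameDestroyContext&) layout/forms/nsTextControlFrame.cpp:137:25
#16 0x7be367017020 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) layout/base/RestyleManager.cpp:1677:25
#18 0x7be366fefae5 in mozilla::RestyleManager::ProcessPendingRestyles() layout/base/RestyleManager.cpp:3369:3
#24 0x7be3631b419e in mozilla::dom::Document::ExecCommand(...) dom/base/Document.cpp:5423:27
"""

CRASH_RE = re.compile(
    r"MOZ_CRASH\(Element state change during style refresh \((\d+)\)\)")
# "#N 0xADDR in <symbol, may contain spaces> <file:line:col>"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+)$")

# Symbols as they appear in the trace in this bug.
STATE_CHANGE = "RestyleManager::ElementStateChanged("
REFRESH_ENTRY = "RestyleManager::ProcessPendingRestyles("
# Name used for this value in the bug's comments.
KNOWN_STATES = {35184372088832: "VALUE_EMPTY"}


def crash_state(text):
    """Return the integer state mask from the MOZ_CRASH line, or None."""
    m = CRASH_RE.search(text)
    return int(m.group(1)) if m else None


def set_bits(value):
    """Bit positions set in the state mask (a single flag gives one index)."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def parse_frames(text):
    """Parse symbolized frames into (index, symbol, location) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames


def refresh_window(frames):
    """Frames from the state-change notification out to the enclosing style
    refresh, innermost first. Empty if the notification is not nested in one."""
    start = next((i for i, f in enumerate(frames) if STATE_CHANGE in f[1]), None)
    if start is None:
        return []
    for end in range(start + 1, len(frames)):
        if REFRESH_ENTRY in frames[end][1]:
            return frames[start:end + 1]
    return []


def triage(text):
    """Summarise which state changed and what ran inside the refresh."""
    state = crash_state(text)
    window = refresh_window(parse_frames(text))
    return {
        "state": state,
        "state_name": KNOWN_STATES.get(state, "unknown"),
        "bits": set_bits(state) if state is not None else [],
        # Symbol names without argument lists, innermost first.
        "window": [(n, sym.split("(")[0]) for n, sym, _ in window],
        # Frame teardown reached while the refresh is still on the stack.
        "teardown": [sym.split("(")[0] for _, sym, _ in window
                     if "::Destroy(" in sym],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

Run over a full trace, a non-empty `teardown` list separates reports like this one and bug 1889804 from other flavors of the same crash signature.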

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Duplicate of this bug: 1889804

Note: bug 1793410 is the general bug on this issue, though I think until now it's been in a "we've addressed the ways we're aware of that could cause this, and yet there's still crash volume" holding-pattern. So: it's good news that we've found fuzzer testcases (here and in bug 1889804) that trigger this!

Blocks: 1793410

emilio, you've looked at the other instances of this crash, I think; could you take a look here when you've got cycles, now that we've got a pernosco trace?

Severity: -- → S3
Flags: needinfo?(emilio)
Depends on: 1893532

This bug's 35184372088832 aka VALUE_EMPTY flavor of this diagnostic-assert is responsible for 1669 crashes over the last 6 months, which makes up 90% of the crash volume in the general bug 1793410 over that time period. (822 crashes over the last 3 months, 95% of the crash volume in bug 1793410 over that period.)

Based on bug 1936213 comment 2 (another flavor of this crash signature), the general "Element state change during style refresh" crash-signature is in the Top 10 content process crashes on beta, so we should consider this bug here (which tentatively represents 90% of that volume) to be a topcrash, probably.

(Fortunately it doesn't directly affect release since this is a diagnostic assert, but it seems to be a major source of crashes on beta.)

This would probably be a good one to circle back to when cycles are available.

Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Keywords: topcrash

:dholbert, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(dholbert)

Sure, let's consider it a S2 given that it satisfies topcrash criteria.

(Again, note that this doesn't crash in release -- it's a diagnostic assert, so it only crashes in early-beta-or-earlier. Nonetheless, it's still important to mitigate crashes for that cohort of users [myself included]; and more broadly, presumably it's sorta-bad that we're failing to satisfy the asserted condition, regardless of whether or not we're in a build with asserts enabled.)

Severity: S3 → S2
Flags: needinfo?(dholbert)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash