Closed
Bug 1934080
Opened 2 months ago
Closed 2 months ago
Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:989
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1933919
| Tracking | Status | |
|---|---|---|
| firefox135 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])
Attachments
(1 file)
|
185 bytes,
text/html
|
Details |
Found while fuzzing 20241127-4b87a4cb1707 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:989
#0 0x7d5f774c5035 in operator* /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:989:3
#1 0x7d5f774c5035 in SetStart /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:351:43
#2 0x7d5f774c5035 in mozilla::dom::HTMLTextAreaElement::ContentWillBeRemoved(nsIContent*) /builds/worker/checkouts/gecko/dom/html/HTMLTextAreaElement.cpp:802:11
#3 0x7d5f743c4e0a in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:35
#4 0x7d5f743c4e0a in ForEachAncestorObserver<(lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:35)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:60:11
#5 0x7d5f743c4e0a in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:35)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:94:19
#6 0x7d5f743c4e0a in mozilla::dom::MutationObservers::NotifyContentWillBeRemoved(nsINode*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:186:3
#7 0x7d5f746371ab in nsINode::RemoveChildNode(nsIContent*, bool) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2330:5
#8 0x7d5f73e4f1a9 in nsContentUtils::SetNodeTextContent(nsIContent*, nsTSubstring<char16_t> const&, bool) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5882:17
#9 0x7d5f774bfa97 in mozilla::dom::HTMLTextAreaElement::SetDefaultValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLTextAreaElement.cpp:325:3
#10 0x7d5f748a3e74 in mozilla::dom::HTMLTextAreaElement_Binding::set_defaultValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./HTMLTextAreaElementBinding.cpp:1107:24
#11 0x7d5f760657de in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3238:8
#12 0x7d5f7caf49f4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#13 0x7d5f7caf49f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#14 0x7d5f7caf692c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:695:10
#15 0x7d5f7caf692c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
#16 0x7d5f7caf8a21 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:858:10
#17 0x7d5f7ce3edfb in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2708:8
#18 0x7d5f7ce3c65a in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2743:14
#19 0x7d5f7db940da in js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1515:10
#20 0x35d3f768309a ([anon:js-executable-memory]+0x309a)
Flags: in-testsuite?
|
||
Comment 1•2 months ago
|
||
Unable to reproduce bug 1934080 using build mozilla-central 20241127035800-4b87a4cb1707. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
Reporter | |
Comment 2•2 months ago
|
||
Not sure why bugmon failed to repro this we are seeing it constantly while fuzzing.
emilio: could this be caused by bug 1931301?
Flags: needinfo?(emilio)
|
|
Reporter | |
Comment 3•2 months ago
|
||
Oh I didn't see bug 1933919 so I'm guessing this is a duplicate.
|
||
Comment 4•2 months ago
|
||
Yes. Bug 1933919 has a patch already. The test-case is great, will add it, thanks!
Status: NEW → RESOLVED
Closed: 2 months ago
Duplicate of bug: 1933919
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•