Closed Bug 1949893 Opened 6 months ago Closed 5 months ago

Assertion failure: aNode->IsRootOfNativeAnonymousSubtree() (What kind of node are we dealing with here?), at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11980

Categories

(Core :: DOM: Core & HTML, defect)


Tracking


VERIFIED FIXED
137 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox135 --- unaffected
firefox136 --- unaffected
firefox137 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20250210-9e1ae12b6d8f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aNode->IsRootOfNativeAnonymousSubtree() (What kind of node are we dealing with here?), at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11980

#0 0x735769ace741 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x735769ace741 in int nsContentUtils::CompareTreePosition<(TreeKind)0>(nsINode const*, nsINode const*, nsINode const*)::'lambda'(nsINode const*, mozilla::Maybe<unsigned int> const&)::operator()(nsINode const*, mozilla::Maybe<unsigned int> const&) const /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11979:5
#2 0x735769acdfef in int nsContentUtils::CompareTreePosition<(TreeKind)0>(nsINode const*, nsINode const*, nsINode const*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:12008:10
#3 0x73576bbd1317 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TreeOrderedArrayInlines.h:36:14
#4 0x73576bbd1317 in bool mozilla::BinarySearchIf<AutoTArray<mozilla::dom::HTMLImageElement*, 1ul>, mozilla::dom::TreeOrderedArray<mozilla::dom::HTMLImageElement*>::Insert(mozilla::dom::HTMLImageElement&, nsINode*)::PositionComparator>(AutoTArray<mozilla::dom::HTMLImageElement*, 1ul> const&, unsigned long, unsigned long, mozilla::dom::TreeOrderedArray<mozilla::dom::HTMLImageElement*>::Insert(mozilla::dom::HTMLImageElement&, nsINode*)::PositionComparator const&, unsigned long*) /builds/worker/workspace/obj-build/dist/include/mozilla/BinarySearch.h:80:24
#5 0x73576bb9b890 in Insert /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TreeOrderedArrayInlines.h:42:3
#6 0x73576bb9b890 in mozilla::dom::HTMLFormElement::AddElement(nsGenericHTMLFormElement*, bool, bool) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:1196:44
#7 0x73576bc7a6bb in nsGenericHTMLFormElement::UpdateFormOwner(bool, mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2152:11
#8 0x73576bc7a154 in nsGenericHTMLFormElement::FormIdUpdated(mozilla::dom::Element*, mozilla::dom::Element*, void*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2018:12
#9 0x735769cc731a in mozilla::IdentifierMapEntry::FireChangeCallbacks(mozilla::dom::Element*, mozilla::dom::Element*, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:596:10
#10 0x735769cc77b1 in mozilla::IdentifierMapEntry::RemoveIdElement(mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:631:5
#11 0x735769cf2450 in mozilla::dom::Document::RemoveFromIdTable(mozilla::dom::Element*, nsAtom*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4297:10
#12 0x735769d779c8 in mozilla::dom::Element::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2302:5
#13 0x73576bc73201 in nsGenericHTMLElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:563:20
#14 0x73576bb9865b in mozilla::dom::HTMLFormElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:501:25
#15 0x735769ce1854 in nsIContent::UnbindFromTree() /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:157:3
#16 0x735769fd1657 in nsINode::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2359:9
#17 0x735769fd3a75 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2883:5
#18 0x735769fcf273 in nsINode::ReplaceWith(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp
#19 0x73576ae35158 in mozilla::dom::Element_Binding::replaceWith(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:11724:24
#20 0x73576b0ac49d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#21 0x73576e813eb4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
#22 0x73576e81370f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
#23 0x73576f340452 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20250223093828-3196f540b6ef.
The bug appears to have been introduced in the following build range:

Start: ad04587bad59ca476a6014b21e0906f900a1cf56 (20250207165728)
End: e2c6d9af001edc07834b90a3985275b7c1162a2d (20250207174117)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ad04587bad59ca476a6014b21e0906f900a1cf56&tochange=e2c6d9af001edc07834b90a3985275b7c1162a2d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1946399

Set release status flags based on info from the regressing bug 1946399

:emilio, since you are the author of the regressor, bug 1946399, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

So the issue here is that we're comparing a node mid unbind, so we find its parent but not its index.

This is because we effectively have two nested <form id="a">s, and we remove the outer one from the ID table, and FireChangeCallbacks makes the id start pointing to the inner one. So we try to put the controls into the inner one.

I guess effectively I'm not changing behavior here, but it's a sketchy situation to begin with.

Flags: needinfo?(emilio)
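A constructed sketch of the DOM shape described in the comment above, added here as an illustration; it is not the attached testcase.html, whose contents are not shown on this page. It builds two nested forms sharing id="a" (the HTML parser refuses to nest forms, so the inner one is created with DOM APIs), puts form-associated elements inside the outer form that point at that id through the form attribute, and then calls replaceWith() on the outer form, which is the entry point shown in the stack. The choice of <img> is inferred from the HTMLImageElement entries in the trace (the images list is the TreeOrderedArray being inserted into) and is an assumption. The assertion is a MOZ_ASSERT, so only a debug build is affected by it.

```html
<!doctype html>
<!-- Constructed sketch of the structure described in the bug, not the attached testcase. -->
<form id="a">
  <!-- form-associated elements that resolve their owner through the id "a";
       <img> is assumed from the HTMLImageElement entries in the stack trace -->
  <img form="a">
  <img form="a">
</form>
<script>
  const outer = document.querySelector('form');

  // The parser will not nest <form> elements, so build the inner one via the DOM.
  const inner = document.createElement('form');
  inner.id = 'a';           // same id as the outer form
  outer.appendChild(inner);

  // Replacing the outer form removes it from the document's id table while it is
  // still unbinding. "a" now resolves to the inner form, so the form="a" elements
  // (themselves mid-unbind) are re-owned by the inner form, and inserting them
  // into its element list compares tree positions of nodes that still have a
  // parent but no longer have an index.
  outer.replaceWith(document.createElement('div'));
</script>
```

Two form-associated elements are used rather than one so that the second insertion into the inner form's list has something to compare against; a single element is inserted into an empty list without any tree-position comparison.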

This restores the behavior but it is not great.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Severity: -- → S3
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f9ea551138cc Paper over node comparison mid unbind. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/50935 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20250225214549-74fc528d64f4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
