Assertion failure: aNode->IsRootOfNativeAnonymousSubtree() (What kind of node are we dealing with here?), at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11980
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr128 | --- | unaffected
firefox135 | --- | unaffected
firefox136 | --- | unaffected
firefox137 | --- | verified
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20250210-9e1ae12b6d8f (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aNode->IsRootOfNativeAnonymousSubtree() (What kind of node are we dealing with here?), at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11980
#0 0x735769ace741 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x735769ace741 in int nsContentUtils::CompareTreePosition<(TreeKind)0>(nsINode const*, nsINode const*, nsINode const*)::'lambda'(nsINode const*, mozilla::Maybe<unsigned int> const&)::operator()(nsINode const*, mozilla::Maybe<unsigned int> const&) const /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:11979:5
#2 0x735769acdfef in int nsContentUtils::CompareTreePosition<(TreeKind)0>(nsINode const*, nsINode const*, nsINode const*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:12008:10
#3 0x73576bbd1317 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TreeOrderedArrayInlines.h:36:14
#4 0x73576bbd1317 in bool mozilla::BinarySearchIf<AutoTArray<mozilla::dom::HTMLImageElement*, 1ul>, mozilla::dom::TreeOrderedArray<mozilla::dom::HTMLImageElement*>::Insert(mozilla::dom::HTMLImageElement&, nsINode*)::PositionComparator>(AutoTArray<mozilla::dom::HTMLImageElement*, 1ul> const&, unsigned long, unsigned long, mozilla::dom::TreeOrderedArray<mozilla::dom::HTMLImageElement*>::Insert(mozilla::dom::HTMLImageElement&, nsINode*)::PositionComparator const&, unsigned long*) /builds/worker/workspace/obj-build/dist/include/mozilla/BinarySearch.h:80:24
#5 0x73576bb9b890 in Insert /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TreeOrderedArrayInlines.h:42:3
#6 0x73576bb9b890 in mozilla::dom::HTMLFormElement::AddElement(nsGenericHTMLFormElement*, bool, bool) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:1196:44
#7 0x73576bc7a6bb in nsGenericHTMLFormElement::UpdateFormOwner(bool, mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2152:11
#8 0x73576bc7a154 in nsGenericHTMLFormElement::FormIdUpdated(mozilla::dom::Element*, mozilla::dom::Element*, void*) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:2018:12
#9 0x735769cc731a in mozilla::IdentifierMapEntry::FireChangeCallbacks(mozilla::dom::Element*, mozilla::dom::Element*, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:596:10
#10 0x735769cc77b1 in mozilla::IdentifierMapEntry::RemoveIdElement(mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:631:5
#11 0x735769cf2450 in mozilla::dom::Document::RemoveFromIdTable(mozilla::dom::Element*, nsAtom*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4297:10
#12 0x735769d779c8 in mozilla::dom::Element::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2302:5
#13 0x73576bc73201 in nsGenericHTMLElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:563:20
#14 0x73576bb9865b in mozilla::dom::HTMLFormElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:501:25
#15 0x735769ce1854 in nsIContent::UnbindFromTree() /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:157:3
#16 0x735769fd1657 in nsINode::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2359:9
#17 0x735769fd3a75 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2883:5
#18 0x735769fcf273 in nsINode::ReplaceWith(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp
#19 0x73576ae35158 in mozilla::dom::Element_Binding::replaceWith(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:11724:24
#20 0x73576b0ac49d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#21 0x73576e813eb4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
#22 0x73576e81370f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
#23 0x73576f340452 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
Comment 1•5 months ago
Verified bug as reproducible on mozilla-central 20250223093828-3196f540b6ef.
The bug appears to have been introduced in the following build range:
Start: ad04587bad59ca476a6014b21e0906f900a1cf56 (20250207165728)
End: e2c6d9af001edc07834b90a3985275b7c1162a2d (20250207174117)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ad04587bad59ca476a6014b21e0906f900a1cf56&tochange=e2c6d9af001edc07834b90a3985275b7c1162a2d
Comment 2•5 months ago
Set release status flags based on info from the regressing bug 1946399
:emilio, since you are the author of the regressor, bug 1946399, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 3•5 months ago (Assignee)
So the issue here is that we're comparing a node mid unbind, so we find its parent but not its index.
This is because we effectively have two nested <form id="a">s, and we remove the outer one from the ID table FireChangeCallbacks, so that it starts pointing to the inner one. So we try to put the controls into the inner one.
I guess effectively I'm not changing behavior here, but it's a sketchy situation to begin with.
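A simplified model of the sequence comment 3 describes, added here as an illustration; it is not Gecko code and not the bug's patch or testcase. The node, ID-table and callback names are hypothetical, and the removal order (child list first, parent pointer last) is an assumption drawn from the comment's "parent but not its index".

```cpp
#include <algorithm>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Simplified model of comment 3. Not Gecko code; all names are hypothetical.
struct Node {
  std::string id;
  Node* parent = nullptr;
  std::vector<Node*> kids;
};
enum class State { InTree, Detached, MidUnbind };

// MidUnbind: parent pointer still set, but the parent's child list lacks the node.
State Classify(const Node* n) {
  if (!n->parent) return State::Detached;
  const auto& k = n->parent->kids;
  return std::count(k.begin(), k.end(), n) ? State::InTree : State::MidUnbind;
}
struct IdTable {
  std::map<std::string, std::vector<Node*>> byId;  // per id, in tree order
  std::function<void(Node*)> onChange;             // receives the new first match
  void Remove(Node* n) {
    auto& v = byId[n->id];
    v.erase(std::remove(v.begin(), v.end(), n), v.end());
    if (onChange) onChange(v.empty() ? nullptr : v.front());
  }
};
// Assumed order: leave the child list, unbind (id table + callbacks), clear parent.
void RemoveChild(Node* parent, Node* kid, IdTable& ids) {
  auto& k = parent->kids;
  k.erase(std::remove(k.begin(), k.end(), kid), k.end());
  ids.Remove(kid);
  kid->parent = nullptr;
}
struct Observed { bool retargetedToInner; State outerInCallback; };

// Constructed tree: body > form#a (outer) > form#a (inner); the outer is removed.
Observed RunScenario() {
  Node body, outer, inner;
  outer.id = inner.id = "a";
  body.kids = {&outer}; outer.parent = &body;
  outer.kids = {&inner}; inner.parent = &outer;
  IdTable ids; ids.byId["a"] = {&outer, &inner};
  Observed seen{false, State::InTree};
  ids.onChange = [&](Node* now) { seen = {now == &inner, Classify(&outer)}; };
  RemoveChild(&body, &outer, ids);
  return seen;
}
int main() { return RunScenario().outerInCallback == State::MidUnbind ? 0 : 1; }
```

Inside the callback the ID now resolves to the inner form while the outer form still reports a parent that no longer lists it, which is the state a position comparator has to handle explicitly.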
Comment 4•5 months ago (Assignee)
This restores the behavior but it is not great.
Comment 7•5 months ago
bugherder
Comment 9•5 months ago
Verified bug as fixed on rev mozilla-central 20250225214549-74fc528d64f4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.