Closed
Bug 1982469
Opened 7 months ago
Closed 7 months ago
Assertion failure: aIsRoot == isRootSlow, at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:275
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
144 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | wontfix |
| firefox142 | --- | wontfix |
| firefox143 | --- | wontfix |
| firefox144 | --- | verified |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:m2], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing 20250613-017a5fb444d4 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --no-harness
Assertion failure: aIsRoot == isRootSlow, at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:275
#0 0x717780a2778e in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x717780a2778e in nsINode::AssertIsRootElementSlow(bool) const /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:275:3
#2 0x7177807e67e1 in IsRootElement /builds/worker/checkouts/gecko/dom/base/nsINode.h:1740:5
#3 0x7177807e67e1 in SearchViewTransitionPseudo /builds/worker/checkouts/gecko/dom/base/Element.cpp:4683:18
#4 0x7177807e67e1 in mozilla::dom::Element::GetPseudoElement(mozilla::PseudoStyleRequest const&) const /builds/worker/checkouts/gecko/dom/base/Element.cpp:4713:25
#5 0x71778048e8db in mozilla::dom::KeyframeEffect::GetPrimaryFrame() const /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:1578:33
#6 0x71778048fc10 in mozilla::dom::KeyframeEffect::UnregisterTarget() /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:1000:21
#7 0x7177804737c8 in mozilla::dom::KeyframeEffect::NotifyAnimationTimingUpdated(mozilla::PostRestyleMode) /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:177:3
#8 0x71778046d48d in UpdateEffect /builds/worker/checkouts/gecko/dom/animation/Animation.cpp:1724:23
#9 0x71778046d48d in mozilla::dom::Animation::Cancel(mozilla::PostRestyleMode) /builds/worker/checkouts/gecko/dom/animation/Animation.cpp:690:3
#10 0x7177845b434d in mozilla::dom::CSSAnimation::CancelFromStyle(mozilla::PostRestyleMode) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSSAnimation.h:87:16
#11 0x7177845b4134 in mozilla::AnimationCollection<mozilla::dom::CSSAnimation>::~AnimationCollection() /builds/worker/checkouts/gecko/layout/style/AnimationCollection.cpp:29:29
#12 0x717780487de4 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:88:5
#13 0x717780487de4 in reset /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/unique_ptr.h:385:4
#14 0x717780487de4 in operator= /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/unique_ptr.h:321:2
#15 0x717780487de4 in mozilla::ElementAnimationData::ClearAllPseudos(bool) /builds/worker/checkouts/gecko/dom/animation/ElementAnimationData.cpp:76:23
#16 0x7177807d80d1 in mozilla::dom::Element::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2392:13
#17 0x71778270e212 in nsGenericHTMLElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:473:20
#18 0x7177826edb70 in mozilla::dom::HTMLSharedElement::UnbindFromTree(mozilla::dom::UnbindContext&) /builds/worker/checkouts/gecko/dom/html/HTMLSharedElement.cpp:197:25
#19 0x717780739ae9 in nsIContent::UnbindFromTree(nsINode*) /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:153:3
#20 0x717780a36161 in nsINode::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*, nsINode*) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2496:9
#21 0x7177807639cc in mozilla::dom::Document::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*, nsINode*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:7821:12
#22 0x717780a3858f in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3020:5
#23 0x717780ebf24e in ReplaceChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2366:12
#24 0x717780ebf24e in mozilla::dom::Node_Binding::replaceChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:1025:60
#25 0x717781b9804d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#26 0x717785429d24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#27 0x71778542957f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#28 0x717785fae832 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#29 0x39b2fd5c50fe ([anon:js-executable-memory]+0x1c0fe)
Flags: in-testsuite?
|
||
Comment 1•7 months ago
|
||
Verified bug as reproducible on mozilla-central 20250811212651-bba8b54545d1.
Unable to bisect testcase (Testcase does not reproduce on end build!):
Start: 6a2726e60f57ab0a4179b75d229a1c483d207179 (20240813093307)
End: 017a5fb444d4f5e1eb1772cd89db2244afa8cce4 (20250613093648)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•7 months ago
|
||
The severity field is not set for this bug.
:emilio, could you have a look please?
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
Assignee | |
Comment 3•7 months ago
|
||
If we're unbinding the root element, the document might no longer be
able to reach the child element, but IsRootElement might still return
true. In this case at least that's the desired behavior (and I think
it's more correct).
|
||
Updated•7 months ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•7 months ago
|
|
||
Updated•7 months ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed] [viewtransitions:triage]
Pushed by ealvarez@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/ce86ed5bf979
https://hg.mozilla.org/integration/autoland/rev/10e39f36744c
Make AssertIsRootElementSlow account for mid-unbind situations. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/54531 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:triage] → [bugmon:bisected,confirmed] [viewtransitions:triage], [wptsync upstream]
Pushed by amarc@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/a8840c24950a
https://hg.mozilla.org/integration/autoland/rev/f5958a61c174
Prevent marionette getting confused and timing out.
|
||
Comment 7•7 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/10e39f36744c
https://hg.mozilla.org/mozilla-central/rev/f5958a61c174
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
status-firefox144:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch
Upstream PR merged by moz-wptsync-bot
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/54540 for changes under testing/web-platform/tests
|
|
||
Comment 10•7 months ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox143towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(emilio)
|
|
||
Comment 12•7 months ago
|
||
Verified bug as fixed on rev mozilla-central 20250827091530-ad24150c115f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
|
|
||
Updated•7 months ago
|
Points: --- → 1
Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:triage], [wptsync upstream] → [bugmon:bisected,confirmed] [viewtransitions:m2], [wptsync upstream]
|
||
Updated•7 months ago
|
status-firefox142:
--- → wontfix
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•