1991486 - Assertion failure: !aElement->GetPrimaryFrame(), at /layout/base/PresShell.cpp:3017

Reporter

Description

•

6 months ago

Testcase found while fuzzing mozilla-central rev 2dfd502d8f50 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2dfd502d8f50 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !aElement->GetPrimaryFrame(), at /layout/base/PresShell.cpp:3017

    ==400892==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7b1a205e2dc8 bp 0x7ffd37bda370 sp 0x7ffd37bda350 T400892)
    ==400892==The signal is caused by a WRITE memory access.
    ==400892==Hint: address points to the zero page.
        #0 0x7b1a205e2dc8 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:238:3
        #1 0x7b1a205e2dc8 in operator() /layout/base/PresShell.cpp:3017:5
        #2 0x7b1a205e2dc8 in ~ScopeExit /builds/worker/workspace/obj-build/dist/include/mozilla/ScopeExit.h:106:7
        #3 0x7b1a205e2dc8 in mozilla::PresShell::DestroyFramesForAndRestyle(mozilla::dom::Element*) /layout/base/PresShell.cpp:3044:1
        #4 0x7b1a205eb051 in mozilla::PresShell::ContentWillBeRemoved(nsIContent*, ContentRemoveInfo const&) /layout/base/PresShell.cpp:4888:7
        #5 0x7b1a1c73662b in operator() /dom/base/MutationObservers.cpp:189:35
        #6 0x7b1a1c73662b in Notify<(NotifyPresShell)1, (lambda at /dom/base/MutationObservers.cpp:189:35)> /dom/base/MutationObservers.cpp:91:7
        #7 0x7b1a1c73662b in mozilla::dom::MutationObservers::NotifyContentWillBeRemoved(nsINode*, nsIContent*, ContentRemoveInfo const&) /dom/base/MutationObservers.cpp:188:3
        #8 0x7b1a1c8e2b89 in nsINode::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*, nsINode*, MutationEffectOnScript) /dom/base/nsINode.cpp:2493:5
        #9 0x7b1a1c8e2626 in nsINode::MoveBefore(nsINode&, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:2462:16
        #10 0x7b1a1d8d8b76 in mozilla::dom::Element_Binding::moveBefore(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:12667:24
        #11 0x7b1a1da860ad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #12 0x7b1a2142df24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:490:13
        #13 0x7b1a2142d77f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #14 0x7b1a2144134f in CallFromStack /js/src/vm/Interpreter.cpp:658:10
        #15 0x7b1a2144134f in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3276:16
        #16 0x7b1a2142cde3 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:460:13
        #17 0x7b1a2142d7a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:618:13
        #18 0x7b1a2142ebcc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:685:8
        #19 0x7b1a2151506b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #20 0x7b1a1d8544ea in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #21 0x7b1a1e34a782 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #22 0x7b1a1e34a162 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1295:43
        #23 0x7b1a1e34b3d9 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1607:12
        #24 0x7b1a1e34ac6f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1512:35
        #25 0x7b1a1e33f61e in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #26 0x7b1a1e33f61e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:365:17
        #27 0x7b1a1e33ecec in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:606:16
        #28 0x7b1a1e3414c2 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1261:11
        #29 0x7b1a2065677e in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1024:7
        #30 0x7b1a20ac3183 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6454:13
        #31 0x7b1a20ac268f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5774:7
        #32 0x7b1a20ac4082 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:0:0
        #33 0x7b1a1b5ed219 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1514:3
        #34 0x7b1a1b5ec9d2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:1046:14
        #35 0x7b1a1b5ea34c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:841:9
        #36 0x7b1a1b5ebe3a in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:722:5
        #37 0x7b1a20af9edf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:14463:23
        #38 0x7b1a1a9982af in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:657:22
        #39 0x7b1a1a999456 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:541:10
        #40 0x7b1a1c6303ac in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:12450:18
        #41 0x7b1a1c616951 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8728:3
        #42 0x7b1a1c6de7c5 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:18
        #43 0x7b1a1c6de7c5 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #44 0x7b1a1c6de7c5 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
        #45 0x7b1a1c6de7c5 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
        #46 0x7b1a1c6de7c5 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
        #47 0x7b1a1c6de7c5 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1081:12
        #48 0x7b1a1c6de7c5 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1132:13
        #49 0x7b1a1a721d37 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
        #50 0x7b1a1a71c617 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
        #51 0x7b1a1a71b2c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
        #52 0x7b1a1a71b745 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
        #53 0x7b1a1a7286a6 in operator() /xpcom/threads/TaskController.cpp:333:37
        #54 0x7b1a1a7286a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:549:5
        #55 0x7b1a1a73a823 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1157:16
        #56 0x7b1a1a7410df in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
        #57 0x7b1a1b31a0d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #58 0x7b1a1b274441 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #59 0x7b1a1b274441 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #60 0x7b1a201b9e18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #61 0x7b1a20285b84 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:471:33
        #62 0x7b1a21291e9b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:657:20
        #63 0x7b1a1b31af84 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #64 0x7b1a1b274441 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #65 0x7b1a1b274441 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #66 0x7b1a212915f1 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:595:34
        #67 0x5879b2a4d05c in main /browser/app/nsBrowserApp.cpp:420:22
        #68 0x7b1a2b6381c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #69 0x7b1a2b63828a in __libc_start_main ./csu/../csu/libc-start.c:360:3
        #70 0x5879b2a20898 in _start ??:0:0
    
    ==400892==Register values:
    rax = 0x0000000000000000  rbx = 0x00005879c05cfa60  rcx = 0x0000000000000bc9  rdx = 0x00007b1a2b812563
    rdi = 0x00007b1a2b813700  rsi = 0x0000000000000000  rbp = 0x00007ffd37bda370  rsp = 0x00007ffd37bda350
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293
    r12 = 0x0000000000000000  r13 = 0x00007b1a205eaec0  r14 = 0x00005879c05c1ff0  r15 = 0x0000000000000001
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20250929081533-fuzzing-debug/libxul.so+0xa1e4dc8) (BuildId: 83bad32a41ab9caec670e0e2c425a87b8d770e58)
    ==400892==ABORTING

Jason Kratzer [:jkratzer]

Reporter

Comment 1

•

6 months ago

Attached file Testcase — Details

Jason Kratzer [:jkratzer]

Reporter

Updated

•

6 months ago

Attachment #9516982 - Attachment filename: testcase.html.undefined → testcase.html

Attachment #9516982 - Attachment mime type: text/plain → text/html

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

6 months ago

Assignee: nobody → smaug

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 2

•

6 months ago

Huh, DestroyFramesFor doesn't make any sense o_O

Bugmon [:jkratzer for issues]

Comment 3

•

6 months ago

Verified bug as reproducible on mozilla-central 20250929160404-e0d24a0fe50f.
The bug appears to have been introduced in the following build range:

Start: 9109c36f1b47fe5bebbb653c091caee721c22f15 (20250721163421)
End: 4d9976f639cdeb1ead4e4d0ed597b07cb248ae23 (20250721164045)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9109c36f1b47fe5bebbb653c091caee721c22f15&tochange=4d9976f639cdeb1ead4e4d0ed597b07cb248ae23

Keywords: regression

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

6 months ago

Severity: -- → S3

BugBot [:suhaib / :marco/ :calixte]

Comment 4

•

6 months ago

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:smaug, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(smaug)

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

6 months ago

Flags: needinfo?(smaug)

BugBot [:suhaib / :marco/ :calixte]

Comment 5

•

6 months ago

This bug has been marked as a regression. Setting status flag for Nightly to affected.

status-firefox145: --- → affected

Pascal Chevrel:pascalc

Updated

•

6 months ago

status-firefox144: --- → fix-optional

status-firefox145: affected → fix-optional

Regressed by: 1923880

BugBot [:suhaib / :marco/ :calixte]

Comment 6

•

6 months ago

Set release status flags based on info from the regressing bug 1923880

status-firefox-esr140: --- → unaffected

Bugzilla

Assertion failure: !aElement->GetPrimaryFrame(), at /layout/base/PresShell.cpp:3017

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: jkratzer, Assigned: smaug)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Updated

Comment 2

Comment 3

Updated

Comment 4

Updated

Comment 5

Updated

Comment 6

Attachment

General

Description

File Name

Content Type