Assertion failure: Type() == eString (wrong type), at /builds/worker/checkouts/gecko/dom/base/nsAttrValue.cpp:772
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox144 | --- | unaffected |
| firefox145 | --- | unaffected |
| firefox146 | + | fixed |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
166 bytes,
text/html
|
Details |
Found while fuzzing 20251030-a9b1de7c0585 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: Type() == eString (wrong type), at /builds/worker/checkouts/gecko/dom/base/nsAttrValue.cpp:772
#0 0x7b07e2e79ba4 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7b07e2e79ba4 in nsAttrValue::GetStringValue() const /builds/worker/checkouts/gecko/dom/base/nsAttrValue.cpp:772:3
#2 0x7b07e4c728a5 in mozilla::dom::HTMLLinkElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/html/HTMLLinkElement.cpp:226:32
#3 0x7b07e2cd644a in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, AttrModType, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:3054:5
#4 0x7b07e2cd6b99 in SetAttrInternal<(lambda at /builds/worker/checkouts/gecko/dom/base/Element.cpp:2867:26)> /builds/worker/checkouts/gecko/dom/base/Element.cpp:2912:10
#5 0x7b07e2cd6b99 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsAtom*, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2865:10
#6 0x7b07e1d8fab1 in nsHtml5TreeOperation::SetHTMLElementAttributes(mozilla::dom::Element*, nsAtom*, nsHtml5HtmlAttributes*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOperation.cpp:472:17
#7 0x7b07e1d8fd9a in nsHtml5TreeOperation::CreateHTMLElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser))::$_0::operator()(nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) const /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOperation.cpp:533:5
#8 0x7b07e1d82e0f in nsHtml5TreeOperation::CreateHTMLElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOperation.cpp:549:10
#9 0x7b07e1d777b1 in nsHtml5TreeBuilder::createElement(int, nsAtom*, nsHtml5HtmlAttributes*, void*, nsHtml5ContentCreatorFunction) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeBuilderCppSupplement.h:154:14
#10 0x7b07e1d7af37 in nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeBuilder.cpp:4422:11
#11 0x7b07e1d53d39 in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeBuilder.cpp:0:0
#12 0x7b07e1d4f3da in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /builds/worker/checkouts/gecko/parser/html/nsHtml5Tokenizer.cpp:331:21
#13 0x7b07e1d69c32 in int nsHtml5Tokenizer::stateLoop<nsHtml5FastestPolicySIMD>(int, char16_t, int, char16_t*, bool, int, int) /builds/worker/checkouts/gecko/parser/html/nsHtml5Tokenizer.h:0:0
#14 0x7b07e1d4a761 in StateLoopFastestSIMD /builds/worker/checkouts/gecko/parser/html/nsHtml5TokenizerSIMD.cpp:13:10
#15 0x7b07e1d4a761 in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) /builds/worker/checkouts/gecko/parser/html/nsHtml5Tokenizer.cpp:458:11
#16 0x7b07e1d4d8eb in nsHtml5StringParser::Tokenize(nsTSubstring<char16_t> const&, mozilla::dom::Document*, bool, bool) /builds/worker/checkouts/gecko/parser/html/nsHtml5StringParser.cpp:129:33
#17 0x7b07e29e05c3 in nsContentUtils::ParseFragmentHTML(nsTSubstring<char16_t> const&, nsIContent*, nsAtom*, int, bool, bool, int) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6303:38
#18 0x7b07e2cdf635 in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:1985:14
#19 0x7b07e2cdf167 in mozilla::dom::Element::SetInnerHTML(mozilla::dom::TrustedHTMLOrNullIsEmptyString const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:4355:3
#20 0x7b07e3f32c61 in mozilla::dom::Element_Binding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:5066:24
#21 0x7b07e40d92cd in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3253:10
#22 0x7b07e7b1abb4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#23 0x7b07e7b1a40f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#24 0x7b07e7b1b85c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:685:8
#25 0x7b07e7b1caf4 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:816:10
#26 0x7b07e7dc8810 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2716:8
#27 0x7b07e7dc7742 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2751:14
#28 0x7b07e869995b in js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1511:10
#29 0x1503f13190e5 ([anon:js-executable-memory]+0x1e0e5)
|
||
Comment 1•1 month ago
|
||
Got crash on nightly with the testcase: https://crash-stats.mozilla.org/report/index/5937870a-594a-433d-8494-1e9210251031#tab-bugzilla
|
|
||
Comment 2•1 month ago
|
||
Bisection:
Bug 1995614: Atomize ATTR_TYPE strings and any single digit strings during tokenization. r=hsivonen
Differential Revision: https://phabricator.services.mozilla.com/D269859
|
||
Comment 3•1 month ago
|
||
Set release status flags based on info from the regressing bug 1995614
|
||
Comment 4•1 month ago
|
||
Looks like there are plenty of element types where we're expecting a StringBuffer but we're passing through an atom. I have a fix for a few of them, including this case, but I'm concerned there are other places where a string is still being expected.
|
||
Comment 5•1 month ago
|
||
Verified bug as reproducible on mozilla-central 20251031042638-7481c44fceaf.
Unable to bisect testcase (Unable to launch the start build!):
Start: 8b099f2b18f3af46c2624ade20b2b0bbd2417ebb (20241101051853)
End: a9b1de7c0585b7f4b77990b2e6f51f796ed3e4e4 (20251030214318)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
|
||
Updated•1 month ago
|
|
|
||
Comment 6•1 month ago
|
||
backout of regressor hasn't landed on main yet(only autoland), will close as fixed when the merge happens
|
|
||
Comment 7•1 month ago
|
||
Testcase crashes using the initial build (mozilla-central 20251030214318-a9b1de7c0585) but not with tip (mozilla-central 20251031205128-90470f136143.)
The bug appears to have been fixed in the following build range:
Start: f60abfee0f3556b8fe548fc18199dfab24a25abd (20251031142621)
End: 90470f1361431a99abb4526828c12b7adc2296cb (20251031205128)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f60abfee0f3556b8fe548fc18199dfab24a25abd&tochange=90470f1361431a99abb4526828c12b7adc2296cb
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 8•1 month ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
|
|
||
Comment 9•1 month ago
|
||
The bug is marked as tracked for firefox146 (nightly). We have limited time to fix this, the soft freeze is in 3 days. However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
|
||
Comment 10•1 month ago
|
||
Backout bug 1995614 was merged to central: https://hg-edge.mozilla.org/mozilla-central/rev/42c0e7efe0f2
Dianna, I assume we're okay to close this?
|
|
||
Updated•1 month ago
|
|
Reporter | |
Updated•1 month ago
|
|
||
Updated•25 days ago
|
|
||
Updated•22 days ago
|
Description
•