Closed
Bug 1400436
Opened 7 years ago
Closed 7 years ago
Assertion failure: aDelta > 0 || s->mEditableDescendantCount >= (uint32_t) (-1 * aDelta)
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
People
(Reporter: tsmith, Assigned: catalinb)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
371 bytes,
text/html
|
Details |
Assertion failure: aDelta > 0 || s->mEditableDescendantCount >= (uint32_t) (-1 * aDelta), at /home/worker/workspace/build/src/dom/base/nsINode.cpp:1372 #0 0x7f46d5599c78 in nsINode::ChangeEditableDescendantCount(int) /dom/base/nsINode.cpp:1371:3 #1 0x7f46d535065a in mozilla::dom::Element::UnbindFromTree(bool, bool) /dom/base/Element.cpp:1823:11 #2 0x7f46d715f95f in nsGenericHTMLElement::UnbindFromTree(bool, bool) /dom/html/nsGenericHTMLElement.cpp:516:3 #3 0x7f46d7188c3e in nsGenericHTMLFormElement::UnbindFromTree(bool, bool) /dom/html/nsGenericHTMLElement.cpp:1917:3 #4 0x7f46d559c2e8 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /dom/base/nsINode.cpp:1929:3 #5 0x7f46d5393f0e in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /dom/base/FragmentOrElement.cpp:1113:5 #6 0x7f46d5595d3d in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /dom/base/nsINode.cpp:581:3 #7 0x7f46d5abf801 in mozilla::dom::NodeBinding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /obj-firefox/dom/bindings/NodeBinding.cpp:809:39 #8 0x7f46d6bee8c6 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13 #9 0x7f46db8c4e9e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/jscntxtinlines.h:239:15 #10 0x7f46db8c49ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:447:16 #11 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12 #12 0x7f46db8b411a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2922:18 #13 0x7f46db8a8a1a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:405:12 #14 0x7f46db8c4b42 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:477:15 #15 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12 #16 0x7f46db8c5591 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:523:10 #17 0x7f46db4763b9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:2828:12 #18 0x7f46d66cddfc in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8 #19 0x7f46d6f0f6c1 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12 #20 0x7f46d6f0f216 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1130:7 #21 0x7f46d6f10310 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /dom/events/EventListenerManager.cpp:1287:17 #22 0x7f46d6f030c4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:275:7 #23 0x7f46d6f02892 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:380:5 #24 0x7f46d6f043d6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:711:9 #25 0x7f46d6f05461 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp:777:12 #26 0x7f46d559985e in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /dom/base/nsINode.cpp:1309:5 #27 0x7f46d6ebe310 in mozilla::AsyncEventDispatcher::Run() /dom/events/AsyncEventDispatcher.cpp:54:3 #28 0x7f46d51e46fd in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:5195:5 #29 0x7f46d49af42d in nsAutoScriptBlocker::~nsAutoScriptBlocker() /dom/base/nsContentUtils.h:2865:5 #30 0x7f46d5352747 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/base/Element.cpp:2387:1 #31 0x7f46d718472b in nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/html/nsGenericHTMLElement.cpp:825:17 #32 0x7f46d711a222 in mozilla::dom::HTMLObjectElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /dom/html/HTMLObjectElement.cpp:305:17 #33 0x7f46d534ce51 in mozilla::dom::Element::SetAttribute(nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /dom/base/Element.cpp:1246:14 #34 0x7f46d675d7e5 in mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /obj-firefox/dom/bindings/ElementBinding.cpp:723:3 #35 0x7f46d6bee8c6 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13 #36 0x7f46db8c4e9e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/jscntxtinlines.h:239:15 #37 0x7f46db8c49ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:447:16 #38 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12 #39 0x7f46db8b411a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2922:18 #40 0x7f46db8a8a1a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:405:12 #41 0x7f46db8c4b42 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:477:15 #42 0x7f46db8c535e in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:504:12 #43 0x7f46db8c5591 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:523:10 #44 0x7f46db4763b9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:2828:12 #45 0x7f46d66cc419 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37 #46 0x7f46d6f320b0 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12 #47 0x7f46d6f30898 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /dom/events/JSEventHandler.cpp:214:3 #48 0x7f46d6f0f273 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1134:16 #49 0x7f46d6f10310 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /dom/events/EventListenerManager.cpp:1287:17 #50 0x7f46d6f030c4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:275:7 #51 0x7f46d6f02892 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:380:5 #52 0x7f46d6f043d6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:711:9 #53 0x7f46d87e61d2 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1047:7 #54 0x7f46d92b11da in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:7635:5 #55 0x7f46d92ae7eb in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7439:7 #56 0x7f46d92b28ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7336:13 #57 0x7f46d4862d1d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1255:3 #58 0x7f46d4862399 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:840:5 #59 0x7f46d485fdb6 in nsDocLoader::DocLoaderIsEmpty(bool) /uriloader/base/nsDocLoader.cpp:730:9 #60 0x7f46d4861500 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:612:5 #61 0x7f46d4861ecc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:468:14 #62 0x7f46d342611b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:633:18 #63 0x7f46d54fd1ab in nsDocument::DoUnblockOnload() /dom/base/nsDocument.cpp:8647:7 #64 0x7f46d54fce87 in nsDocument::UnblockOnload(bool) /dom/base/nsDocument.cpp:8575:9 #65 0x7f46d54e1d06 in nsDocument::DispatchContentLoadedEvents() /dom/base/nsDocument.cpp:5061:3 #66 0x7f46d556cc04 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /obj-firefox/dist/include/nsThreadUtils.h:810:7 #67 0x7f46d325eb62 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1216:7 #68 0x7f46d32eaca0 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/glue/nsThreadUtils.cpp:361:10 #69 0x7f46d3d96589 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:96:21 #70 0x7f46d3d04287 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:232:3 #71 0x7f46d3d04119 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:205:3 #72 0x7f46d81b8a9a in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:156:3 #73 0x7f46d995930c in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:283:19 #74 0x7f46d9a770bd in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4488:10 #75 0x7f46d9a78707 in XREMain::XRE_main(int, char**, nsXREAppData const*) /toolkit/xre/nsAppRunner.cpp:4621:8 #76 0x7f46d9a792f2 in XRE_main /toolkit/xre/nsAppRunner.cpp:4712:16 #77 0x4e03e9 in do_main(int, char**, char**, nsIFile*) /browser/app/nsBrowserApp.cpp:282:10 #78 0x4dfac5 in main /browser/app/nsBrowserApp.cpp:415:16 #79 0x7f46eff9982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #80 0x41c274 in _start (/home/user/workspace/browsers/m-e-1505415248-asan-debug/firefox+0x41c274)
Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
Catalin has recently been looking at code in this area so he may have thoughts. I'm mostly curious if this is a big deal and/or how urgently we should fix it. Thanks!
Flags: needinfo?(catalin.badea392)
|
Assignee | |
Comment 2•7 years ago
|
||
I can't reproduce the assert on local debug builds or nightly asan debug builds. :tsmith, are there any special conditions for reproducing this? :overholt, this doesn't look like it can lead to a crash. I think this is a P3.
Points: --- → 3
Flags: needinfo?(catalin.badea392) → needinfo?(twsmith)
|
|
Assignee | |
Updated•7 years ago
|
Points: 3 → ---
Priority: -- → P3
|
Reporter | |
Comment 3•7 years ago
|
||
(In reply to Cătălin Badea (:catalinb) from comment #2) > I can't reproduce the assert on local debug builds or nightly asan debug > builds. :tsmith, are there any special conditions for reproducing this? At the moment our fuzzers are only hitting this on ESR52.
Flags: needinfo?(twsmith)
|
|
||
Comment 4•7 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #3) > (In reply to Cătălin Badea (:catalinb) from comment #2) > > I can't reproduce the assert on local debug builds or nightly asan debug > > builds. :tsmith, are there any special conditions for reproducing this? > > At the moment our fuzzers are only hitting this on ESR52. That's a bit concerning as it'll be ESR until 59. Catalin, can you take a look again with ESR52?
Flags: needinfo?(catalin.badea392)
|
|
Assignee | |
Comment 5•7 years ago
|
||
Will take another look tomorrow.
Assignee: nobody → catalin.badea392
Flags: needinfo?(catalin.badea392)
|
|
Assignee | |
Comment 6•7 years ago
|
||
This happens (in esr52) because we run script before updating the editable descendants count. I think this was fixed in bug 1365092 in the patch that moves the side effects of nsGenericHTMLElement::SetAttr to BeforeSetAttr/AfterSetAttr. I couldn't come up with an easy fix. We could try to uplift the first patch from bug 1365092 or ask Kirk to have a look, but isn't this outside the scope of fixes we uplift to ESR?
Flags: needinfo?(overholt)
|
|
||
Comment 7•7 years ago
|
||
This does indeed seem like it's outside the scope of fixes we uplift to ESR and given comment 2 ("this doesn't look like it can lead to a crash"), I'm OK WONTFIXing this in ESR. Tyson, is that ok?
Flags: needinfo?(overholt) → needinfo?(twsmith)
|
|
Reporter | |
Comment 8•7 years ago
|
||
If it is not in scope of course I support your decision.
Flags: needinfo?(twsmith)
|
|
||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
status-firefox56:
--- → fixed
status-firefox57:
--- → fixed
Resolution: --- → WONTFIX
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•