Found while fuzzing m-c 20230516-8ebc261d0f07 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Element state change during style refresh (140737488355328)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3296

#0 0x7f180a939a03 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f180a939a03 in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3294:5
#2 0x7f180a939550 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4451:37
#3 0x7f1806daff4a in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8234:3
#4 0x7f1806dfed87 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:368:10
#5 0x7f1808d90b01 in mozilla::dom::HTMLInputElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp
#6 0x7f1808e2f623 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:193:12
#7 0x7f1808e2f623 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2715:47
#8 0x7f1808e135f1 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:283:12
#9 0x7f1808e135f1 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2478:26
#10 0x7f180abdcdf8 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:138:25
#11 0x7f180aa59f82 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6534:20
#12 0x7f180aa58422 in DoRemoveFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.h:549:5
#13 0x7f180aa58422 in nsBlockFrame::RemoveFrame(mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5834:5
#14 0x7f180a99d328 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7564:5
#15 0x7f180a999445 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8546:7
#16 0x7f180a95a0bd in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1607:25
#17 0x7f180a960de4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3179:9
#18 0x7f180a938ba0 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3264:3
#19 0x7f180a93812d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4343:39
#20 0x7f180a8fbd39 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#21 0x7f180a8fbd39 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2624:22
#22 0x7f180a90541d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#23 0x7f180a90541d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#24 0x7f180a905320 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#25 0x7f180a9051fd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#26 0x7f180a9045b6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#27 0x7f180a903879 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#28 0x7f1809d073cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#29 0x7f1809fcb27e in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#30 0x7f1809ec13d0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8885:32
#31 0x7f1805f08b7f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#32 0x7f1805f05832 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#33 0x7f1805f06364 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#34 0x7f1805f0768f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#35 0x7f18052abab7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#36 0x7f18052a6cba in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#37 0x7f18052a5797 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#38 0x7f18052a5b15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#39 0x7f18052af0d9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#40 0x7f18052af0d9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#41 0x7f18052c53fa in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#42 0x7f18052cba1d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#43 0x7f1805f0ead3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#44 0x7f1805e30411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#45 0x7f1805e30411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#46 0x7f180a57d068 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#47 0x7f180c81a0ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#48 0x7f1805f0f9d6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#49 0x7f1805e30411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#50 0x7f1805e30411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#51 0x7f180c819972 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#52 0x55d24d7bc7a6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#53 0x55d24d7bc7a6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#54 0x7f1818a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#55 0x7f1818a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#56 0x55d24d793a28 in _start (/home/user/workspace/browsers/m-c-20230516123447-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 4b3675970ff23cfc53656ae29d88572c940a5a39)

Verified bug as reproducible on mozilla-central 20230516212859-035b9c71b042.
The bug appears to have been introduced in the following build range:

Start: a9b52fdbc20f032b083bdecb106fcaf54b999f07 (20230515171352)
End: f62bd71b6825afd300936e2d3dff4ce7bacc0163 (20230515191908)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a9b52fdbc20f032b083bdecb106fcaf54b999f07&tochange=f62bd71b6825afd300936e2d3dff4ce7bacc0163

:jteow does Bug 1832868 look like the regressor?
(mentioned in the pushlog from Comment 1)

Hmm, I'm not sure. Can I get more context about what this test does?

The code I modified in my patch changed the inspection of an element (related to telemetry code) on a search engine results page to use windowUtils.getBoundsWithoutFlushing instead of getBoundingClientRect().

However, the feature is hidden behind a preference and the routine should only trigger if the page has a URL that matches a search engine results page, so I feel like it shouldn't have caused a regression to existing tests.

I could easily be wrong, there may be a more likely cause in the pushlog. Maybe Bug 1832701?

Or Bug 1833181 also looks likely since it touched input related code.

Emilio wdyt?

Yes the stack in comment 0 hits the OnValueChanged stuff bug 1833181 added.

Set release status flags based on info from the regressing bug 1833181

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

So the issue is that when we switch input types we call SetValue here, but without SetValueChanged, which means that the value ends up getting ignored only if we don't have a frame, which is rather weird...

I'm not sure why we take a different code path, it's very weird that the input.value = input.value line in this test-case changes our behavior... But arguably the behavior without that is slightly nicer... But it is somehow specific to text inputs which is odd?

Olli, Masayuki, do you have opinions on this?

What is "which means that the value ends up getting ignored only if we don't have a frame" referring to?
I'm not familiar with ValueSetterOption::SetValueChanged. When is that supposed to be used?

The issue here is that the SetValueInternal call made us go from empty
value to non-empty due to color's specialness of returning black always,
but since the value dirty flag wasn't set, the non-empty value actually
didn't make a difference and just confused the code.

Make the code follow the spec more closely, which fixes this (in
particular the SetDefaultValueAsValue call).

Also, remove some useless code in SetValueInternal() since callers end
up in OnValueChanged() effectively everywhere except when mDoneCreating
is false (in which case we can just wait until DoneCreatingElement calls
us again), and if the do not end up there then that's a bug to fix.

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

https://hg.mozilla.org/mozilla-central/rev/99a32758cd79

Verified bug as fixed on rev mozilla-central 20230524094121-edf46b420e6b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.