Found while fuzzing m-c 20210501-cd81489560e4 (--enable-debug --enable-fuzzing)

A reduced test case is not available.

Assertion failure: !OwnerDoc()->IsScrollingElement(this) (How can we have a scrollframe if we're the scrollingElement for our document?), at src/dom/base/Element.cpp:639

#0 0x7f89bb5dd4e9 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) src/dom/base/Element.cpp:637:9
#1 0x7f89bb5de257 in mozilla::dom::Element::ScrollHeight() src/dom/base/Element.cpp:922:28
#2 0x7f89bc64a665 in mozilla::dom::Element_Binding::get_scrollHeight(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3249:39
#3 0x7f89bc9580a1 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3114:13
#4 0x7f89bfa22180 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:437:13
#5 0x7f89bfa218e2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:522:12
#6 0x7f89bfa23109 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:582:10
#7 0x7f89bfa23faf in Call src/js/src/vm/Interpreter.cpp:599:8
#8 0x7f89bfa23faf in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:724:10
#9 0x7f89bfd544af in CallGetter src/js/src/vm/NativeObject.cpp:2135:12
#10 0x7f89bfd544af in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::ShapeProperty, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2163:12
#11 0x7f89bfd54c69 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2308:14
#12 0x7f89bfa2817f in GetProperty src/js/src/vm/ObjectOperations-inl.h:116:10
#13 0x7f89bfa2817f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:123:10
#14 0x7f89bfa275ad in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4579:10
#15 0x7f89bfa157ce in GetPropertyOperation src/js/src/vm/Interpreter.cpp:219:10
#16 0x7f89bfa157ce in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2939:12
#17 0x7f89bfa0f465 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:406:13
#18 0x7f89bfa218ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:554:13
#19 0x7f89bfa23109 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:582:10
#20 0x7f89bfa23341 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:599:8
#21 0x7f89bffb78ab in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2849:10
#22 0x7f89bc2528f9 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:883:8
#23 0x7f89bb516043 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:782:12
#24 0x7f89bb607c69 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:795:12
#25 0x7f89bb607c69 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
#26 0x7f89bb490113 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:745:12
#27 0x7f89bb48f4c5 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:773:3
#28 0x7f89bb48f2f4 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:614:13
#29 0x7f89b9a537ce in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#30 0x7f89b9a31119 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:766:26
#31 0x7f89b9a30105 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:644:15
#32 0x7f89b9a30203 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#33 0x7f89b9a56e86 in operator() src/xpcom/threads/TaskController.cpp:138:37
#34 0x7f89b9a56e86 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#35 0x7f89b9a42e9f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#36 0x7f89b9a49b5a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#37 0x7f89ba329816 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#38 0x7f89ba293867 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#39 0x7f89ba293782 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#40 0x7f89ba293782 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#41 0x7f89be014dd8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f89bf8ecdf3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#43 0x7f89ba32a70a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#44 0x7f89ba293867 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#45 0x7f89ba293782 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#46 0x7f89ba293782 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#47 0x7f89bf8eca0e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:34
#48 0x559628d92b36 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#49 0x559628d92b36 in main src/browser/app/nsBrowserApp.cpp:313:18
#50 0x7f89cfd090b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#51 0x559628d6f93c in _start (/home/worker/builds/m-c-20210501093251-fuzzing-debug/firefox-bin+0x1593c)

A Pernosco session is available here: https://pernos.co/debug/PuuMxxohSuYcr4SrNxPMRQ/index.html

I don't have a quick idea. Emilio, could you take a look?

There are two bodies and we forget to reframe when one of those is removed. It'd be great to have a test-case to confirm what's going on, but it's not too worrisome.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210506214311-c9980e971a31.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: ead8f0367372fe5767d33a0aa0a95b07ee76ea75 (20200508033807)
End: cd81489560e48d19e43f8438c0c939fb58023648 (20210501093251)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Okay, let's say S4 then.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.