Open Bug 1771819 Opened 3 years ago Updated 2 years ago

Assertion failure: input->ControlType() == FormControlType::InputRange, at /builds/worker/checkouts/gecko/layout/forms/nsRangeFrame.cpp:315

Categories: Core :: Layout: Form Controls, defect
Tracking Status: firefox103 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, bugmon, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (testcase.html)

Found while fuzzing m-c 20220530-87e39a7da999 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: input->ControlType() == FormControlType::InputRange, at /builds/worker/checkouts/gecko/layout/forms/nsRangeFrame.cpp:315

#0 0x7f6d54893525 in nsRangeFrame::GetValueAsFractionOfRange() /builds/worker/checkouts/gecko/layout/forms/nsRangeFrame.cpp
#1 0x7f6d54299256 in void mozilla::widget::Theme::PaintRange<mozilla::widget::WebRenderBackendData>(nsIFrame*, mozilla::widget::WebRenderBackendData&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::EventStates const&, mozilla::widget::ThemeColors const&, mozilla::gfx::ScaleFactor<mozilla::CSSPixel, mozilla::LayoutDevicePixel>, bool) /builds/worker/checkouts/gecko/widget/Theme.cpp:813:33
#2 0x7f6d5428527f in bool mozilla::widget::Theme::DoDrawWidgetBackground<mozilla::widget::WebRenderBackendData>(mozilla::widget::WebRenderBackendData&, nsIFrame*, mozilla::StyleAppearance, nsRect const&, nsITheme::DrawOverflow) /builds/worker/checkouts/gecko/widget/Theme.cpp:1160:7
#3 0x7f6d542856ce in CreateWebRenderCommandsForWidget /builds/worker/checkouts/gecko/widget/Theme.cpp:1026:10
#4 0x7f6d542856ce in non-virtual thunk to mozilla::widget::Theme::CreateWebRenderCommandsForWidget(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsIFrame*, mozilla::StyleAppearance, nsRect const&) /builds/worker/checkouts/gecko/widget/Theme.cpp
#5 0x7f6d54a26511 in mozilla::nsDisplayThemedBackground::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:3751:17
#6 0x7f6d509420d7 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1822:41
#7 0x7f6d509409c9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2085:7
#8 0x7f6d54a2ec5a in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4643:30
#9 0x7f6d54a2ec5a in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4933:12
#10 0x7f6d54a2ec5a in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5270:22
#11 0x7f6d509420d7 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1822:41
#12 0x7f6d509409c9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2085:7
#13 0x7f6d5093ef31 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1743:5
#14 0x7f6d5095376e in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:363:30
#15 0x7f6d54a1d9c9 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2289:18
#16 0x7f6d5468a1b9 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3450:9
#17 0x7f6d545fbbea in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6436:5
#18 0x7f6d53ae382c in mozilla::dom::BrowserChild::RecvRenderLayers(bool const&, mozilla::layers::LayersObserverEpoch const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2680:18
#19 0x7f6d53ae79da in mozilla::dom::BrowserChild::PaintWhileInterruptingJS(mozilla::layers::LayersObserverEpoch const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:3381:3
#20 0x7f6d53aba899 in InterruptCallback /builds/worker/checkouts/gecko/dom/ipc/ProcessHangMonitor.cpp:372:21
#21 0x7f6d53aba899 in InterruptCallback(JSContext*) /builds/worker/checkouts/gecko/dom/ipc/ProcessHangMonitor.cpp:1029:19
#22 0x7f6d568a2166 in HandleInterrupt /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:429:10
#23 0x7f6d568a2166 in JSContext::handleInterrupt() /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:497:12
#24 0x7f6d5798fd1b in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2279:7
#25 0x7f6d5798e7f2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:389:13
#26 0x7f6d579a0076 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:539:13
#27 0x7f6d579a16a8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:8
#28 0x7f6d566656f1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#29 0x7f6d52226c49 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#30 0x7f6d53d7b6f3 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:80:12
#31 0x7f6d53d790ba in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:93:12
#32 0x7f6d53d78d21 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:228:18
#33 0x7f6d52a6e3ce in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#34 0x7f6d52a6f05d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
#35 0x7f6d52a63f44 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#36 0x7f6d52a63f44 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#37 0x7f6d52a63492 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#38 0x7f6d52a65d31 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#39 0x7f6d52a687d6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#40 0x7f6d51171d2d in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1366:17
#41 0x7f6d50cbc8ba in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4351:28
#42 0x7f6d50cbf99e in nsContentUtils::DispatchEventOnlyToChrome(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4638:10
#43 0x7f6d52be83e5 in DispatchEventOnlyToChrome /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:1654:12
#44 0x7f6d52be83e5 in NotifySubmitObservers /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:990:17
#45 0x7f6d52be83e5 in mozilla::dom::HTMLFormElement::SubmitSubmission(mozilla::dom::HTMLFormSubmission*) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:791:10
#46 0x7f6d52be6b1a in mozilla::dom::HTMLFormElement::DoSubmit(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:703:10
#47 0x7f6d52be67f3 in mozilla::dom::HTMLFormElement::Submit(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLFormElement.cpp:281:9
#48 0x7f6d523f9383 in mozilla::dom::HTMLFormElement_Binding::submit(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLFormElementBinding.cpp:887:24
#49 0x7f6d525076dc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3271:13
#50 0x7f6d579a0970 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:420:13
#51 0x7f6d579a017a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:12
#52 0x7f6d57997556 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:578:10
#53 0x7f6d57997556 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3314:16
#54 0x7f6d5798e7f2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:389:13
#55 0x7f6d579a0076 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:539:13
#56 0x7f6d579a16a8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:8
#57 0x7f6d566656f1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#58 0x7f6d5233dc86 in mozilla::dom::BlobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/HTMLCanvasElementBinding.cpp:335:8
#59 0x7f6d52689f59 in mozilla::dom::BlobCallback::Call(mozilla::dom::Blob*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:466:12
#60 0x7f6d52689ab9 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContextHelper.cpp:53:17
#61 0x7f6d50fe6e1b in mozilla::dom::EncodingCompleteEvent::Run() /builds/worker/checkouts/gecko/dom/base/ImageEncoder.cpp:107:22
#62 0x7f6d4f58999e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:475:16
#63 0x7f6d4f564353 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:788:26
#64 0x7f6d4f562f03 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:620:15
#65 0x7f6d4f563173 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:398:36
#66 0x7f6d4f58d126 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#67 0x7f6d4f58d126 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#68 0x7f6d4f578bff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1180:16
#69 0x7f6d4f57f1fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#70 0x7f6d501409d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#71 0x7f6d50068cf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
#72 0x7f6d50068c02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
#73 0x7f6d50068c02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
#74 0x7f6d5429cf08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#75 0x7f6d563dfc7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:875:20
#76 0x7f6d501418ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#77 0x7f6d50068cf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
#78 0x7f6d50068c02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
#79 0x7f6d50068c02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
#80 0x7f6d563df29c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:734:34
#81 0x55adfbaa0e90 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#82 0x55adfbaa0e90 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:338:18
#83 0x7f6d65ae6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#84 0x55adfba76c3c in _start (/home/user/workspace/browsers/m-c-20220530140717-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: 5baee988517db5bd4aee5405a88fb409f103e22c)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/DVhjJWroiaYX6WEOHS6BFA/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220530140717-87e39a7da999.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 391dbe0ceb290de3c1a6989aab62e602e55f176c (20210601032903)
End: 87e39a7da999bfa064f7acfcd4fa01f50f962d37 (20220530140717)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

This seems pretty much like a race condition.

Severity: -- → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon