Closed Bug 1838985 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(Element state change during style refresh (140737488355328)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3296

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230611-2e3060c42d23 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Element state change during style refresh (140737488355328)) at /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3296

#0 0x7f268833104a in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:264:3
#1 0x7f268833104a in mozilla::RestyleManager::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3294:5
#2 0x7f2688330bf0 in mozilla::PresShell::ElementStateChanged(mozilla::dom::Document*, mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4437:37
#3 0x7f2684545a80 in mozilla::dom::Document::ElementStateChanged(mozilla::dom::Element*, mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8248:3
#4 0x7f2684597887 in mozilla::dom::Element::NotifyStateChange(mozilla::dom::ElementState) /builds/worker/checkouts/gecko/dom/base/Element.cpp:368:10
#5 0x7f26866c406b in mozilla::dom::HTMLTextAreaElement::OnValueChanged(mozilla::TextControlElement::ValueChangeKind, bool, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/HTMLTextAreaElement.cpp
#6 0x7f26866dafd3 in OnValueChanged /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlElement.h:193:12
#7 0x7f26866dafd3 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2706:47
#8 0x7f26866bde61 in SetValue /builds/worker/workspace/obj-build/dist/include/mozilla/TextControlState.h:284:12
#9 0x7f26866bde61 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2469:26
#10 0x7f26885ef518 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:138:25
#11 0x7f2688567d4a in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:369:14
#12 0x7f268843de9b in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:482:3
#13 0x7f2688567d4a in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:369:14
#14 0x7f268843de9b in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:482:3
#15 0x7f268849b47a in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:50:12
#16 0x7f268843e719 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:232:11
#17 0x7f2688466301 in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:213:21
#18 0x7f268849b47a in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:50:12
#19 0x7f268843e719 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:232:11
#20 0x7f26884b2f91 in nsHTMLScrollFrame::DestroyFrom(nsIFrame*, mozilla::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:364:21
#21 0x7f2688436df7 in Destroy /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:657:5
#22 0x7f2688436df7 in nsContainerFrame::RemoveFrame(mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:186:19
#23 0x7f268839b228 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7560:5
#24 0x7f2688396fa5 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8542:7
#25 0x7f2688354b6d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1607:25
#26 0x7f268835bd34 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3179:9
#27 0x7f2688330150 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3264:3
#28 0x7f268832f22d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4329:39
#29 0x7f2684558fae in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1464:5
#30 0x7f2684558fae in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10876:16
#31 0x7f268636e3b0 in InitBasic /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:258:16
#32 0x7f268636e3b0 in mozilla::ContentEventHandler::InitCommon(mozilla::EventMessage, mozilla::SelectionType, bool) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:331:17
#33 0x7f268636ea20 in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:404:7
#34 0x7f2686373228 in mozilla::ContentEventHandler::OnQueryTextContent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:1483:17
#35 0x7f2686372ad1 in mozilla::ContentEventHandler::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp:1318:12
#36 0x7f26863c425d in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:664:25
#37 0x7f268634a30e in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1090:22
#38 0x7f268634956e in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:643:5
#39 0x7f2688345f3d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8209:39
#40 0x7f268833fab7 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8178:17
#41 0x7f268834034a in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7925:7
#42 0x7f268833dd7b in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6950:12
#43 0x7f268833d334 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6868:23
#44 0x7f2687edb78e in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:678:18
#45 0x7f2687edb539 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1149:9
#46 0x7f2687f15da3 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:348:37
#47 0x7f2687ef912a in mozilla::ContentCacheInChild::CacheText(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:293:12
#48 0x7f2687f18306 in mozilla::widget::PuppetWidget::NotifyIMEOfTextChange(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:812:7
#49 0x7f2687f2830f in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/TextEventDispatcher.cpp:486:40
#50 0x7f2687eee78a in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:1897:43
#51 0x7f26863c2fc4 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/checkouts/gecko/dom/events/IMEStateManager.cpp
#52 0x7f26863ca032 in mozilla::IMEContentObserver::IMENotificationSender::SendTextChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1980:3
#53 0x7f26863c956b in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1736:5
#54 0x7f26882f0363 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2534:13
#55 0x7f26882f9ee1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#56 0x7f26882f9ee1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#57 0x7f26882f9de0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#58 0x7f26882f9c7d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#59 0x7f26882f8ff6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#60 0x7f26882f8329 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#61 0x7f2687685e4b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#62 0x7f26879532fe in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#63 0x7f2687845ed0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8737:32
#64 0x7f26836388af in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#65 0x7f2683635602 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#66 0x7f2683636282 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#67 0x7f26836373cf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#68 0x7f2682972007 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#69 0x7f2682969c91 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#70 0x7f2682968627 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#71 0x7f2682968a85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#72 0x7f2682975e46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#73 0x7f2682975e46 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#74 0x7f268298c4ca in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#75 0x7f268299323d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#76 0x7f268363e7b5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#77 0x7f2683558411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#78 0x7f2683558411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#79 0x7f2687f480e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#80 0x7f268a27020b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#81 0x7f268363f696 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#82 0x7f2683558411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#83 0x7f2683558411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#84 0x7f268a26fada in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#85 0x55e7f379c526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#86 0x55e7f379c526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#87 0x7f2697829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#88 0x7f2697829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#89 0x55e7f37737c8 in _start (/home/user/workspace/browsers/m-c-20230616214102-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 8ce77c76ab58288fa94701b836e1066960983b07)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230616233847-c5ccbac63992.
The bug appears to have been introduced in the following build range:

Start: a9b52fdbc20f032b083bdecb106fcaf54b999f07 (20230515171352)
End: f62bd71b6825afd300936e2d3dff4ce7bacc0163 (20230515191908)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a9b52fdbc20f032b083bdecb106fcaf54b999f07&tochange=f62bd71b6825afd300936e2d3dff4ce7bacc0163

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on beta
  • Top 10 content process crashes on beta
  • Top 10 AArch64 and ARM crashes on nightly
  • Top 10 AArch64 and ARM crashes on beta

For more information, please visit BugBot documentation.

Keywords: topcrash

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

I can't reproduce this but from the pernosco recording we can see that:

  • We have an editor and a frame.
  • But the editor is not initialized.
  • Then we go and read the value from it anyways (which returns the empty string), and cache it on the frame.
  • Then when the frame goes away the cached value is read and wrongly persisted.

I don't think we should read the editor value if the editor hasn't been
initialized?

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Ok, so that fails a bajillion tests and I'm not in a position to be able to spend a lot of time debugging this right now... Masayuki, do you happen to have an idea of what is the right thing to do here?

Assignee: emilio → nobody
Status: ASSIGNED → NEW
Keywords: topcrash

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 10 AArch64 and ARM crashes on nightly
  • Top 10 AArch64 and ARM crashes on beta

For more information, please visit BugBot documentation.

Keywords: topcrash
Flags: needinfo?(masayuki)

I guess that TextEditor is created once by autofocus or by HTMLTextAreaElement itself first; then it's temporarily destroyed by the dir change, but finally, setting the value blocks re-initialization of TextEditor, and the initializer does not retry it here in this situation:

CallJSNative () at Interpreter.cpp:486
::binding_detail::GenericSetter<> () at BindingUtils.cpp:3277
::HTMLTextAreaElement_Binding::set_value () at HTMLTextAreaElementBinding.cpp:1242
::HTMLTextAreaElement::SetValue () at HTMLTextAreaElement.cpp:277
::HTMLTextAreaElement::SetValueInternal () at HTMLTextAreaElement.cpp:258
::TextControlState::SetValue () at Unified_cpp_dom_html4.cpp:284
::TextControlState::SetValue () at TextControlState.cpp:2696
::TextControlState::SetValueWithTextEditor () at TextControlState.cpp:2842
::SelectionBatcher::~SelectionBatcher () at Selection.h:1025
::Selection::EndBatchChanges () at Selection.cpp:3568
nsFrameSelection::EndBatchChanges () at nsFrameSelection.cpp:2287
nsFrameSelection::NotifySelectionListeners () at nsFrameSelection.cpp:2296
::Selection::NotifySelectionListeners () at Selection.cpp:3539
::AccessibleCaretEventHub::OnSelectionChange () at AccessibleCaretEventHub.cpp:663
::NoActionState::OnSelectionChanged () at AccessibleCaretEventHub.cpp:86
::AccessibleCaretManager::OnSelectionChanged () at AccessibleCaretManager.cpp:131
::AccessibleCaretManager::HideCaretsAndDispatchCaretStateChangedEvent () at AccessibleCaretManager.cpp:181
::AccessibleCaretManager::DispatchCaretStateChangedEvent () at AccessibleCaretManager.cpp:1425
::AccessibleCaretManager::MaybeFlushLayout () at AccessibleCaretManager.cpp:189
::LayoutFlusher::MaybeFlush () at AccessibleCaretManager.cpp:1044
::Document::FlushPendingNotifications () at Document.cpp:10819
::Document::FlushPendingNotifications () at Document.cpp:10887
::PresShell::FlushPendingNotifications () at PresShell.h:1464
::PresShell::DoFlushPendingNotifications () at PresShell.cpp:4331
nsAutoScriptBlocker::~nsAutoScriptBlocker () at nsContentUtils.h:3602
nsContentUtils::RemoveScriptBlocker () at nsContentUtils.cpp:5991
::EditorInitializer::Run () at nsTextControlFrame.cpp:1320

So it seems that even if we fix the crash, TextEditor may not work well. To solve the crash, I think that we should make TextControlState or the uninitialized TextEditor cache the value instead of nsTextControlFrame.

Flags: needinfo?(masayuki)
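To make the sequence in the two comments above concrete, here is a reduced C++ model (added here; it is not Gecko code and the struct and member names are stand-ins): a frame caches the value of an editor that was never initialized, and persisting that cached value when the frame is destroyed during a restyle fires an element state change inside the style refresh. The `onlyReadInitializedEditor` switch is the check suggested above (don't read the editor's value before it is initialized); both paths run so the difference is observable.

```cpp
#include <optional>
#include <string>
#include <utility>

// Stand-in for RestyleManager: a debug Gecko build MOZ_CRASHes when an
// element state change arrives while a style refresh is in progress.
struct RestyleManager {
    bool inStyleRefresh = false;
    int stateChangesDuringRefresh = 0;
    void ElementStateChanged() {
        if (inStyleRefresh) ++stateChangesDuringRefresh;  // the assertion site
    }
};

// The editor object exists, but its initializer never ran for it.
struct TextEditor {
    bool initialized = false;
    std::string text;                        // stays empty until initialized
    std::string GetValue() const { return text; }
};

// The element's own notion of its value (here: taken from the markup).
struct TextControlState {
    RestyleManager* rm;
    TextEditor editor;
    std::string value;
    void SetValue(const std::string& v) {
        if (v == value) return;
        value = v;
        rm->ElementStateChanged();           // value-dependent element state flips
    }
};

struct TextControlFrame {
    TextControlState* state;
    std::optional<std::string> cached;       // value cached on the frame
    bool onlyReadInitializedEditor;          // the check proposed in the comments
    void Init() {
        if (state->editor.initialized || !onlyReadInitializedEditor) {
            cached = state->editor.GetValue();  // bug path: "" from an uninitialized editor
        }
    }
    void DestroyFrom() {                     // UnbindFromFrame: persist the cached value
        if (cached) state->SetValue(*cached);
    }
};

// Replays the scenario: the element holds "abc", the editor exists but is never
// initialized, and the frame is destroyed during a restyle.
// Returns {state changes seen during the refresh, the element's final value}.
std::pair<int, std::string> RunScenario(bool withCheck) {
    RestyleManager rm;
    TextControlState state{&rm, TextEditor{}, "abc"};
    TextControlFrame frame{&state, std::nullopt, withCheck};
    frame.Init();                            // frame built while the editor is uninitialized
    rm.inStyleRefresh = true;                // ProcessPendingRestyles -> RecreateFramesForContent
    frame.DestroyFrom();                     //   -> frame destruction persists the cached value
    rm.inStyleRefresh = false;
    return {rm.stateChangesDuringRefresh, state.value};
}
```

Without the check the model reports one state change during the refresh and the value has been clobbered to the empty string; with it, no notification fires and "abc" survives.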

Hi :emilio, are you planning to land this for 116? Just a reminder the soft code freeze is tomorrow. If not, would you mind adding severity/priority?

Flags: needinfo?(emilio)

Not really, the patch can't land as is, and this is not a new issue. My patch exposed the bug, but also this assert is not crashing release users.

Flags: needinfo?(emilio)

Note: Bug 1793410 is the general bug for this crash signature. This bug is just one way that we're aware of, to trigger that crash. (But this bug probably isn't associated with all of the crash volume there.)

--> Marking this as blocking that general bug, and copying the S3 severity assessment, and removing the crash signature field here (since otherwise BugBot posts various nags like comment 7 on every bug that shares the crash signature, as if every helper-bug were responsible for all of the crash volume).

Blocks: 1793410
Severity: -- → S3
Crash Signature: [@ mozilla::RestyleManager::ElementStateChanged ]
Keywords: topcrash

Testcase crashes using the initial build (mozilla-central 20230611214645-2e3060c42d23) but not with tip (mozilla-central 20231006152733-9b362770f30b).

The bug appears to have been fixed in the following build range:

Start: db960ca5d4904de457b81d5c2ad8eca9ba07db8e (20230912032935)
End: 2e2360c55e7b421532f4d12b7a36a0e0f943a1e9 (20230912073158)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=db960ca5d4904de457b81d5c2ad8eca9ba07db8e&tochange=2e2360c55e7b421532f4d12b7a36a0e0f943a1e9

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

I am no longer able to reproduce the issue. It was last reported by a fuzzer targeting m-c 20230830-c4e74daae186.

Emilio: I didn't want to close this without checking with you first since you have a patch in the works. Are you ok with closing this?

Flags: needinfo?(twsmith) → needinfo?(emilio)

I'm fine closing as WFM, but the bisection in comment 19 makes no sense to me. I couldn't repro locally at all so I can't bisect manually either... If it's not too hard it'd be nice to know what really fixed this. But if it's not easy let's not spend too much time on it.

Flags: needinfo?(emilio) → needinfo?(twsmith)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

Bugmon doesn't check signatures so it can get confused if the test case triggers another crash.

Based on what the fuzzers are reporting the range is https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c4e74daae18650ad8979e2718448476df759092a&tochange=01e6745f9ba2e0920482c15dcf09aa1c27a18f7b

Flags: needinfo?(twsmith)