Open Bug 1883501 Opened 1 year ago Updated 1 year ago

Assertion failure: mMilestoneEntries.Top().mMilestone >= containerMilestone (Trying to pop off earliest times but we have earlier ones that were overlooked), at /builds/worker/checkouts/gecko/dom/smil/SMILTimeContainer.cpp:231

Categories

(Core :: SVG, defect)

Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fix-optional

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240301-76bfcd57b0cd (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

The attached test case is flaky and relies on FuzzingFunctions.

Assertion failure: mMilestoneEntries.Top().mMilestone >= containerMilestone (Trying to pop off earliest times but we have earlier ones that were overlooked), at /builds/worker/checkouts/gecko/dom/smil/SMILTimeContainer.cpp:231

#0 0x7f379b9811b2 in mozilla::SMILTimeContainer::PopMilestoneElementsAtMilestone(mozilla::SMILMilestone const&, nsTArray<RefPtr<mozilla::dom::SVGAnimationElement>>&) /builds/worker/checkouts/gecko/dom/smil/SMILTimeContainer.cpp:229:3
#1 0x7f379b9719f6 in mozilla::SMILAnimationController::DoMilestoneSamples() /builds/worker/checkouts/gecko/dom/smil/SMILAnimationController.cpp:471:18
#2 0x7f379b96ffef in mozilla::SMILAnimationController::DoSample(bool) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationController.cpp:281:3
#3 0x7f379c2734f6 in Resample /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:73:21
#4 0x7f379c2734f6 in FlushResampleRequests /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:86:5
#5 0x7f379c2734f6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4325:46
#6 0x7f37985745ef in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1474:5
#7 0x7f37985745ef in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10927:16
#8 0x7f37986cf892 in mozilla::dom::Selection::ScrollIntoView(short, mozilla::ScrollAxis, mozilla::ScrollAxis, int) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3403:31
#9 0x7f37986d5825 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3332:14
#10 0x7f379c234303 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2688:13
#11 0x7f379c23dfd1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#12 0x7f379c23dfd1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#13 0x7f379c23ded0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#14 0x7f379c23dd6d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#15 0x7f379c23d00c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#16 0x7f379c23c279 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#17 0x7f379b5556fb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#18 0x7f379b84545d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#19 0x7f379b72d3e0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8277:32
#20 0x7f37975f311f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1812:25
#21 0x7f37975efe72 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1731:9
#22 0x7f37975f0af2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1524:3
#23 0x7f37975f1c3f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1622:14
#24 0x7f37968f3377 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#25 0x7f37968e8ae6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#26 0x7f37968e72c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#27 0x7f37968e7745 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#28 0x7f37968f7316 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#29 0x7f37968f7316 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#30 0x7f379690c682 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#31 0x7f37969137cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#32 0x7f37975f9065 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#33 0x7f379750f411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#34 0x7f379750f411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#35 0x7f379be68158 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#36 0x7f379bf2abb8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#37 0x7f379dd6282b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#38 0x7f37975f9f46 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#39 0x7f379750f411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#40 0x7f379750f411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#41 0x7f379dd62092 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#42 0x55e821ec53f6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#43 0x55e821ec53f6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#44 0x7f37ab829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#45 0x7f37ab829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#46 0x55e821e9b128 in _start (/home/user/workspace/browsers/m-c-20240304165340-fuzzing-debug/firefox-bin+0x59128) (BuildId: 4cd10e79b03551268afff4f2a04b8043968b0ce3)

A Pernosco session is available here: https://pernos.co/debug/ZzapgZ0P81YFmpv1EykuWQ/index.html

Keywords: pernosco

Verified bug as reproducible on mozilla-central 20240304212558-7d0df3f2acae.
The bug appears to have been introduced in the following build range:

Start: 12a40a80a9757d658928c97c0c3af6c15302fca2 (20230322000349)
End: be84a6280becce858982e8a84d2311ebbc1e68dc (20230322020849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=12a40a80a9757d658928c97c0c3af6c15302fca2&tochange=be84a6280becce858982e8a84d2311ebbc1e68dc

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Is bug 1820116 a possible regressor here?

The change in bug 1820116 changes the editing result of the testcase. So, it must be a trigger to reproduce this, but it seems that this is not a bug in the editor module. The editor module may create an unexpected state for SMIL. I guess that the assertion could fail without the editor.

Flags: needinfo?(masayuki)

Triaging as S3 since the assertion failure here doesn't look catastrophic/dangerous.

Severity: -- → S3

Not diving fully into debugging, but just a quick note from a quick look at the moment where the assertion fails:

(pernosco) p mMilestoneEntries.Top().mMilestone
$1 = {
  mTime = 1000,
  mIsEnd = true
}
(pernosco) p containerMilestone 
$2 = {
  mTime = 1798,
  mIsEnd = true
}

(and indeed, that means mMilestoneEntries.Top().mMilestone >= containerMilestone fails, since the value 1000 is not >= the value 1798)
