Open Bug 1448202 Opened 7 years ago Updated 2 years ago

UBSan: downcast of address which does not point to an object of type 'mozilla::dom::HTMLVideoElement'

Categories

(Core :: Audio/Video: Playback, defect, P2)

Tracking

Tracking Status
firefox61 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined)

This was triggered while watching a video on youtube when built with -fsanitize=vptr.

Found with changeset: 409459:8bf380faae74

objdir-ff-vptr/dist/include/mozilla/dom/HTMLVideoElement.h:30:3: runtime error: downcast of address 0x61a0001aa680 which does not point to an object of type 'mozilla::dom::HTMLVideoElement'
0x61a0001aa680: note: object is of type 'mozilla::dom::HTMLMediaElement'
 d1 04 00 76  b0 3b 09 90 41 7f 00 00  b0 40 09 90 41 7f 00 00  00 00 00 00 00 00 00 00  00 00 08 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::dom::HTMLMediaElement'
    #0 0x7f41816aa230 in mozilla::dom::HTMLVideoElement* mozilla::dom::HTMLVideoElement::FromNode<mozilla::dom::HTMLMediaElement*&>(mozilla::dom::HTMLMediaElement*&) objdir-ff-vptr/dist/include/mozilla/dom/HTMLVideoElement.h:30:3
    #1 0x7f41816200e1 in FromNodeOrNull<mozilla::dom::HTMLMediaElement *> objdir-ff-vptr/dist/include/mozilla/dom/HTMLVideoElement.h:30:3
    #2 0x7f41816200e1 in mozilla::dom::HTMLMediaElement::ReportTelemetry() dom/html/HTMLMediaElement.cpp:4514
    #3 0x7f4181636e08 in mozilla::dom::HTMLMediaElement::SuspendOrResumeElement(bool, bool) dom/html/HTMLMediaElement.cpp:6365:7
    #4 0x7f41815f7b35 in mozilla::dom::HTMLMediaElement::NotifyOwnerDocumentActivityChanged() dom/html/HTMLMediaElement.cpp:6423:3
    #5 0x7f4181612708 in mozilla::dom::HTMLMediaElement::HTMLMediaElement(already_AddRefed<mozilla::dom::NodeInfo>&) dom/html/HTMLMediaElement.cpp:3866:3
    #6 0x7f418171c463 in mozilla::dom::HTMLVideoElement::HTMLVideoElement(already_AddRefed<mozilla::dom::NodeInfo>&) dom/html/HTMLVideoElement.cpp:48:5
    #7 0x7f418171bfc1 in NS_NewHTMLVideoElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) dom/html/HTMLVideoElement.cpp:38:1
    #8 0x7f417c319f6b in nsHtml5TreeOperation::CreateHTMLElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) parser/html/nsHtml5TreeOperation.cpp:449:20
    #9 0x7f417c2ed8dd in nsHtml5TreeBuilder::createElement(int, nsAtom*, nsHtml5HtmlAttributes*, void*, nsHtml5ContentCreatorFunction) parser/html/nsHtml5TreeBuilderCppSupplement.h:100:14
    #10 0x7f417c30131f in nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) parser/html/nsHtml5TreeBuilder.cpp:4453:11
    #11 0x7f417c2dc3dc in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) parser/html/nsHtml5TreeBuilder.cpp
    #12 0x7f417c2c3af2 in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) parser/html/nsHtml5Tokenizer.cpp:384:21
    #13 0x7f417c35875b in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) parser/html/nsHtml5Tokenizer.cpp:1044:30
    #14 0x7f417c2ae469 in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) parser/html/nsHtml5Tokenizer.cpp:494:11
    #15 0x7f417c2bda51 in nsHtml5StringParser::Tokenize(nsTSubstring<char16_t> const&, nsIDocument*, bool) parser/html/nsHtml5StringParser.cpp:108:33
    #16 0x7f417d641305 in nsContentUtils::ParseFragmentHTML(nsTSubstring<char16_t> const&, nsIContent*, nsAtom*, int, bool, bool, nsContentUtils::SanitizeFragments) dom/base/nsContentUtils.cpp:5228:26
    #17 0x7f417d63ffcd in nsContentUtils::CreateContextualFragment(nsINode*, nsTSubstring<char16_t> const&, bool, nsContentUtils::SanitizeFragments, mozilla::ErrorResult&) dom/base/nsContentUtils.cpp:5095:13
    #18 0x7f417d63d921 in CreateContextualFragment dom/base/nsContentUtils.h:1654:12
    #19 0x7f417d63d921 in nsContentUtils::CreateContextualFragment(nsINode*, nsTSubstring<char16_t> const&, bool, nsIDOMDocumentFragment**) dom/base/nsContentUtils.cpp:5055
    #20 0x7f417d96e0de in mozilla::dom::Element::InsertAdjacentHTML(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/base/Element.cpp:4001:12
    #21 0x7f417ff57104 in mozilla::dom::ElementBinding::insertAdjacentHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) objdir-ff-vptr/dom/bindings/ElementBinding.cpp:3714:9
    #22 0x7f418080b147 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:3031:13
    #23 0x7f4189b693cf in CallJSNative js/src/vm/JSContext-inl.h:290:15
    #24 0x7f4189b693cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:467
    #25 0x7f4189b4654b in CallFromStack js/src/vm/Interpreter.cpp:522:12
    #26 0x7f4189b4654b in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3084
    #27 0x7f4189b39bbb in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:417:12
    #28 0x7f4189b692b8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:489:15
    #29 0x7f4189b6a152 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:535:10
    #30 0x7f418a8095bb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:3011:12
    #31 0x7f417fdfcd52 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) objdir-ff-vptr/dom/bindings/EventHandlerBinding.cpp:260:37
    #32 0x7f418123c3a7 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) objdir-ff-vptr/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #33 0x7f418121d13b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) dom/events/JSEventHandler.cpp:215:12
    #34 0x7f41811cfa2e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:1090:51
    #35 0x7f41811d1768 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1259:20
    #36 0x7f41811b52b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:527:16
    #37 0x7f41811ba980 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) dom/events/EventDispatcher.cpp:917:9
    #38 0x7f41811bde6e in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:996:12
    #39 0x7f418115c269 in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) dom/events/DOMEventTargetHelper.cpp:269:5
    #40 0x7f418362812d in mozilla::dom::XMLHttpRequestMainThread::DispatchOrStoreEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::Event*) dom/xhr/XMLHttpRequestMainThread.cpp:1336:12
    #41 0x7f418362224a in mozilla::dom::XMLHttpRequestMainThread::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::XMLHttpRequestMainThread::ProgressEventType, long, long) dom/xhr/XMLHttpRequestMainThread.cpp:1299:3
    #42 0x7f41836225ef in mozilla::dom::XMLHttpRequestMainThread::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::XMLHttpRequestMainThread::ProgressEventType, long, long) dom/xhr/XMLHttpRequestMainThread.cpp:1317:5
    #43 0x7f4183630684 in mozilla::dom::XMLHttpRequestMainThread::ChangeStateToDone() dom/xhr/XMLHttpRequestMainThread.cpp
    #44 0x7f418363c6e1 in mozilla::dom::XMLHttpRequestMainThread::OnStopRequest(nsIRequest*, nsISupports*, nsresult) dom/xhr/XMLHttpRequestMainThread.cpp
    #45 0x7f417a47663a in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, nsresult) netwerk/protocol/http/nsCORSListenerProxy.cpp:651:27
    #46 0x7f4179f4777c in mozilla::net::nsHTTPCompressConv::OnStopRequest(nsIRequest*, nsISupports*, nsresult) netwerk/streamconv/converters/nsHTTPCompressConv.cpp:169:20
    #47 0x7f417a38da6b in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult, nsISupports*) netwerk/protocol/http/HttpChannelChild.cpp:1298:16
    #48 0x7f417a39d063 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) netwerk/protocol/http/HttpChannelChild.cpp:1176:5
    #49 0x7f417a7259a3 in mozilla::net::ChannelEventQueue::FlushQueue() netwerk/ipc/ChannelEventQueue.cpp:93:12
    #50 0x7f417a734dd4 in MaybeFlushQueue objdir-ff-vptr/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #51 0x7f417a734dd4 in CompleteResume objdir-ff-vptr/dist/include/mozilla/net/ChannelEventQueue.h:306
    #52 0x7f417a734dd4 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() netwerk/ipc/ChannelEventQueue.cpp:161
    #53 0x7f4179111706 in mozilla::SchedulerGroup::Runnable::Run() xpcom/threads/SchedulerGroup.cpp:413:25
    #54 0x7f4179135fde in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1096:14
    #55 0x7f4179177d3e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:517:10
    #56 0x7f417aaaebe8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #57 0x7f417a934a8d in RunHandler ipc/chromium/src/base/message_loop.cc:319:3
    #58 0x7f417a934a8d in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299
    #59 0x7f4183a87856 in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:157:27
    #60 0x7f41897bf314 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:893:22
    #61 0x7f417a934a8d in RunHandler ipc/chromium/src/base/message_loop.cc:319:3
    #62 0x7f417a934a8d in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299
    #63 0x7f41897be457 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:719:34
    #64 0x516234 in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #65 0x516a50 in main browser/app/nsBrowserApp.cpp:280:18
    #66 0x7f41a04521c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #67 0x41eef9 in _start (objdir-ff-vptr/dist/bin/firefox+0x41eef9)
Given the definition of FromNodeOrNull<>, is it possible this is a false-positive or bug in -fsanitize=vptr? Or a bug in nsINode.h?

P2 based on it not likely being a bug-in-the-field.
Flags: needinfo?(twsmith)
Priority: -- → P2
(In reply to Maire Reavy [:mreavy] Plz needinfo? from comment #1)
> Given the definition of FromNodeOrNull<>, is it possible this is a
> false-positive or bug in -fsanitize=vptr? Or a bug in nsINode.h?

The problem is ReportTelemetry trying to access the HTMLVideoElement while it is still in the middle of constructing its base class.

> P2 based on it not likely being a bug-in-the-field

Right, I think it's safe in the field, just ASAN being extra cautious (for good reasons).
I'll have a look at this soon (and probably-dup bug 1448203).
Assignee: nobody → gsquelart
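An added illustration of the point made in comment 2 (this is not code from the bug or from Gecko): while the base-class constructor runs, the object's vptr is the base class's, so a downcast to the derived type performed from there is exactly what -fsanitize=vptr compares against and rejects. MediaElement, VideoElement and ReportTelemetry are hypothetical stand-ins for the HTMLMediaElement/HTMLVideoElement pair in the report.

```cpp
#include <cstddef>

// Constructed stand-in for the HTMLMediaElement / HTMLVideoElement pair;
// MediaElement, VideoElement and ReportTelemetry are hypothetical names.
struct VideoElement;

struct MediaElement {
    // Base constructor. While it runs, the object's dynamic type (and vptr)
    // is MediaElement even when a VideoElement is being constructed, so a
    // VideoElement downcast from here is what -fsanitize=vptr reports.
    MediaElement() { sawVideoInBaseCtor = ReportTelemetry(); }
    virtual ~MediaElement() = default;

    // Returns whether RTTI currently sees this object as a VideoElement.
    // dynamic_cast is used deliberately: it answers "no" instead of yielding
    // a bogus pointer the way a static_cast-style FromNode would.
    bool ReportTelemetry() const;

    bool sawVideoInBaseCtor = false;
    bool sawVideoInDerivedCtor = false;
};

struct VideoElement : MediaElement {
    // Once the derived constructor body runs, the vptr points at
    // VideoElement's vtable and the same check is sound: derived-type work
    // belongs here (or in a post-construction init hook), not in the base.
    VideoElement() { sawVideoInDerivedCtor = ReportTelemetry(); }
    int width = 640;
};

bool MediaElement::ReportTelemetry() const {
    return dynamic_cast<const VideoElement*>(this) != nullptr;
}

struct Observation { bool inBaseCtor; bool inDerivedCtor; bool afterCtor; };

// Builds one VideoElement and records what the check saw at each stage:
// false from the base constructor, true from the derived one and afterwards.
Observation observeDowncast() {
    VideoElement v;
    return { v.sawVideoInBaseCtor, v.sawVideoInDerivedCtor, v.ReportTelemetry() };
}
```

Compiled with clang -fsanitize=vptr, replacing the dynamic_cast with a static_cast to VideoElement reproduces the same "downcast of address which does not point to an object of type" report from the base constructor.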
Thanks Gerald.
Flags: needinfo?(twsmith)

Sorry, I never got to it.

Assignee: mozbugz → nobody
Severity: normal → S3
Blocks: ubsan