Found while fuzzing m-c 20210727-e7b81cc1f26d (--enable-address-sanitizer --enable-fuzzing)

NOTE: Testcase requires a fuzzing builds for use of FuzzingFunctions.

#0 0x7f8ef6b99a95 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f8ef6b99a95 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /gecko/xpcom/ds/nsTArray.cpp:28:3
#2 0x7f8efdf3fe8c in nsTArray_Impl<mozilla::SVGPoint, nsTArrayFallibleAllocator>::ElementAt(unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1200:7
#3 0x7f8efdf1ffcd in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1237:12
#4 0x7f8efdf1ffcd in mozilla::dom::DOMSVGPoint::InternalItem() /gecko/dom/svg/DOMSVGPoint.cpp:164:12
#5 0x7f8efdf213de in mozilla::dom::DOMSVGPoint::RemovingFromList() /gecko/dom/svg/DOMSVGPoint.cpp:157:23
#6 0x7f8efdf26179 in mozilla::dom::DOMSVGPointList::RemoveItem(unsigned int, mozilla::ErrorResult&) /gecko/dom/svg/DOMSVGPointList.cpp:352:19
#7 0x7f8efb4bfa84 in mozilla::dom::SVGPointList_Binding::removeItem(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SVGPointListBinding.cpp:352:78
#8 0x7f8efc29c419 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3299:13
#9 0x7f8f03077152 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:402:13
#10 0x7f8f03077152 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:487:12
#11 0x7f8f0305e981 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:551:10
#12 0x7f8f0305e981 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3239:16
#13 0x7f8f03048a6c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:371:13
#14 0x7f8f0307728b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:519:13
#15 0x7f8f03078e8b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:564:8
#16 0x7f8f032fa3f5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
#17 0x7f8efbde66c4 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:282:37
#18 0x7f8efca96151 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#19 0x7f8efca94593 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
#20 0x7f8efca5cb08 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1121:22
#21 0x7f8efca5e097 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1312:17
#22 0x7f8efca4b40e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
#23 0x7f8efca49c31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
#24 0x7f8efca4e035 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1082:11
#25 0x7f8eff231aa6 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1087:7
#26 0x7f8f02360710 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6284:20
#27 0x7f8f0235fa03 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5674:7
#28 0x7f8f023619bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
#29 0x7f8ef93d4e39 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1370:3
#30 0x7f8ef93d3bb4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:968:14
#31 0x7f8ef93d0673 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:787:9
#32 0x7f8ef93d2869 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:670:5
#33 0x7f8f023993bf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13438:23
#34 0x7f8ef751629e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
#35 0x7f8ef7518a63 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:518:10
#36 0x7f8efa6ed5a0 in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:11468:18
#37 0x7f8efa6a883e in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:11398:9
#38 0x7f8efa6cbd9f in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7906:3
#39 0x7f8efa78989f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#40 0x7f8efa78989f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#41 0x7f8efa78989f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#42 0x7f8ef71ee20f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:144:20
#43 0x7f8ef72322a2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:502:16
#44 0x7f8ef71fed94 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:805:26
#45 0x7f8ef71fc5e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:641:15
#46 0x7f8ef71fccfd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:425:36
#47 0x7f8ef723c2e1 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
#48 0x7f8ef723c2e1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:532:5
#49 0x7f8ef7219717 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1148:16
#50 0x7f8ef72243ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#51 0x7f8ef844805f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#52 0x7f8ef8332d81 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#53 0x7f8ef8332d81 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#54 0x7f8ef8332d81 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#55 0x7f8efebfde97 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#56 0x7f8f02e2319f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
#57 0x7f8ef8332d81 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#58 0x7f8ef8332d81 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#59 0x7f8ef8332d81 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#60 0x7f8f02e22b78 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
#61 0x5592d571a05d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#62 0x5592d571a48d in main /gecko/browser/app/nsBrowserApp.cpp:327:18
#63 0x7f8f182910b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#64 0x5592d566b6f9 in _start (/home/worker/builds/m-c-20210727214000-fuzzing-asan-opt/firefox+0x5b6f9)

Test case also triggers: Assertion failure: mItems.Length() == 0 || mItems.Length() == InternalList().Length() (DOM wrapper's list length is out of sync), at /builds/worker/checkouts/gecko/dom/svg/DOMSVGPointList.h:142

A Pernosco session is available here: https://pernos.co/debug/PJDv8I3krEFSLVGDtt13VA/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210817214910-659f053820bf.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 157db696462d8a98905d0f8697088aa97cb6e08f (20200819100116)
End: e7b81cc1f26db0a381af49cfa49395727d207f98 (20210727214000)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

I'll try to look at this on pernosco in the next few days...

I think it's because the DOM types get garbage collected because of bug 1242048 but I never quite finished that bug. I think it mostly worked except for the SVGMatrix in DOMSVGTransform.

Still meaning to take a look at this. Looks like I needinfo'd the reporter rather than myself. :)

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.