Testcase found while fuzzing mozilla-central rev 96a077ed86f8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 96a077ed86f8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mTarget, at /dom/html/ElementInternals.cpp:47

    ==1113693==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f700702638f bp 0x7ffc4a7c6160 sp 0x7ffc4a7c6160 T1113693)
    ==1113693==The signal is caused by a WRITE memory access.
    ==1113693==Hint: address points to the zero page.
        #0 0x7f700702638f in mozilla::dom::ElementInternals::GetShadowRoot() const /dom/html/ElementInternals.cpp:47:3
        #1 0x7f700668ad85 in mozilla::dom::ElementInternals_Binding::get_shadowRoot(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementInternalsBinding.cpp:651:77
        #2 0x7f700696fa5f in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3188:13
        #3 0x7f700a90841f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:425:13
        #4 0x7f700a907b1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:512:12
        #5 0x7f700a9095fe in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #6 0x7f700a90a68f in Call /js/src/vm/Interpreter.cpp:589:8
        #7 0x7f700a90a68f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:715:10
        #8 0x7f700ab8a3ff in CallGetter /js/src/vm/NativeObject.cpp:1970:12
        #9 0x7f700ab8a3ff in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyInfoBase<unsigned int>, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /js/src/vm/NativeObject.cpp:1998:12
        #10 0x7f700ab8aa93 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /js/src/vm/NativeObject.cpp:2144:14
        #11 0x7f700a90e59f in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #12 0x7f700a90e59f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10
        #13 0x7f700a90da50 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4710:10
        #14 0x7f700a8fca9b in GetPropertyOperation /js/src/vm/Interpreter.cpp:208:10
        #15 0x7f700a8fca9b in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2973:12
        #16 0x7f700a8f5db3 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #17 0x7f700a907a18 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #18 0x7f700a9095fe in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #19 0x7f700a909801 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #20 0x7f700aa3bf01 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #21 0x7f7006693c67 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #22 0x7f7006eda966 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #23 0x7f7006eda6ea in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #24 0x7f7006edb3e9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #25 0x7f7006ed03f4 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #26 0x7f7006ed03f4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #27 0x7f7006ecf917 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #28 0x7f7006ed2178 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1085:11
        #29 0x7f7006ed4a36 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #30 0x7f70056178bd in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1354:17
        #31 0x7f70051609ba in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4314:28
        #32 0x7f70051607b7 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4284:10
        #33 0x7f7005392c7f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7910:3
        #34 0x7f70054463db in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #35 0x7f70054463db in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #36 0x7f70054463db in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #37 0x7f7003a3c1d2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #38 0x7f7003a6d2de in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #39 0x7f7003a462c6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:770:26
        #40 0x7f7003a44f88 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:606:15
        #41 0x7f7003a45203 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #42 0x7f7003a70786 in operator() /xpcom/threads/TaskController.cpp:124:37
        #43 0x7f7003a70786 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #44 0x7f7003a5b253 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1173:16
        #45 0x7f7003a6276a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #46 0x7f7004604c06 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #47 0x7f7004524697 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #48 0x7f70045245a2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #49 0x7f70045245a2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #50 0x7f7008681c08 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #51 0x7f700a7894b3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #52 0x7f7004605afa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #53 0x7f7004524697 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #54 0x7f70045245a2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #55 0x7f70045245a2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #56 0x7f700a788ae9 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #57 0x55680c7482f7 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #58 0x55680c7482f7 in main /browser/app/nsBrowserApp.cpp:327:18
        #59 0x7f7019d2a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #60 0x55680c723a7c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15a7c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/html/ElementInternals.cpp:47:3 in mozilla::dom::ElementInternals::GetShadowRoot() const
    ==1113693==ABORTING

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220303094735-96a077ed86f8.
The bug appears to have been introduced in the following build range:

Start: f12a240d70af72935cd03335a88fbc48a62acedf (20211004200014)
End: 4a3438f0772b77cd515dadfa4060053518d4d223 (20211004221543)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f12a240d70af72935cd03335a88fbc48a62acedf&tochange=4a3438f0772b77cd515dadfa4060053518d4d223

Edgar: can you please assign priority and severity for this issue? The violated assertion was introduced in bug 1723521.

It might be worth checking if this affects other OSs too.

In the current design, ElementInternal won't keep the custom element alive, so yes, mTarget could be null, e.g. the custom element is unlinked.
We don't need that assertion, align with other ElementInternal's API, and just return null for elementInternal.shadowRoot.

Given the ElementInternals won't keep the target element alive, so mTarget could
be null if it is released or unlinked.

:edgar, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Set release status flags based on info from the regressing bug 1556351

https://hg.mozilla.org/mozilla-central/rev/a18fe023ddbb

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220311215110-63ef5a7d2b10.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.