Open Bug 1354025 Opened 3 years ago Updated 2 years ago

Assertion failure: selection->GetAnchorFocusRange() && selection->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete)

Categories

(Core :: DOM: Editor, defect, P3, critical)

defect


Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(2 files)

Attached file Testcase
Testcase found while fuzzing mozilla-central rev 20170404-b043233ec04f.

[8503] WARNING: '!mEditableNode', file /home/worker/workspace/build/src/dom/events/IMEContentObserver.cpp, line 289
Assertion failure: selection->GetAnchorFocusRange() && selection->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4192
ASAN:DEADLYSIGNAL
=================================================================
==8503==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8589df51bc bp 0x7fffd1da9990 sp 0x7fffd1da9860 T0)
==8503==The signal is caused by a WRITE memory access.
==8503==Hint: address points to the zero page.
    #0 0x7f8589df51bb in mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4198:3
    #1 0x7f8589e93c53 in mozilla::HTMLEditor::DoInsertHTMLWithContext(nsAString const&, nsAString const&, nsAString const&, nsAString const&, nsIDOMDocument*, nsIDOMNode*, int, bool, bool, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorDataTransfer.cpp:327:10
    #2 0x7f8589e93225 in mozilla::HTMLEditor::InsertHTMLWithContext(nsAString const&, nsAString const&, nsAString const&, nsAString const&, nsIDOMDocument*, nsIDOMNode*, int, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorDataTransfer.cpp:182:10
    #3 0x7f8589e931e2 in mozilla::HTMLEditor::InsertHTML(nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorDataTransfer.cpp:168:10
    #4 0x7f8589f27121 in nsInsertHTMLCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1329:18
    #5 0x7f8588865c1c in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #6 0x7f858885ec03 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #7 0x7f858886321d in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:29
    #8 0x7f8588c048d9 in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3345:18
    #9 0x7f858837ec7e in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
    #10 0x7f85885ee948 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #11 0x7f858cb908e1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #12 0x7f858cb9048d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455:16
    #13 0x7f858cb91335 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:500:12
    #14 0x7f858cb7ac1c in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997:18
    #15 0x7f858cb71b98 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395:12
Flags: in-testsuite?
assertion only
Priority: -- → P3
This reproduced in bughunter using the test case from bug 1361052 attachment 8863361 on Windows, Linux Nightly/58, Beta/57. It also crashed opt [@ nsRange::Collapsed()]

I'd like to comment on the comment that this was "just" an assertion. Fatal assertions should assert an invariant that should always be true. If the assertion fails, then either the invariant was not really an invariant, or the invariant was violated and the assumptions the code relies upon are not true.

If the invariant wasn't really invariant then the assertion is bogus and should be removed since it effectively hides any other, possibly more serious, failures which may occur later in the execution path.

If the invariant was truly invariant, then the code is not correct and has caused the invariant to be violated and the code should be fixed.

A fatal assertion is never "just a debug assertion".
See Also: → 1361052
Has Regression Range: --- → no