Closed
Bug 1409520
Opened 7 years ago
Closed 7 years ago
Assertion failure: node->GetChildAt(offset) == *aInOutChildAtOffset, at /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:2513
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
RESOLVED
FIXED
mozilla58
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | --- | fixed |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 7b75416fb54c.
Flags: in-testsuite?
|
Reporter | |
Comment 1•7 years ago
|
||
|
||
Comment 2•7 years ago
|
||
INFO: Last good revision: f2b1253de1e684d57290ba086fc57e300870a91b INFO: First bad revision: fdb1abbe808a069d2b6ca4ae7ed98969a3fb7314 INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f2b1253de1e684d57290ba086fc57e300870a91b&tochange=fdb1abbe808a069d2b6ca4ae7ed98969a3fb7314 Masayuki, can you please take a look while Ehsan is away?
Blocks: 1406482
Has Regression Range: --- → yes
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(masayuki)
|
|
||
Comment 4•7 years ago
|
||
On autoland rev e802283bbf21d14d431901dd286681cd1933bb97, it's still asserting, albeit a different now. Assertion failure: !node->IsContainerNode() || node->Length() == static_cast<uint32_t>(offset) || node->GetChildAt(offset) == *aInOutChildAtOffset (|child| must be a child node at |offset| in |node| unless it's a text or some other data node, or after the last child), at z:/build/build/src/editor/libeditor/EditorBase.cpp:2517
Flags: needinfo?(ryanvm)
|
||
Comment 5•7 years ago
|
||
Hmm, that's the rephrased assertion Masayuki just landed in bug 1407966: https://hg.mozilla.org/mozilla-central/rev/760469149d9d#l1.13 So there's still a gremlin in the box. Let's hope that bug 1408227 fixes it then. (Unrelated: Bug 1407966 fixed an assert in the TB Mozmill test suite.)
|
Assignee | |
Comment 6•7 years ago
|
||
Okay, I got what's the cause of this. That is, AutoTrackDOMPoint in WSRunObject::InsertText() may update aInOutParent and aInOutOffset but it doesn't modify aInOutChildAtOffset.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 7•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1b8ba68918317999981431680be6f7fc1d17cee6
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
||
Comment 10•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8921154 [details] Bug 1409520 - part 0: Add automated test https://reviewboard.mozilla.org/r/192140/#review197532
Attachment #8921154 -
Flags: review?(m_kato) → review+
|
|
||
Comment 11•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8921155 [details] Bug 1409520 - part 1: WSRunObject::InsertText() should update aInOutChildAtOffset after it might be modified https://reviewboard.mozilla.org/r/192142/#review197540
Attachment #8921155 -
Flags: review?(m_kato) → review+
|
||
Comment 12•7 years ago
|
||
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/e04990f5e538 part 0: Add automated test r=m_kato https://hg.mozilla.org/integration/autoland/rev/ef85fd3a802c part 1: WSRunObject::InsertText() should update aInOutChildAtOffset after it might be modified r=m_kato
|
||
Comment 13•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/e04990f5e538 https://hg.mozilla.org/mozilla-central/rev/ef85fd3a802c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•