Closed Bug 1413625 Opened 8 years ago Closed 2 months ago

Assertion failure: !aAncestorLimiter || &aNode == aAncestorLimiter || EditorUtils::IsDescendantOf(&aNode, aAncestorLimiter) (aNode isn't in aAncestorLimiter), at /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:791

Categories

(Core :: DOM: Editor, defect, P3)

Product:
Core
Component:
DOM: Editor
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr68 --- wontfix
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

trigger.html
502 bytes, text/html
Details
Attached file trigger.html
Testcase found while fuzzing mozilla-central rev cd7217cf05a2. ==414==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f74d6a72539 bp 0x7fff125099b0 sp 0x7fff125099a0 T0) ==414==The signal is caused by a WRITE memory access. ==414==Hint: address points to the zero page. #0 0x7f74d6a72538 in mozilla::HTMLEditor::GetBlock(nsINode&, nsINode*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:788:3 #1 0x7f74d6a5e0ae in mozilla::HTMLEditRules::WillInsertBreak(mozilla::dom::Selection&, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:1628:33 #2 0x7f74d6a5bcc7 in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:650:14 #3 0x7f74d6b20a9c in mozilla::TextEditor::InsertLineBreak() /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:701:24 #4 0x7f74d6b1eeeb in mozilla::TextEditor::TypedText(nsTSubstring<char16_t> const&, mozilla::TextEditor::ETypingAction) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:410:14 #5 0x7f74d6aaaecf in mozilla::HTMLEditor::TypedText(nsTSubstring<char16_t> const&, mozilla::TextEditor::ETypingAction) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:956:22 #6 0x7f74d6a3054f in mozilla::InsertParagraphCommand::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp:1154:22 #7 0x7f74d5333f6e in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26 #8 0x7f74d532cd0c in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25 #9 0x7f74d533180f in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22 #10 0x7f74d56d439a in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3349:18 #11 0x7f74d4e2197b in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:891:21 #12 0x7f74d50b317e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13 #13 0x7f74da094ef1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15 #14 0x7f74da094aca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:16 #15 0x7f74da095b75 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12 #16 0x7f74da08a10f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066:18 #17 0x7f74da075834 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12 #18 0x7f74da0977f2 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15 #19 0x7f74da0982b2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12 #20 0x7f74da95f4df in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4689:12 #21 0x7f74da95fd46 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4708:12 #22 0x7f74da95f92e in JS_ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4729:12 #23 0x7f74d395b4bb in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8 #24 0x7f74d67dbdc1 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25 #25 0x7f74d67d8c80 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10 #26 0x7f74d67c698a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10 #27 0x7f74d67c5513 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18 #28 0x7f74d2b0a9ee in nsIScriptElement::AttemptToExecute() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18 #29 0x7f74d2b09cc0 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700:22 #30 0x7f74d2b06bc5 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7 #31 0x7f74d2b0fc84 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20 #32 0x7f74d11954ff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14 #33 0x7f74d11b6110 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10 #34 0x7f74d1d52665 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #35 0x7f74d1ca4aa7 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #36 0x7f74d1ca4939 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3 #37 0x7f74d690e9ca in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27 #38 0x7f74d9cce8a1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30 #39 0x7f74d9e42838 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22 #40 0x7f74d9e4445a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8 #41 0x7f74d9e45389 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21 #42 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22 #43 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16 #44 0x7f74f05ae82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #45 0x41ebe4 in _start (/home/forb1dden/builds/mc-asan-debug/firefox+0x41ebe4)
Flags: in-testsuite?
INFO: Last good revision: acc9f95343e7cf385c24f256f0cdf305c4af77a2 INFO: First bad revision: 777f76d30950ec0607b644c6c8c6d6af0651ebca INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=acc9f95343e7cf385c24f256f0cdf305c4af77a2&tochange=777f76d30950ec0607b644c6c8c6d6af0651ebca
Blocks: 1411687
Has Regression Range: --- → yes
status-firefox56: --- → unaffected
status-firefox57: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(masayuki)
Priority: -- → P3
See Also: → 1515065
Severity: normal → S3

This issue is no longer reported by the fuzzers and the attached testcase is no longer reproducing the issue.

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: