1414893 - Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /builds/worker/workspace/build/src/dom/base/nsContentIterator.cpp:1370

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev dc45ee24c55d.

==7037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fec1ea8626f bp 0x7ffe18a367d0 sp 0x7ffe18a366e0 T0)
==7037==The signal is caused by a WRITE memory access.
==7037==Hint: address points to the zero page.
    #0 0x7fec1ea8626e in nsContentSubtreeIterator::InitWithRange() /builds/worker/workspace/build/src/dom/base/nsContentIterator.cpp:1369:3
    #1 0x7fec1ea85c5d in nsContentSubtreeIterator::Init(nsIDOMRange*) /builds/worker/workspace/build/src/dom/base/nsContentIterator.cpp:1321:10
    #2 0x7fec1ea05158 in mozilla::dom::Selection::SelectFrames(nsPresContext*, nsRange*, bool) /builds/worker/workspace/build/src/dom/base/Selection.cpp:1900:9
    #3 0x7fec1ea04daf in mozilla::dom::Selection::Clear(nsPresContext*) /builds/worker/workspace/build/src/dom/base/Selection.cpp:1374:5
    #4 0x7fec1ea09a3e in mozilla::dom::Selection::RemoveAllRanges(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2300:22
    #5 0x7fec1ea09d9a in mozilla::dom::Selection::RemoveAllRangesTemporarily() /builds/worker/workspace/build/src/dom/base/Selection.cpp:2340:3
    #6 0x7fec2097c3f3 in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2542:26
    #7 0x7fec2090cbaa in mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, unsigned int) /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:342:15
    #8 0x7fec2090da8a in mozilla::dom::HTMLTextAreaElement::Reset() /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:791:17
    #9 0x7fec20910975 in mozilla::dom::HTMLTextAreaElement::ContentChanged(nsIContent*) /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:1029:5
    #10 0x7fec1ec0d28c in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:221:3
    #11 0x7fec1ebc3594 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1947:5
    #12 0x7fec1e992f25 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1336:5
    #13 0x7fec1ebbd8dd in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:619:3
    #14 0x7fec21c9e8bc in mozilla::DeleteNodeTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/DeleteNodeTransaction.cpp:73:16
    #15 0x7fec21ca0738 in mozilla::EditAggregateTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/EditAggregateTransaction.cpp:42:24
    #16 0x7fec21c9f7d6 in mozilla::DeleteRangeTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/DeleteRangeTransaction.cpp:88:43
    #17 0x7fec21ca0738 in mozilla::EditAggregateTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/EditAggregateTransaction.cpp:42:24
    #18 0x7fec21de37d5 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:639:21
    #19 0x7fec21de348c in nsTransactionManager::DoTransaction(nsITransaction*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:72:8
    #20 0x7fec21ca7737 in mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:760:20
    #21 0x7fec21cbfebc in mozilla::EditorBase::DeleteSelectionImpl(short, short) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4184:17
    #22 0x7fec21dbcb89 in mozilla::TextEditor::DeleteSelection(short, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:630:10
    #23 0x7fec21db265b in mozilla::TextEditRules::WillInsertText(EditAction, mozilla::dom::Selection*, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:669:23
    #24 0x7fec21db195f in mozilla::TextEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:279:14
    #25 0x7fec21dbd147 in mozilla::TextEditor::InsertText(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:669:24
    #26 0x7fec21dbe3c1 in mozilla::TextEditor::SetText(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:809:14
    #27 0x7fec2097c43e in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2545:25
    #28 0x7fec2090cbaa in mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, unsigned int) /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:342:15
    #29 0x7fec2090da8a in mozilla::dom::HTMLTextAreaElement::Reset() /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:791:17
    #30 0x7fec20910975 in mozilla::dom::HTMLTextAreaElement::ContentChanged(nsIContent*) /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:1029:5
    #31 0x7fec1ec0c949 in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3
    #32 0x7fec1ebc1701 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1644:7
    #33 0x7fec1ebc4ca2 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2533:14
    #34 0x7fec21c9d5a2 in mozilla::CreateElementTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/CreateElementTransaction.cpp:94:12
    #35 0x7fec21de37d5 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:639:21
    #36 0x7fec21de348c in nsTransactionManager::DoTransaction(nsITransaction*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:72:8
    #37 0x7fec21ca7737 in mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:760:20
    #38 0x7fec21cad49f in mozilla::EditorBase::CreateNode(nsAtom*, nsINode*, int, nsIContent*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1441:17
    #39 0x7fec21dbc023 in mozilla::TextEditor::CreateBRImpl(nsCOMPtr<nsIDOMNode>*, int*, nsCOMPtr<nsIDOMNode>*, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:470:14
    #40 0x7fec21dbc6f0 in mozilla::TextEditor::CreateBR(nsIDOMNode*, int, nsCOMPtr<nsIDOMNode>*, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:506:10
    #41 0x7fec21db8e2e in mozilla::TextEditRules::CreateBRInternal(nsIDOMNode*, int, bool, nsIDOMNode**) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:1630:30
    #42 0x7fec21db05e7 in mozilla::TextEditRules::CreateTrailingBRIfNeeded() /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:1368:12
    #43 0x7fec21db0ea2 in mozilla::TextEditRules::AfterEdit(EditAction, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:248:10
    #44 0x7fec21dc3e0d in mozilla::TextEditor::EndOperation() /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:1613:32
    #45 0x7fec21ca8f94 in mozilla::AutoRules::~AutoRules() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:241:20
    #46 0x7fec21dbe43a in mozilla::TextEditor::SetText(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:815:1
    #47 0x7fec2097c43e in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2545:25
    #48 0x7fec2097735a in nsTextEditorState::PrepareEditor(nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1599:20
    #49 0x7fec22508448 in nsTextControlFrame::EnsureEditorInitialized() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:315:28
    #50 0x7fec2251113b in nsTextControlFrame::EditorInitializer::Run() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:1450:11
    #51 0x7fec1e7eb1ad in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5735:15
    #52 0x7fec22141525 in mozilla::PresShell::DidCauseReflow() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8794:3
    #53 0x7fec22113d3e in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1792:5
    #54 0x7fec1eaa55ef in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1288:26
    #55 0x7fec1dd93e21 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:665:18
    #56 0x7fec1dd91d99 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1210:17
    #57 0x7fec1dd8fb27 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
    #58 0x7fec1dd99324 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #59 0x7fec1c408cff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #60 0x7fec1c429910 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #61 0x7fec1cfc6025 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #62 0x7fec1cf18177 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #63 0x7fec1cf18009 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #64 0x7fec21baae1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #65 0x7fec24dcefe1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #66 0x7fec24f43b68 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
    #67 0x7fec24f4578a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
    #68 0x7fec24f466b9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
    #69 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #70 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16
    #71 0x7fec3b6c282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #72 0x41ebe4 in _start (/home/forb1dden/builds/mc-asan-debug/firefox+0x41ebe4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsContentIterator.cpp:1369:3 in nsContentSubtreeIterator::InitWithRange()

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Doesn't depend on Stylo being enabled and goes back more than a year.

Comment 2

[Andrew Overholt [:overholt]]

Masayuki, does this stack trace seem relevant to your areas of expertise? (Just say so if not)

Comment 3

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Yes, but I have no idea how this occurs yet.

Comment 4

[Firefox Bug Husbandry Bot]

https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

I don't reproduce the crash anymore with a debug build. I think one of the fix blocking bug 1703040 has already fixed this. Only the test case should be added to WPT.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Oh, the testcase uses a removed API, createShadowRoot. Therefore, the test does not run as expected on current build. However, even if I change it to attachShadow, I don't reproduce this crash anymore.

Comment 7

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1414893 - Add the reported testcase to WPT r=sefeng!

I don't reproduce the crash even if I rewrite the test using attachShadow
which replaced createShadowRoot. Therefore, this patch just adds the reported
testcase into the tree.

Comment 8

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/954e0f01f6b1
Add the reported testcase to WPT r=sefeng

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/46741 for changes under testing/web-platform/tests

Comment 10

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/954e0f01f6b1

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot