Closed
Bug 1415006
Opened 7 years ago
Closed 6 years ago
Assertion failure: aFirstNewContent->GetParentNode() == container, at /builds/worker/workspace/build/src/dom/base/nsRange.cpp:649
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
426 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev dc45ee24c55d.
==23602==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f701d422f29 bp 0x7fff6df2ff70 sp 0x7fff6df2fe20 T0)
==23602==The signal is caused by a WRITE memory access.
==23602==Hint: address points to the zero page.
#0 0x7f701d422f28 in nsRange::ContentAppended(nsIDocument*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:648:3
#1 0x7f701d40c949 in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3
#2 0x7f701d3c1701 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1644:7
#3 0x7f701d3c4ca2 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2533:14
#4 0x7f702049d5a2 in mozilla::CreateElementTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/CreateElementTransaction.cpp:94:12
#5 0x7f70205e37d5 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:639:21
#6 0x7f70205e348c in nsTransactionManager::DoTransaction(nsITransaction*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:72:8
#7 0x7f70204a7737 in mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:760:20
#8 0x7f70204ad49f in mozilla::EditorBase::CreateNode(nsAtom*, nsINode*, int, nsIContent*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1441:17
#9 0x7f70205bc023 in mozilla::TextEditor::CreateBRImpl(nsCOMPtr<nsIDOMNode>*, int*, nsCOMPtr<nsIDOMNode>*, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:470:14
#10 0x7f70205bc6f0 in mozilla::TextEditor::CreateBR(nsIDOMNode*, int, nsCOMPtr<nsIDOMNode>*, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:506:10
#11 0x7f70205b8e2e in mozilla::TextEditRules::CreateBRInternal(nsIDOMNode*, int, bool, nsIDOMNode**) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:1630:30
#12 0x7f70205b05e7 in mozilla::TextEditRules::CreateTrailingBRIfNeeded() /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:1368:12
#13 0x7f70205b0ea2 in mozilla::TextEditRules::AfterEdit(EditAction, short) /builds/worker/workspace/build/src/editor/libeditor/TextEditRules.cpp:248:10
#14 0x7f70205c3e0d in mozilla::TextEditor::EndOperation() /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:1613:32
#15 0x7f70204a8f94 in mozilla::AutoRules::~AutoRules() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:241:20
#16 0x7f70205be43a in mozilla::TextEditor::SetText(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:815:1
#17 0x7f701f17c43e in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2545:25
#18 0x7f701f17735a in nsTextEditorState::PrepareEditor(nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1599:20
#19 0x7f7020d08448 in nsTextControlFrame::EnsureEditorInitialized() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:315:28
#20 0x7f7020d1113b in nsTextControlFrame::EditorInitializer::Run() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:1450:11
#21 0x7f701cfeb1ad in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5735:15
#22 0x7f7020941525 in mozilla::PresShell::DidCauseReflow() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8794:3
#23 0x7f7020913d3e in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1792:5
#24 0x7f701d2a55ef in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1288:26
#25 0x7f701c593e21 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:665:18
#26 0x7f701c591d99 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1210:17
#27 0x7f701c58fb27 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
#28 0x7f701c599324 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
#29 0x7f701ac08cff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#30 0x7f701ac29910 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#31 0x7f701b7c6025 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#32 0x7f701b718177 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#33 0x7f701b718009 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
#34 0x7f70203aae1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#35 0x7f70235cefe1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#36 0x7f7023743b68 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
#37 0x7f702374578a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
#38 0x7f70237466b9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
#39 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
Catalin has been touching relevant code recently, he may have ideas. FWIW, createShadowRoot is an experimental API (shadow DOM v0) that we won't be supporting anymore.
Flags: needinfo?(catalin.badea392)
|
||
Comment 2•7 years ago
|
||
Goes back more than a year, which is the furthest back mozregression can bisect debug builds.
Has Regression Range: --- → no
status-firefox56:
--- → wontfix
status-firefox57:
--- → wontfix
status-firefox58:
--- → fix-optional
status-firefox-esr52:
--- → wontfix
Version: 52 Branch → unspecified
|
||
Comment 3•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2) > Goes back more than a year, which is the furthest back mozregression can > bisect debug builds. Does this reproduce on m-c asan debug builds? I'm having a hard time hitting the segfault. I tried: nightly asan debug builds on linux, as well as local debug builds of rev dc45ee24c55d.
Flags: needinfo?(catalin.badea392) → needinfo?(ryanvm)
|
|
||
Comment 4•7 years ago
|
||
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #1) > Catalin has been touching relevant code recently, he may have ideas. > > FWIW, createShadowRoot is an experimental API (shadow DOM v0) that we won't > be supporting anymore. From the stack, it looks like we're triggering a content appended notification for anonymous content, which is most likely a bug in the shadow DOM code, not the nsRange code.
|
|
||
Comment 5•7 years ago
|
||
I can still reproduce on Win10. It crashes both opt and debug builds, with debug builds still hitting the assertion this bug was initially filed for.
Flags: needinfo?(ryanvm)
|
|
||
Comment 6•7 years ago
|
||
(In reply to Cătălin Badea (:catalinb) from comment #4) > (In reply to Hsin-Yi Tsai [:hsinyi] from comment #1) > > Catalin has been touching relevant code recently, he may have ideas. > > > > FWIW, createShadowRoot is an experimental API (shadow DOM v0) that we won't > > be supporting anymore. > > From the stack, it looks like we're triggering a content appended > notification for anonymous content, which is most likely a bug in the shadow > DOM code, not the nsRange code. Is this only v0 code defect or ...? Not sure how this impacts the Shadow DOM v1 code.
Flags: needinfo?(btian)
Priority: -- → P3
|
||
Comment 7•7 years ago
|
||
Make this bug block Shadow DOM v1 meta bug. Will revisit after implementation is complete.
Blocks: shadowdom-initial-release
Flags: needinfo?(btian)
|
||
Comment 8•6 years ago
|
||
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59:
--- → ?
|
||
Comment 9•6 years ago
|
||
I can't see the assertion anymore.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•