Closed
Bug 1415226
Opened 7 years ago
Closed 7 years ago
Assertion failure: mOffset.value() <= mParent->Length(), at /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:415
Categories
(Core :: DOM: Selection, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla58
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | --- | fixed |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
201 bytes,
text/html
|
Details |
Assertion failure: mOffset.value() <= mParent->Length(), at /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:415 #0 mozilla::RangeBoundaryBase<nsINode*, nsIContent*>::EnsureRef() const /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:414:5 #1 mozilla::RangeBoundaryBase<nsINode*, nsIContent*>::GetChildAtOffset() const /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:132:5 #2 mozilla::HTMLEditRules::PromoteRange(nsRange&, EditAction) /src/editor/libeditor/HTMLEditRules.cpp:5874:10 #3 mozilla::HTMLEditRules::GetPromotedRanges(mozilla::dom::Selection&, nsTArray<RefPtr<nsRange> >&, EditAction) /src/editor/libeditor/HTMLEditRules.cpp:5801:5 #4 mozilla::HTMLEditRules::GetNodesFromSelection(mozilla::dom::Selection&, EditAction, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6464:3 #5 mozilla::HTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::EntireList, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6127:19 #6 mozilla::HTMLEditRules::GetListState(bool*, bool*, bool*, bool*) /src/editor/libeditor/HTMLEditRules.cpp:736:17 #7 mozilla::HTMLEditor::GetListState(bool*, bool*, bool*, bool*) /src/editor/libeditor/HTMLEditor.cpp:1900:21 #8 GetListState(mozilla::HTMLEditor*, bool*, nsTSubstring<char16_t>&) /src/editor/composer/nsComposerCommands.cpp:1575:30 #9 nsRemoveListCommand::IsCommandEnabled(char const*, nsISupports*, bool*) /src/editor/composer/nsComposerCommands.cpp:436:17 #10 nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, bool*) /src/dom/commandhandler/nsControllerCommandTable.cpp:98:26 #11 nsBaseCommandController::IsCommandEnabled(char const*, bool*) /src/dom/commandhandler/nsBaseCommandController.cpp:105:25 #12 nsWindowRoot::GetEnabledDisabledCommandsForControllers(nsIControllers*, nsTHashtable<nsCharPtrHashKey>&, nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) /src/dom/base/nsWindowRoot.cpp:329:25 #13 nsWindowRoot::GetEnabledDisabledCommands(nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) /src/dom/base/nsWindowRoot.cpp:355:5 #14 ChildCommandDispatcher::Run() /src/dom/base/nsGlobalWindow.cpp:10119:11 #15 nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /src/dom/base/nsContentUtils.cpp:5806:13 #16 nsContentUtils::AddScriptRunner(nsIRunnable*) /src/dom/base/nsContentUtils.cpp:5813:3 #17 nsGlobalWindow::UpdateCommands(nsTSubstring<char16_t> const&, nsISelection*, short) /src/dom/base/nsGlobalWindow.cpp:10159:7 #18 non-virtual thunk to nsGlobalWindow::UpdateCommands(nsTSubstring<char16_t> const&, nsISelection*, short) /src/dom/base/nsGlobalWindow.cpp:10154:17 #19 nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool, nsIContent*) /src/dom/base/nsFocusManager.cpp:2035:16 #20 nsFocusManager::WindowRaised(mozIDOMWindowProxy*) /src/dom/base/nsFocusManager.cpp:776:3 #21 nsWebBrowser::Activate() /src/toolkit/components/browser/nsWebBrowser.cpp:1832:16 #22 mozilla::dom::TabChild::RecvActivate() /src/dom/ipc/TabChild.cpp:1517:12 #23 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PContentChild.cpp:7647:20 #24 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) /src/dom/ipc/ContentChild.cpp:3719:25 #25 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2119:25 #26 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2049:17 #27 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1895:5 #28 mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1928:15 #29 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14 #30 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10 #31 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:125:5 #32 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10 #33 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3 #34 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27 #35 XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:877:22 #36 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:269:9 #37 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10 #38 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3 #39 XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:703:34 #40 content_process_main(mozilla::Bootstrap*, int, char**) /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30 #41 main /src/browser/app/nsBrowserApp.cpp:280:18 #42 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #43 _start (firefox+0x41ebe4)
Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
INFO: Last good revision: a5cd9cc9a7e172231bea1abfcd85cd878cf873bd INFO: First bad revision: 2a2bb9c3b9a867ae3924dc51bbd6c8c74dbe003c INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a5cd9cc9a7e172231bea1abfcd85cd878cf873bd&tochange=2a2bb9c3b9a867ae3924dc51bbd6c8c74dbe003c
Blocks: 1408544
Has Regression Range: --- → yes
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 2•7 years ago
|
||
I cannot reproduce the crash and the stacktrace doesn't make sense. > Assertion failure: mOffset.value() <= mParent->Length(), at /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:415 > > #0 mozilla::RangeBoundaryBase<nsINode*, nsIContent*>::EnsureRef() const /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:414:5 > #1 mozilla::RangeBoundaryBase<nsINode*, nsIContent*>::GetChildAtOffset() const /src/obj-firefox/dist/include/mozilla/RangeBoundary.h:132:5 > #2 mozilla::HTMLEditRules::PromoteRange(nsRange&, EditAction) /src/editor/libeditor/HTMLEditRules.cpp:5874:10 PromoteRange() doesn't access RangeBoundaryBase::GetChildAtOffset() directly: https://searchfox.org/mozilla-central/source/editor/libeditor/HTMLEditRules.cpp#5813,5871-5874,5877-5882,5887 It might omit RewindOffset() though, anyway, do you have some additional information?
Flags: needinfo?(masayuki) → needinfo?(twsmith)
|
Reporter | |
Comment 3•7 years ago
|
||
(In reply to Masayuki Nakano [:masayuki] (JST, +0900) from comment #2) > I cannot reproduce the crash and the stacktrace doesn't make sense. I verified I can reproduce the issue with the latest m-c ASan debug build from TC (on Linux): BuildID=20171108184714 SourceStamp=26d7a3a91c8596ca6834effec4b77a2c13d5f622 It also appears that :RyanVM was able to reproduce the issue to get a regression range. > It might omit RewindOffset() though, anyway, do you have some additional > information? Not really. My STR are basically: 1) Launch the browser 2) open the testcase (I just drag and drop it)
Flags: needinfo?(twsmith)
|
|
||
Comment 4•7 years ago
|
||
Yeah, this reproduces for me on Ubuntu 17.10 on plain Linux64 debug builds launched via mozregression.
|
|
Assignee | |
Comment 5•7 years ago
|
||
Thank you. I still cannot reproduce it just open the attached testcase on Windows. Oddly, it might depend on platforms.
|
|
Assignee | |
Comment 6•7 years ago
|
||
I landed a lot of clean up fixes yesterday. So, I'd like you to check if this bug is still reproduced with today's m-c build.
|
||
Updated•7 years ago
|
Priority: -- → P3
|
|
Assignee | |
Comment 7•7 years ago
|
||
I cannot reproduce this crash with the latest m-c even on Linux. Could you check if this is still reproducible with current m-c on you environments?
Flags: needinfo?(twsmith)
Flags: needinfo?(ryanvm)
|
|
Reporter | |
Comment 8•7 years ago
|
||
(In reply to Masayuki Nakano [:masayuki] (JST, +0900) from comment #7) > I cannot reproduce this crash with the latest m-c even on Linux. > > Could you check if this is still reproducible with current m-c on you > environments? It appears this is no longer reproducible on m-c. It was last reported by our fuzzing tools on Nov 11.
Flags: needinfo?(twsmith)
|
|
Assignee | |
Comment 9•7 years ago
|
||
Thank you. This must be fixed by a bug blocking bug 1414710.
|
|
||
Updated•7 years ago
|
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•