Closed Bug 1421504 Opened 7 years ago Closed 7 years ago

Assertion failure: childNode, at /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3015

Categories

(Core :: DOM: Editor, defect, P1)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

trigger.html
475 bytes, text/html
Details
Bug 1421504 - EditorBase should move children carefully
59 bytes, text/x-review-board-request
m_kato
: review+
Details
Attached file trigger.html 
Testcase found while fuzzing mozilla-central rev c2248f853469.

OS|Linux|0.0.0 Linux 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64
CPU|amd64|family 6 model 69 stepping 1|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2965|0x0
0|1|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15
0|2|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10
0|3|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd
0|4|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13
0|5|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10
0|6|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d
0|7|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18
0|8|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17
0|9|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5
0|10|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21
0|11|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe
0|12|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15
0|13|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27
0|14|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc
0|15|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb
0|16|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d
0|17|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17
0|18|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18
0|19|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14
0|20|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22
0|21|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e
0|22|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9
0|23|||||0x1b37d07f50d1
0|24|||||0x7fdbb0dd61e8
0|25|||||0x1b37d0719add
0|26|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22
0|27|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb
0|28|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf
0|29|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd
0|30|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5
0|31|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c
0|32|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5
0|33|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c
0|34|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36
0|35|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15
0|36|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa
0|37|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf
0|38|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5
0|39|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19
0|40|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|1356|0x5
0|41|libxul.so|mozilla::AsyncEventDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:c2248f853469|70|0x1b
0|42|libxul.so|nsContentUtils::RemoveScriptBlocker|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c2248f853469|5676|0xe
0|43|libxul.so|nsDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:c2248f853469|5407|0x5
0|44|libxul.so|nsHTMLDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|2449|0x5
0|45|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:c2248f853469|40|0x14
0|46|libxul.so|nsINode::ReplaceOrInsertBefore|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|2405|0xc
0|47|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2984|0x15
0|48|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15
0|49|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10
0|50|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd
0|51|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13
0|52|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10
0|53|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d
0|54|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18
0|55|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17
0|56|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5
0|57|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21
0|58|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe
0|59|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15
0|60|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27
0|61|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc
0|62|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb
0|63|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d
0|64|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17
0|65|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18
0|66|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14
0|67|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22
0|68|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e
0|69|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9
0|70|||||0x1b37d07f50d1
0|71|||||0x7fdbb0dd61e8
0|72|||||0x1b37d0719add
0|73|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22
0|74|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb
0|75|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf
0|76|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd
0|77|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5
0|78|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c
0|79|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5
0|80|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c
0|81|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36
0|82|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15
0|83|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa
0|84|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf
0|85|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5
0|86|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19
0|87|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|1356|0x5
0|88|libxul.so|mozilla::AsyncEventDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:c2248f853469|70|0x1b
0|89|libxul.so|nsContentUtils::RemoveScriptBlocker|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c2248f853469|5676|0xe
0|90|libxul.so|nsDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:c2248f853469|5407|0x5
0|91|libxul.so|nsHTMLDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|2449|0x5
0|92|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:c2248f853469|40|0x14
0|93|libxul.so|nsINode::ReplaceOrInsertBefore|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|2405|0xc
0|94|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2984|0x15
0|95|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15
0|96|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10
0|97|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd
0|98|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13
0|99|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10
0|100|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d
0|101|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18
0|102|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17
0|103|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5
0|104|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21
0|105|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe
0|106|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15
0|107|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27
0|108|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc
0|109|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb
0|110|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d
0|111|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17
0|112|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18
0|113|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14
0|114|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22
0|115|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e
0|116|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9
0|117|||||0x1b37d07f50d1
0|118|||||0x7fdbb0dd61e8
0|119|||||0x1b37d0719add
0|120|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22
0|121|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb
0|122|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf
0|123|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd
0|124|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5
0|125|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c
0|126|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5
0|127|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c
0|128|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36
0|129|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15
0|130|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa
0|131|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf
0|132|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5
0|133|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19
0|134|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|882|0x10
Flags: in-testsuite?
Crash Signature: [@ mozilla::EditorBase::SplitNodeImpl]
Priority: -- → P1
Looks like that the first splitting node causes a mutation event before each selection range is modified by mutation observers. Therefore, some ranges may be not position at here?:
https://searchfox.org/mozilla-central/rev/7a8c667bdd2a4a32746c9862356e199627c0896d/editor/libeditor/EditorBase.cpp#2965
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Comment on attachment 8932946 [details]
Bug 1421504 - EditorBase should move children carefully

https://reviewboard.mozilla.org/r/203882/#review209620

Oh, this has a permanent orange. Sorry for the spam.
Attachment #8932946 - Flags: review-
Attachment #8932946 - Attachment is obsolete: true
Attachment #8932946 - Flags: review?(m_kato)
Note that the test might cause infinite loop with ~58. The patch also fixes it but still taking a long time. So, we shouldn't include the testcase into automated test.
Comment on attachment 8933218 [details]
Bug 1421504 - EditorBase should move children carefully

https://reviewboard.mozilla.org/r/204154/#review209682


C/C++ static analysis found 1 defect in this patch.

You can run this analysis locally with: `./mach static-analysis check path/to/file.cpp`


::: editor/libeditor/EditorBase.cpp:3097
(Diff revision 1)
>      aError.Throw(NS_ERROR_FAILURE);
>      return;
>    }
>  
> +  // Grab the child node and container before changing the DOM tree.
> +  EditorDOMPoint atStartOfRightNode(aStartOfRightNode);

Warning: Local copy 'atstartofrightnode' of the variable 'astartofrightnode' is never modified; consider avoiding the copy [clang-tidy: performance-unnecessary-copy-initialization]

  EditorDOMPoint atStartOfRightNode(aStartOfRightNode);
                 ^
  const         &
Comment on attachment 8933218 [details]
Bug 1421504 - EditorBase should move children carefully

https://reviewboard.mozilla.org/r/204154/#review209682

> Warning: Local copy 'atstartofrightnode' of the variable 'astartofrightnode' is never modified; consider avoiding the copy [clang-tidy: performance-unnecessary-copy-initialization]
> 
>   EditorDOMPoint atStartOfRightNode(aStartOfRightNode);
>                  ^
>   const         &

Oh, aStartOfRightNode is const EditorDOMPoint&, not const EditorRawDOMPoint.
(Hmm, if the given argument were a class member and it'd be modified during the call, such copy would be necessary though.)
Comment on attachment 8933218 [details]
Bug 1421504 - EditorBase should move children carefully

https://reviewboard.mozilla.org/r/204154/#review210022
Attachment #8933218 - Flags: review?(m_kato) → review+
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/7d20fee48462
EditorBase should move children carefully r=m_kato
https://hg.mozilla.org/mozilla-central/rev/7d20fee48462
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Blocks: 1413181
Has Regression Range: --- → yes
status-firefox57: --- → unaffected
status-firefox58: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite-
Version: unspecified → Trunk
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: