Open Bug 1453208 Opened 6 years ago Updated 1 year ago

Assertion failure: mParent->GetChildAt_Deprecated(mOffset.value()) == mChild, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorDOMPoint.h:741

Categories

(Core :: DOM: Editor, defect, P3)

Product:
Core
Component:
DOM: Editor
Version:
59 Branch
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

trigger.html
613 bytes, text/html
Details
Attached file trigger.html 
Testcase found while fuzzing mozilla-central rev a8061a09cd70.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x00007f6e2ab8d2dd   rbx = 0x00007fffbf1ad1b8
rsi = 0x00007f6e2ae5c770   rdi = 0x00007f6e2ae5b540
rbp = 0x00007fffbf1ad120   rsp = 0x00007fffbf1ad0f0
r8 = 0x00007f6e2ae5c770    r9 = 0x00007f6e2bf26740
r10 = 0x0000000000000039   r11 = 0x0000000000000000
r12 = 0x00007fffbf1ad198   r13 = 0x00007fffbf1ad1c8
r14 = 0x00007f6e0f508790   r15 = 0x00007f6e19bad4ca
rip = 0x00007f6e1acf6391
OS|Linux|0.0.0 Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::operator const RawRangeBoundary|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorDOMPoint.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|741|0x18
0|1|libxul.so|mozilla::HTMLEditRules::InsertBRElement|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1967|0xb
0|2|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1834|0xe
0|3|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|637|0x15
0|4|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|749|0x27
0|5|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|410|0xc
0|6|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1059|0xb
0|7|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1155|0x1d
0|8|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|147|0x17
0|9|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|136|0x18
0|10|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|212|0x14
0|11|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|2944|0x22
0|12|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:8ed2155768eaeb9800de16f7288021abfb895eb5d33542f4cdf1d05e4dc9d4420244d42c8f50bea6b565eb16fe78988272133e5cdcf52ad1a25b55dbf6210397/dom/bindings/HTMLDocumentBinding.cpp:|584|0x32
0|13|libxul.so|mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|3191|0x9
0|14|libxul.so|js::CallJSNative|hg:hg.mozilla.org/mozilla-central:js/src/vm/JSContext-inl.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|290|0x6
0|15|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|467|0xf
0|16|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|516|0xd
0|17|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|522|0xf
0|18|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|417|0xb
0|19|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|489|0xf
0|20|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|516|0xd
0|21|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|535|0x5
0|22|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|3003|0x20
0|23|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:ccbadb8791154c00d5d9f3f34300a418cdfa4b3b0b60424e60394883162a95118b3edbfce81cbc7a5b48193d5a2618fc449143e250bd5c61dd1340709a3af189/dom/bindings/EventListenerBinding.cpp:|51|0x5
0|24|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:0502cca494d7ae0441ada14535523caade9340fdd09934cf6d31cc421267c319ae3d6f5b43b2730d0b36ae1c87480f3b426c5fa4fec57d51047d83a51acde602/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|25|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1120|0x36
0|26|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1292|0x19
0|27|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|378|0xa
0|28|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|527|0xf
0|29|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|934|0xb
0|30|libxul.so|nsDocumentViewer::LoadComplete|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1066|0x25
0|31|libxul.so|nsDocShell::EndPageLoad|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|7285|0x11
0|32|libxul.so|nsDocShell::OnStateChange|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|7078|0x18
0|33|libxul.so|nsDocLoader::DoFireOnStateChange|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1315|0x2b
0|34|libxul.so|nsDocLoader::doStopDocumentLoad|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|858|0x22
0|35|libxul.so|nsDocLoader::DocLoaderIsEmpty|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|747|0xf
0|36|libxul.so|nsDocLoader::OnStopRequest|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|632|0x16
0|37|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|629|0x1f
0|38|libxul.so|nsIDocument::DoUnblockOnload|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|8409|0x20
0|39|libxul.so|nsDocument::UnblockOnload|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|8331|0x8
0|40|libxul.so|nsIDocument::DispatchContentLoadedEvents|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|5314|0x11
0|41|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0u>::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|1164|0x13
0|42|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|337|0x15
0|43|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|1096|0x15
0|44|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|519|0x11
0|45|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|97|0xa
0|46|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|326|0x17
0|47|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|319|0x8
0|48|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|157|0xd
0|49|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|893|0x11
0|50|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|269|0x5
0|51|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|326|0x17
0|52|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:a8061a09cd7064a8783ca9e67979d77fb52e001e|319|0x8
0|53|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|719|0x8
0|54|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|50|0x14
0|55|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:a8061a09cd7064a8783ca9e67979d77fb52e001e|280|0x11
0|56|libc-2.23.so||||0x20830
0|57|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:a8061a09cd7064a8783ca9e67979d77fb52e001e|164|0x5
Flags: in-testsuite?
assertion
Priority: -- → P3

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224162107-27f574662450.

Whiteboard: [bugmon:confirmed]

Hi Jason, can we have an updated stack or even better pernosco here? Thank you!

Flags: needinfo?(jkratzer)

The attached testcase now reproduces the following stack:

    #0 0x7fe061b1b70c in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::ToRawRangeBoundary() const /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:915:9
    #1 0x7fe061bd027c in operator RangeBoundaryBase /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:897:52
    #2 0x7fe061bd027c in void mozilla::HTMLEditor::CollapseSelectionTo<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::ErrorResult&) const /builds/worker/workspace/obj-build/dist/include/mozilla/HTMLEditor.h:3043:57
    #3 0x7fe061b1b5cb in nsresult mozilla::HTMLEditor::CollapseSelectionTo<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) const /builds/worker/workspace/obj-build/dist/include/mozilla/HTMLEditor.h:3033:5
    #4 0x7fe061b1e3bd in mozilla::HTMLEditor::InsertBRElement(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1588:17
    #5 0x7fe061b1c6db in mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1441:8
    #6 0x7fe061b56c78 in mozilla::HTMLEditor::InsertParagraphSeparatorAsAction(nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1096:29
    #7 0x7fe061af88dc in mozilla::InsertParagraphCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:887:34
    #8 0x7fe05ef2d7d3 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5132:26
    #9 0x7fe05ff81e3d in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3474:36
    #10 0x7fe0602f56fa in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3235:13
    #11 0x7fe0633a75a1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #12 0x7fe0633a6d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #13 0x7fe0633a84f3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #14 0x7fe06339d1e3 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
    #15 0x7fe06339d1e3 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3243:16
    #16 0x7fe0633947c8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #17 0x7fe0633a6d31 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #18 0x7fe0633a84f3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #19 0x7fe0633a872f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #20 0x7fe06392ec6b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2863:10
    #21 0x7fe0600176ac in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:57:8
    #22 0x7fe060699ab6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #23 0x7fe0606997fe in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1099:43
    #24 0x7fe06069a480 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1296:17
    #25 0x7fe06068f735 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
    #26 0x7fe06068f735 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #27 0x7fe06068ece3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #28 0x7fe060691895 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #29 0x7fe061d75c05 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1103:7
    #30 0x7fe062d3fec0 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6519:20
    #31 0x7fe062d3f872 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5875:7
    #32 0x7fe062d407ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #33 0x7fe05e584e0c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1332:3
    #34 0x7fe05e5843ba in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:938:14
    #35 0x7fe05e5828f7 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
    #36 0x7fe05e58383d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #37 0x7fe05e583fdc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #38 0x7fe05d4ba606 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:616:22
    #39 0x7fe05d4bbb13 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:523:10
    #40 0x7fe05ef49d71 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11055:18
    #41 0x7fe05ef28590 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10985:9
    #42 0x7fe05ef392cc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7549:3
    #43 0x7fe05efaa576 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #44 0x7fe05efaa576 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #45 0x7fe05efaa576 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #46 0x7fe05d30fde2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #47 0x7fe05d3163ff in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #48 0x7fe05d314970 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #49 0x7fe05d313734 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #50 0x7fe05d3138e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #51 0x7fe05d31a216 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #52 0x7fe05d31a216 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #53 0x7fe05d32b707 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
    #54 0x7fe05d331d5a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #55 0x7fe05dc4d446 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #56 0x7fe05dbb8893 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #57 0x7fe05dbb87ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #58 0x7fe05dbb87ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #59 0x7fe061a1dc28 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #60 0x7fe06326c0b3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #61 0x7fe05dc4e32c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #62 0x7fe05dbb8893 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #63 0x7fe05dbb87ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #64 0x7fe05dbb87ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #65 0x7fe06326bc88 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #66 0x557b56c12fa6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #67 0x557b56c12fa6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #68 0x7fe0724340b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

A pernosco session for this issue can be found at:
https://pernos.co/debug/P7txXUSors9RqTD0e-JKGQ/index.html

Flags: needinfo?(jkratzer)

Hi Kagami, would you want to give this a try?

Flags: needinfo?(krosylight)

Will add it to my backlog while I'm working on pointer events 👀 (but feel free to assign yourself if anyone else is interested).

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)

Looking at the stack again, I think Masayuki may have an idea since I haven't touched HTMLEditRules:

Flags: needinfo?(masayuki)

Ah, yeah, the given point can be outdated.
https://searchfox.org/mozilla-central/rev/c24ecdc6f5025ea7e60d0691673de030bd5bf411/editor/libeditor/HTMLEditSubActionHandler.cpp#1540-1541,1560,1588
afterBRElement is fixed before calling MoveNodeWithTransaction, but it and event listeners may change the DOM tree. Perhaps, it tried to put caret at the offset of afterBRElement. So, using AutoEditorDOMPointChildInvalidator in the block must fix the bug.

Flags: needinfo?(masayuki)

I'm not working on this now.

Assignee: krosylight → nobody
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.