Closed Bug 1489231 Opened 6 years ago Closed 4 years ago

Assertion failure: nsContentUtils::ComparePoints(mStart.Container(), static_cast<int32_t>(mStart.Offset()), mEnd.Container(), static_cast<int32_t>(mEnd.Offset())) <= 0, at /builds/worker/workspace/build/src/dom/events/ContentEventHandler.cpp:52

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P2)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox64 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

testcase.html
368 bytes, text/html
Details
Attached file testcase.html
Assertion failure: nsContentUtils::ComparePoints(mStart.Container(), static_cast<int32_t>(mStart.Offset()), mEnd.Container(), static_cast<int32_t>(mEnd.Offset())) <= 0, at /builds/worker/workspace/build/src/dom/events/ContentEventHandler.cpp:52 Testcase found while fuzzing mozilla-central rev 0c947d96e8f3. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x0000000000000b40 rbx = 0x00007fff15f258c8 rsi = 0x00007f9342ce78b0 rdi = 0x00007f9342ce6680 rbp = 0x00007fff15f257f0 rsp = 0x00007fff15f257d0 r8 = 0x00007f9342ce78b0 r9 = 0x00007f9343e5f740 r10 = 0x00000000ffffffc7 r11 = 0x0000000000000000 r12 = 0x00007f9328a4d940 r13 = 0x0000000000000003 r14 = 0x00007fff15f258e8 r15 = 0x00007fff15f259ec rip = 0x00007f9332d64a39 OS|Linux|0.0.0 Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV /SEGV_MAPERR|0x0|0 0|0|libxul.so|mozilla::ContentEventHandler::RawRange::AssertStartIsBeforeOrEqualToEnd()|hg:hg.mozilla.org/mozilla-central:dom/events/ContentEventHandler.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|48|0x18 0|1|libxul.so|mozilla::ContentEventHandler::RawRange::SetEnd(mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&)|hg:hg.mozilla.org/mozilla-central:dom/events/ContentEventHandler.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|99|0x8 0|2|libxul.so|mozilla::ContentEventHandler::GetFlatTextLengthInRange(mozilla::ContentEventHandler::NodePosition const&, mozilla::ContentEventHandler::NodePosition const&, nsIContent*, unsigned int*, mozilla::LineBreakType, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/ContentEventHandler.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2860|0xb 0|3|libxul.so|mozilla::ContentEventHandler::GetStartOffset(mozilla::ContentEventHandler::RawRange const&, unsigned int*, mozilla::LineBreakType)|hg:hg.mozilla.org/mozilla-central:dom/events/ContentEventHandler.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2959|0x5 0|4|libxul.so|mozilla::ContentEventHandler::OnQueryCaretRect(mozilla::WidgetQueryContentEvent*)|hg:hg.mozilla.org/mozilla-central:dom/events/ContentEventHandler.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2543|0x5 0|5|libxul.so|mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEContentObserver.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|826|0xb 0|6|libxul.so|mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|972|0x13 0|7|libxul.so|mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|545|0xe 0|8|libxul.so|mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|7648|0x26 0|9|libxul.so|mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|7374|0x1a 0|10|libxul.so|nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|812|0x20 0|11|libxul.so|nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsView.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|1141|0x1a 0|12|libxul.so|mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&)|hg:hg.mozilla.org/mozilla-central:widget/PuppetWidget.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|409|0x20 0|13|libxul.so|mozilla::ContentCacheInChild::CacheCaret(nsIWidget*, mozilla::widget::IMENotification const*)|hg:hg.mozilla.org/mozilla-central:widget/ContentCache.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|210|0x16 0|14|libxul.so|mozilla::ContentCacheInChild::CacheSelection(nsIWidget*, mozilla::widget::IMENotification const*)|hg:hg.mozilla.org/mozilla-central:widget/ContentCache.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|186|0x5 0|15|libxul.so|mozilla::widget::PuppetWidget::NotifyIMEOfPositionChange(mozilla::widget::IMENotification const&)|hg:hg.mozilla.org/mozilla-central:widget/PuppetWidget.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|962|0xe 0|16|libxul.so|mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&)|hg:hg.mozilla.org/mozilla-central:widget/TextEventDispatcher.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|494|0x17 0|17|libxul.so|nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&)|hg:hg.mozilla.org/mozilla-central:widget/nsBaseWidget.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|1915|0x17 0|18|libxul.so|nsBaseWidget::NotifyWindowMoved(int, int)|hg:hg.mozilla.org/mozilla-central:widget/nsBaseWidget.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|1842|0x1c 0|19|libxul.so|mozilla::widget::PuppetWidget::Resize(double, double, double, double, bool)|hg:hg.mozilla.org/mozilla-central:widget/PuppetWidget.h:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|114|0x18 0|20|libxul.so|mozilla::dom::TabChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&)|hg:hg.mozilla.org/mozilla-central:dom/ipc/TabChild.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|1324|0xa 0|21|libxul.so|mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0e43f1bff49da52b3e4b5eb0c6289f7a78d4ac499c6652613a28d157a7575447ee4464fc43f57144d6a3653eeb5963e5a2d3ba35d1c3fdb7cfb8bec0456d0519/ipc/ipdl/PBrowserChild.cpp:|3140|0xc 0|22|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2248|0x6 0|23|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2175|0xb 0|24|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2012|0xb 0|25|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|2045|0xc 0|26|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|337|0x15 0|27|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|1161|0x15 0|28|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|519|0x11 0|29|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|125|0xd 0|30|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|325|0x17 0|31|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|318|0x8 0|32|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|158|0xd 0|33|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|944|0x11 0|34|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|269|0x5 0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|325|0x17 0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|318|0x8 0|37|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|770|0x8 0|38|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|50|0x14 0|39|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|287|0x11 0|40|libc-2.27.so||||0x21b97 0|41|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:0c947d96e8f3c9f04979975c69aa7d0bcb8a4266|164|0x5
Flags: in-testsuite?
Priority: -- → P2
Component: Event Handling → User events and focus handling

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210224162107-27f574662450
mozilla-central 20200226092757-7f41334e1044

Whiteboard: [bugmon:confirmed]

This seems to have been fixed somewhere else more than a year ago.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
See Also: → 1429427
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: