Closed Bug 1517028 Opened 4 years ago Closed 2 years ago

Crash [@ mozilla::HTMLEditRules::ReturnInHeader] or [@ mozilla::HTMLEditor::HandleInsertParagraphInHeadingElement ]

Categories

(Core :: DOM: Editor, defect, P3)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox66 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:confirmed])

Crash Data

Attachments

(2 files)

testcase.html
466 bytes, text/html
Details
Bug 1517028 - Make `HTMLEditor::SplitNodeDeepWithTransaction` not try to split non-splittable node and `HTMLEditor::HandleInsertParagraphInHeadingElement` check its result r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html 
Testcase found while fuzzing mozilla-central rev 83d06ab87e74.

rax = 0x00007fbfbb96ac46   rdx = 0x0000000000000003
rcx = 0x0000563151b4d948   rbx = 0x00007fbfad4b4000
rsi = 0x00007fbfae070f80   rdi = 0x00007fbfae070f80
rbp = 0x00007ffe302db360   rsp = 0x00007ffe302db250
r8 = 0x0000000000000000    r9 = 0x00000000000000c8
r10 = 0x00007ffe302dadd8   r11 = 0x0000000000000004
r12 = 0x00007fbfad4be280   r13 = 0x0000000080560001
r14 = 0x00007fbfae071080   r15 = 0x00007fbfae070f80
rip = 0x00007fbfb87a9672
OS|Linux|0.0.0 Linux 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::HTMLEditRules::ReturnInHeader(mozilla::dom::Element&, nsINode&, int)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|7663|0x0
0|1|libxul.so|mozilla::HTMLEditRules::WillInsertParagraphSeparator()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1812|0xe
0|2|libxul.so|mozilla::HTMLEditRules::WillDoAction(mozilla::EditSubActionInfo&, bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|682|0x8
0|3|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1087|0x6
0|4|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1064|0x8
0|5|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1098|0x5
0|6|libxul.so|nsControllerCommandTable::DoCommand(char const*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|140|0xc
0|7|libxul.so|nsBaseCommandController::DoCommand(char const*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|123|0x9
0|8|libxul.so|nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|199|0x9
0|9|libxul.so|nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|2813|0xb
0|10|libxul.so|mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:4b782966054acb7b963adef67bacb5e94fb27bdf71bcb9e8ddd370daf6755c5d2901d3ac2b178621d3b2913ef9cda44f6a319b2975c5327b6f83d2a5912bbe06/dom/bindings/HTMLDocumentBinding.cpp:|619|0x8
0|11|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|3062|0x5
0|12|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|443|0x6
0|13|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|594|0x8
0|14|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|423|0xb
0|15|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|563|0x8
0|16|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|606|0x8
0|17|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|2649|0xb
0|18|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:b504f583ed3111ab416617cd63caa012e7478d0516eb5d3bc3cd43cef007715c1a91854c0528b0ec8e85f6341ccebf73a1b2c32556687ebaf4023e3c38ff4197/dom/bindings/EventListenerBinding.cpp:|52|0xb
0|19|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0xe
0|20|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1238|0x12
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:83d06ab87e742c2eb63bce720741c0a222d20f36|350|0xe
0|22|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|552|0xf
0|23|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1042|0xc
0|24|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|0|0x8
0|25|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1029|0x10
0|26|libxul.so|nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|4063|0xf
0|27|libxul.so|nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|4033|0x10
0|28|libxul.so|nsIDocument::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|4729|0x25
0|29|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:83d06ab87e742c2eb63bce720741c0a222d20f36|1106|0x17
0|30|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|299|0x6
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|1157|0x6
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|468|0xd
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|88|0xb
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:83d06ab87e742c2eb63bce720741c0a222d20f36|314|0x8
0|35|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|137|0x8
0|36|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|915|0x6
0|37|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:83d06ab87e742c2eb63bce720741c0a222d20f36|314|0x8
0|38|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|753|0x5
0|39|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:83d06ab87e742c2eb63bce720741c0a222d20f36|49|0x16
0|40|libc-2.27.so||||0x21b97
0|41|firefox-bin||||0x7aa0
0|42|firefox-bin||||0x78bc
0|43|ld-2.27.so||||0x10733
0|44|libdl-2.27.so||||0x202d80
0|45|libpthread-2.27.so||||0x219bb0
0|46|firefox-bin||||0x78bc
0|47|firefox-bin|_start|||0x29
Flags: in-testsuite?
Crash Signature: [@ mozilla::HTMLEditRules::ReturnInHeader ]
P3 as MOZ_DIAGNOSTIC_ASSERT
Priority: -- → P3
Crash Signature: [@ mozilla::HTMLEditRules::ReturnInHeader ] → [@ mozilla::HTMLEditRules::ReturnInHeader ] [@ mozilla::HTMLEditor::HandleInsertParagraphInHeadingElement ]
Summary: Crash [@ mozilla::HTMLEditRules::ReturnInHeader] → Crash [@ mozilla::HTMLEditRules::ReturnInHeader] or [@ mozilla::HTMLEditor::HandleInsertParagraphInHeadingElement ]
See Also: → 1655508

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224162107-27f574662450.

Whiteboard: [bugmon:confirmed]

Masayuki, Now that we have a reproducible test case and if there is already a diagnostic assert here, I assume we were interested in hits here for some reason?

Flags: needinfo?(masayuki)

Today's mozilla-central's log:

[Child 49264, Main Thread] WARNING: '!aChild->IsContent()', file m:/fx64-dbg/dist/include\mozilla/EditorDOMPoint.h:448
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: GetNextNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2871
[Child 49264, Main Thread] WARNING: GetNextNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2871
[Child 49264, Main Thread] WARNING: NS_ENSURE_TRUE(frame) failed: file m:/src/dom/events/ContentEventHandler.cpp:1314
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: GetNextNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2871
[Child 49264, Main Thread] WARNING: GetNextNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2871
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] WARNING: '!aChild->IsContent()', file m:/fx64-dbg/dist/include\mozilla/EditorDOMPoint.h:448
[Child 49264, Main Thread] WARNING: GetPreviousNodeInternal() doesn't assume that the start point is a data node except text node: '!aPoint.IsInDataNode() || aPoint.IsInTextNode()', file m:/src/editor/libeditor/EditorBase.cpp:2812
[Child 49264, Main Thread] ###!!! ASSERTION: Given content is not editable: 'EditorUtils::IsEditableContent( *mScanStartPoint.ContainerAsContent(), EditorType::HTML)', file m:/src/editor/libeditor/WSRunObject.cpp:1327
[Child 49264, Main Thread] WARNING: '!mParent->IsContainerNode()', file m:/fx64-dbg/dist/include\mozilla/EditorDOMPoint.h:317
[Child 49264, Main Thread] WARNING: '!previousContent', file m:/src/editor/libeditor/HTMLEditUtils.h:552
[Child 49264, Main Thread] WARNING: Selection::CollapseInLimiter() failed: '!error.Failed()', file m:/src/editor/libeditor/SplitNodeTransaction.cpp:117
[Child 49264, Main Thread] WARNING: nsITransaction::DoTransaction() failed: 'NS_SUCCEEDED(rv)', file m:/src/editor/txmgr/TransactionItem.cpp:84
[Child 49264, Main Thread] WARNING: TransactionItem::DoTransaction() failed: file m:/src/editor/txmgr/TransactionManager.cpp:689
[Child 49264, Main Thread] WARNING: TransactionManager::BeginTransaction() failed: file m:/src/editor/txmgr/TransactionManager.cpp:74
[Child 49264, Main Thread] WARNING: TransactionManager::DoTransaction() failed: file m:/src/editor/libeditor/EditorBase.cpp:856
[Child 49264, Main Thread] WARNING: EditorBase::DoTransactionInternal() failed: '!aError.Failed()', file m:/src/editor/libeditor/HTMLEditor.cpp:4208
[Child 49264, Main Thread] WARNING: HTMLEditor::SplitNodeWithTransaction() failed: file m:/src/editor/libeditor/HTMLEditor.cpp:4282
[Child 49264, Main Thread] WARNING: HTMLEditor::SplitNodeDeepWithTransaction() failed, but ignored: 'splitHeaderResult.Succeeded()', file m:/src/editor/libeditor/HTMLEditSubActionHandler.cpp:6401
Assertion failure: HTMLEditUtils::IsHeader(*prevItem), at m:/src/editor/libeditor/HTMLEditSubActionHandler.cpp:6407
[Child 49132, Main Thread] ###!!! ASSERTION: Somehow there's stuff in the op queue.: 'mOpQueue.IsEmpty()', file m:/src/parser/html/nsHtml5TreeOpExecutor.cpp:143
[Child 49132, Main Thread] ###!!! ASSERTION: Somehow there's stuff in the op queue.: 'mOpQueue.IsEmpty()', file m:/src/parser/html/nsHtml5TreeOpExecutor.cpp:143
#01: mozilla::HTMLEditor::InsertParagraphSeparatorAsAction (m:\src\editor\libeditor\HTMLEditor.cpp:1097)
#02: mozilla::InsertParagraphCommand::DoCommand (m:\src\editor\libeditor\EditorCommands.cpp:886)
#03: mozilla::dom::Document::ExecCommand (m:\src\dom\base\Document.cpp:5132)
#04: mozilla::dom::Document_Binding::execCommand (m:\fx64-dbg\dom\bindings\DocumentBinding.cpp:3475)
#05: mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> (m:\src\dom\bindings\BindingUtils.cpp:3237)
#06: CallJSNative (m:\src\js\src\vm\Interpreter.cpp:435)
#07: js::InternalCallOrConstruct (m:\src\js\src\vm\Interpreter.cpp:520)
#08: InternalCall (m:\src\js\src\vm\Interpreter.cpp:580)
#09: Interpret (m:\src\js\src\vm\Interpreter.cpp:3243)
#10: js::RunScript (m:\src\js\src\vm\Interpreter.cpp:405)
#11: js::InternalCallOrConstruct (m:\src\js\src\vm\Interpreter.cpp:552)
#12: InternalCall (m:\src\js\src\vm\Interpreter.cpp:580)
#13: js::Call (m:\src\js\src\vm\Interpreter.cpp:597)
#14: JS::Call (m:\src\js\src\jsapi.cpp:2863)
#15: mozilla::dom::EventListener::HandleEvent (m:\fx64-dbg\dom\bindings\EventListenerBinding.cpp:57)
#16: mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget *> (m:\fx64-dbg\dist\include\mozilla\dom\EventListenerBinding.h:65)
#17: mozilla::EventListenerManager::HandleEventSubType (m:\src\dom\events\EventListenerManager.cpp:1101)
#18: mozilla::EventListenerManager::HandleEventInternal (m:\src\dom\events\EventListenerManager.cpp:1298)
#19: mozilla::EventTargetChainItem::HandleEvent (m:\src\dom\events\EventDispatcher.cpp:357)
#20: mozilla::EventTargetChainItem::HandleEventTargetChain (m:\src\dom\events\EventDispatcher.cpp:558)
#21: mozilla::EventDispatcher::Dispatch (m:\src\dom\events\EventDispatcher.cpp:1099)
#22: mozilla::EventDispatcher::DispatchDOMEvent (m:\src\dom\events\EventDispatcher.cpp:1207)
#23: nsINode::DispatchEvent (m:\src\dom\base\nsINode.cpp:1332)
#24: nsContentUtils::DispatchEvent (m:\src\dom\base\nsContentUtils.cpp:4196)
#25: nsContentUtils::DispatchTrustedEvent (m:\src\dom\base\nsContentUtils.cpp:4165)
#26: mozilla::dom::Document::DispatchContentLoadedEvents (m:\src\dom\base\Document.cpp:7446)
#27: mozilla::detail::RunnableMethodImpl<mozilla::dom::Document *,void (mozilla::dom::Document::*)(),1,mozilla::RunnableKind::Standard>::Run (m:\fx64-dbg\dist\include\nsThreadUtils.h:1204)
#28: mozilla::SchedulerGroup::Runnable::Run (m:\src\xpcom\threads\SchedulerGroup.cpp:146)
#29: mozilla::RunnableTask::Run (m:\src\xpcom\threads\TaskController.cpp:473)
#30: mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal (m:\src\xpcom\threads\TaskController.cpp:760)
#31: mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal (m:\src\xpcom\threads\TaskController.cpp:611)
#32: mozilla::TaskController::ProcessPendingMTTask (m:\src\xpcom\threads\TaskController.cpp:395)
#33: mozilla::detail::RunnableFunction<`lambda at m:/src/xpcom/threads/TaskController.cpp:133:7'>::Run (m:\src\xpcom\threads\nsThreadUtils.h:535)
#34: nsThread::ProcessNextEvent (m:\src\xpcom\threads\nsThread.cpp:1162)
#35: NS_ProcessNextEvent (m:\src\xpcom\threads\nsThreadUtils.cpp:548)
#36: mozilla::ipc::MessagePump::Run (m:\src\ipc\glue\MessagePump.cpp:87)
#37: MessageLoop::RunHandler (m:\src\ipc\chromium\src\base\message_loop.cc:329)
#38: MessageLoop::Run (m:\src\ipc\chromium\src\base\message_loop.cc:311)
#39: nsBaseAppShell::Run (m:\src\widget\nsBaseAppShell.cpp:139)
#40: nsAppShell::Run (m:\src\widget\windows\nsAppShell.cpp:602)
#41: XRE_RunAppShell (m:\src\toolkit\xre\nsEmbedFunctions.cpp:902)
#42: mozilla::ipc::MessagePumpForChildProcess::Run (m:\src\ipc\glue\MessagePump.cpp:237)
#43: MessageLoop::RunHandler (m:\src\ipc\chromium\src\base\message_loop.cc:329)
#44: MessageLoop::Run (m:\src\ipc\chromium\src\base\message_loop.cc:311)
#45: XRE_InitChildProcess (m:\src\toolkit\xre\nsEmbedFunctions.cpp:737)
#46: NS_internal_main (m:\src\browser\app\nsBrowserApp.cpp:309)
#47: wmain (m:\src\toolkit\xre\nsWindowsWMain.cpp:131)
#48: __scrt_common_main_seh (d:\agent\_work\63\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
#49: BaseThreadInitThunk[C:\WINDOWS\System32\KERNEL32.DLL +0x17034]
#50: RtlUserThreadStart[C:\WINDOWS\SYSTEM32\ntdll.dll +0x4d241]
Flags: needinfo?(masayuki)
Assignee: nobody → masayuki
Status: NEW → ASSIGNED

I assume we were interested in hits here for some reason?

When I refactor entire of editor module for beforeinput, I found a lot of lazy error handling. Then, I added a lot of MOZ_ASSERT and MOZ_DIAGNOSTIC_ASSERT for getting reproducible testcases. The different of them is, I used the latter only when the case causes really odd result for users.

There are 2 bugs. One is that SplitNodeDeepWithTransaction tries to split
comment node, but it fails. The other is, the failure result is not checked
by HandleInsertParagraphInHeadingElement. Therefore, the original head
element's previous node may not be a heading element.

Depends on D106591

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/cd21cae59bec
Make `HTMLEditor::SplitNodeDeepWithTransaction` not try to split non-splittable node and `HTMLEditor::HandleInsertParagraphInHeadingElement` check its result r=m_kato

https://hg.mozilla.org/mozilla-central/rev/cd21cae59bec

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
status-firefox66: affectedwontfix
status-firefox86: --- → wontfix
status-firefox87: --- → wontfix
status-firefox-esr78: --- → wontfix
Flags: in-testsuite? → in-testsuite+

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

There is no bisection range...

Flags: needinfo?(masayuki)
You need to log in before you can comment on or make changes to this bug.