Assertion failure: mChild || mParent->Length() == mOffset.value(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorDOMPoint.h:121
Categories
(Core :: DOM: Editor, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 420e18a75314.
Assertion failure: mChild || mParent->Length() == mOffset.value(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorDOMPoint.h:121
rax = 0x000055809e233e40 rdx = 0x0000000000000000
rcx = 0x00007f7a42644973 rbx = 0x00007ffdaf430f10
rsi = 0x00007f7a4d55c8b0 rdi = 0x00007f7a4d55b680
rbp = 0x00007ffdaf430d80 rsp = 0x00007ffdaf430d40
r8 = 0x00007f7a4d55c8b0 r9 = 0x00007f7a4e6c6740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffdaf430f20 r13 = 0x0000000000000002
r14 = 0x00007f7a342b7680 r15 = 0x00007ffdaf430e58
rip = 0x00007f7a3ecc11c5
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::EditorDOMPointBase<nsINode*, nsIContent*>::EditorDOMPointBase(nsINode*, nsIContent*, int)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorDOMPoint.h:420e18a75314b8123b515d8a93cbacd145ecb03c|120|0x41
0|1|libxul.so|mozilla::HTMLEditRules::NormalizeSelection()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|6713|0x18
0|2|libxul.so|mozilla::HTMLEditRules::WillHTMLIndent(bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|4895|0x5
0|3|libxul.so|mozilla::HTMLEditRules::WillIndent(bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|4573|0x5
0|4|libxul.so|mozilla::HTMLEditRules::WillDoAction(mozilla::EditSubActionInfo&, bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|722|0xe
0|5|libxul.so|mozilla::HTMLEditor::IndentOrOutdentAsSubAction(mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|2426|0x2b
0|6|libxul.so|mozilla::HTMLEditor::IndentAsAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|2384|0xd
0|7|libxul.so|mozilla::IndentCommand::DoCommand(char const*, mozilla::TextEditor&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|443|0x5
0|8|libxul.so|mozilla::EditorCommand::DoCommand(char const*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|58|0x1b
0|9|libxul.so|nsControllerCommandTable::DoCommand(char const*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|138|0x17
0|10|libxul.so|nsBaseCommandController::DoCommand(char const*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|115|0x1a
0|11|libxul.so|nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|201|0x14
0|12|libxul.so|nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|2381|0x26
0|13|libxul.so|mozilla::dom::HTMLDocument_Binding::execCommand|s3:gecko-generated-sources:d6d5d8475b5b9f31319cd44ba68619c4e466e2d1ecfbb9b5f85a5ca890d0f6599352a0d3794cebf38a5bb8425897d682e8035dec8dc546960753f192e93307f4/dom/bindings/HTMLDocumentBinding.cpp:|539|0x2e
0|14|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|3153|0x24
0|15|libxul.so|CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|443|0x13
0|16|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|535|0x12
0|17|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|590|0xd
0|18|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|594|0xf
0|19|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|423|0xb
0|20|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|563|0xf
0|21|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|590|0xd
0|22|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|606|0x5
0|23|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|2636|0x1c
0|24|libxul.so|mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:07034a91c20d743b6b1cb0050fb45856e506111933106e79effdb8dcee60d394334ccec99923dca240d02a8a2423627e46882951c1689b39a2e7f0665bac7e9b/dom/bindings/EventHandlerBinding.cpp:|267|0x5
0|25|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|205|0x15e
0|26|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1045|0xc
0|27|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1240|0x19
0|28|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|351|0x6
0|29|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|551|0x12
0|30|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1047|0x1a
0|31|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1102|0x25
0|32|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|6625|0x14
0|33|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|6425|0x18
0|34|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1313|0x64
0|35|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|872|0x2a
0|36|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|710|0x15
0|37|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|598|0x16
0|38|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|568|0x17
0|39|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|7987|0x20
0|40|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|7919|0x5
0|41|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|5105|0xd
0|42|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:420e18a75314b8123b515d8a93cbacd145ecb03c|1174|0x13
0|43|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|295|0x15
0|44|libxul.so|nsThread::ProcessNextEvent(bool, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|1180|0x15
0|45|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|486|0x11
0|46|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|88|0xa
0|47|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:420e18a75314b8123b515d8a93cbacd145ecb03c|315|0x17
0|48|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:420e18a75314b8123b515d8a93cbacd145ecb03c|290|0x8
0|49|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|137|0xd
0|50|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|919|0x11
0|51|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|238|0x5
0|52|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:420e18a75314b8123b515d8a93cbacd145ecb03c|315|0x17
0|53|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:420e18a75314b8123b515d8a93cbacd145ecb03c|290|0x8
0|54|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|757|0xc
0|55|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|56|0x14
0|56|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:420e18a75314b8123b515d8a93cbacd145ecb03c|263|0x11
0|57|libc-2.27.so|__libc_start_main|||0xe7
0|58|firefox-bin|_start|||0x29
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
This is a simple mistake of MOZ_ASSERTION() in it. When mParent is a node
which can have children, mChild should be non-nullptr or mOffset should
/ be set to the end of mParent. But when mParent is not a container, any
mOffset value should be allowed.
|
|
Assignee | |
Comment 2•5 years ago
|
||
For guaranteeing the sets of container node, offset in it, and the node
referred by the offset, the method should use EditorDOMPoint instead of
managing them separately.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/aea4f15b4cf2 part 1: The constructor of EditorDOMPointBase which takes all information should allow non-end point of text node r=m_kato https://hg.mozilla.org/integration/autoland/rev/b103cb020965 part 2: Make HTMLEditRules::NormalizeSelection() use EditorDOMPoint r=m_kato
|
||
Comment 4•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/aea4f15b4cf2
https://hg.mozilla.org/mozilla-central/rev/b103cb020965
|
||
Updated•5 years ago
|
Description
•