Closed Bug 1548853 Opened 5 years ago Closed 3 years ago

Assertion failure: IsElement(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1987

Categories

(Core :: DOM: Editor, defect, P3)

RESOLVED WORKSFORME
Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 083106d8fc74.

Assertion failure: IsElement(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1987

rax = 0x000055d95eb39e40   rdx = 0x0000000000000000
rcx = 0x00007f162d949a72   rbx = 0x00007f161f899400
rsi = 0x00007f1638cdd8b0   rdi = 0x00007f1638cdc680
rbp = 0x00007ffd89b1d9d0   rsp = 0x00007ffd89b1d9d0
r8 = 0x00007f1638cdd8b0    r9 = 0x00007f1639e47740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f161fc24d40   r13 = 0x0000000000000000
r14 = 0x0000000000000013   r15 = 0x00007ffd89b1da20
rip = 0x00007f1628a05c11
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsINode::AsElement()|hg:hg.mozilla.org/mozilla-central:dom/base/Element.h:083106d8fc7407c880a3a044c83d4e15e5961063|1987|0x16
0|1|libxul.so|mozilla::HTMLEditRules::PromoteRange(nsRange&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|7037|0x1b
0|2|libxul.so|mozilla::HTMLEditRules::GetPromotedRanges(nsTArray<RefPtr<nsRange> >&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|7011|0x16
0|3|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection(mozilla::EditSubAction, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::TouchContent)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|7647|0xe
0|4|libxul.so|mozilla::HTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::EntireList, mozilla::HTMLEditRules::TouchContent)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|7317|0x13
0|5|libxul.so|mozilla::HTMLEditRules::GetListState(bool*, bool*, bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|816|0x10
0|6|libxul.so|mozilla::HTMLEditor::GetListState(bool*, bool*, bool*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|2041|0x24
0|7|libxul.so|mozilla::GetListState|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|1331|0x17
0|8|libxul.so|mozilla::RemoveListCommand::IsCommandEnabled(mozilla::Command, mozilla::TextEditor*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|389|0x12
0|9|libxul.so|mozilla::EditorCommand::IsCommandEnabled(char const*, nsISupports*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|44|0x14
0|10|libxul.so|nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|91|0x14
0|11|libxul.so|nsBaseCommandController::IsCommandEnabled(char const*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|87|0x1a
0|12|libxul.so|nsWindowRoot::GetEnabledDisabledCommandsForControllers(nsIControllers*, nsTHashtable<nsCharPtrHashKey>&, nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsWindowRoot.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|239|0x15
0|13|libxul.so|nsWindowRoot::GetEnabledDisabledCommands(nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsWindowRoot.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|266|0x19
0|14|libxul.so|ChildCommandDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|6478|0x1b
0|15|libxul.so|nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|5217|0x11
0|16|libxul.so|nsContentUtils::AddScriptRunner(nsIRunnable*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|5223|0x13
0|17|libxul.so|nsGlobalWindowOuter::UpdateCommands(nsTSubstring<char16_t> const&, mozilla::dom::Selection*, short)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|6516|0x8
0|18|libxul.so|nsDocViewerSelectionListener::NotifySelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|3360|0x42
0|19|libxul.so|mozilla::dom::Selection::NotifySelectionListeners()|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|3239|0x49
0|20|libxul.so|nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrameSelection.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|1905|0x10
0|21|libxul.so|mozilla::dom::Selection::AddRangeInternal(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|2061|0x12
0|22|libxul.so|mozilla::dom::Selection::AddRange(nsRange&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|1983|0x12
0|23|libxul.so|mozilla::dom::Selection::AddRangeJS(nsRange&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|1978|0x5
0|24|libxul.so|mozilla::dom::Selection_Binding::addRange|s3:gecko-generated-sources:6ce490b2da98ae5927ad291dd7e6c5f1a37dad5db19b1a7ad8d63dff8301fab737d88d177a7001df827379dad6924c02d808fd1f503406ed74cfe0f3cfb2a472/dom/bindings/SelectionBinding.cpp:|350|0x1a
0|25|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|3153|0x24
0|26|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|443|0x13
0|27|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|535|0x12
0|28|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|590|0xd
0|29|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|594|0x13
0|30|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|423|0xb
0|31|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|563|0xf
0|32|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|590|0xd
0|33|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|606|0x5
0|34|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|2647|0x1c
0|35|libxul.so|mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:a7c2e5fbc8d754dda6a548b7b47f3620d4c9b10ea79911d63eee97dce3943509e5dac2b094e8f79cc317b469bbff7142455a8edf1bb906af40be582eb3c8ce34/dom/bindings/FunctionBinding.cpp:|41|0x5
0|36|libxul.so|void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:46fb03c1a8c0e11d34f5e031c89d1a474e669ef986de20768612085e4233f6871c6674b6fc7e076da097557e955e8fa4dd7337ed126d39cecea8d5c6e05d7972/dist/include/mozilla/dom/FunctionBinding.h:|73|0x23
0|37|libxul.so|nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|5688|0x31
0|38|libxul.so|mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutManager.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|979|0x13
0|39|libxul.so|mozilla::dom::TimeoutExecutor::MaybeExecute()|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|177|0x13
0|40|libxul.so|mozilla::dom::TimeoutExecutor::Notify(nsITimer*)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|244|0x5
0|41|libxul.so|nsTimerImpl::Fire(int)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsTimerImpl.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|564|0xe
0|42|libxul.so|nsTimerEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TimerThread.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|260|0x18
0|43|libxul.so|mozilla::ThrottledEventQueue::Inner::ExecuteRunnable()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|243|0x11
0|44|libxul.so|mozilla::ThrottledEventQueue::Inner::Executor::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|80|0xd
0|45|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|295|0x15
0|46|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|1180|0x15
0|47|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|486|0x11
0|48|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|110|0xd
0|49|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:083106d8fc7407c880a3a044c83d4e15e5961063|315|0x17
0|50|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:083106d8fc7407c880a3a044c83d4e15e5961063|290|0x8
0|51|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|137|0xd
0|52|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|919|0x11
0|53|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|238|0x5
0|54|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:083106d8fc7407c880a3a044c83d4e15e5961063|315|0x17
0|55|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:083106d8fc7407c880a3a044c83d4e15e5961063|290|0x8
0|56|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|757|0xc
0|57|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|56|0x14
0|58|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:083106d8fc7407c880a3a044c83d4e15e5961063|263|0x11
0|59|libc-2.27.so|__libc_start_main|||0xe7
0|60|firefox-bin|_start|||0x29
Flags: in-testsuite?

assertion only

Priority: -- → P3

Could you wrap the stack trace with triple backquotes? Then each line won't be wrapped and it becomes easier to read.

Flags: needinfo?(jkratzer)
Flags: needinfo?(jkratzer)

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210224215151-69be3221f49a
mozilla-central 20200227033937-7a5cb26a2d51

Whiteboard: [bugmon:confirmed]

This seems to have been fixed elsewhere more than a year ago.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME