Closed Bug 1596516 Opened 5 months ago Closed 4 months ago

Assertion failure: IsElement(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:2004

Categories

(Core :: DOM: Editor, defect, P2)

Tracking

RESOLVED FIXED
mozilla73
Tracking Status
firefox-esr68 --- wontfix
firefox71 --- wontfix
firefox72 --- fixed
firefox73 --- fixed

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev caf55914ccdd.

Assertion failure: IsElement(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:2004

OS|Linux|0.0.0 Linux 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsINode::AsElement()|hg:hg.mozilla.org/mozilla-central:dom/base/Element.h:caf55914ccddba34d462a1206530d7868b6c4992|2004|0x16
0|1|libxul.so|void mozilla::HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7449|0xb
0|2|libxul.so|already_AddRefed<nsRange> mozilla::HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7550|0x16
0|3|libxul.so|mozilla::HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(mozilla::dom::AbstractRange const&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7537|0xd
0|4|libxul.so|mozilla::HTMLEditor::GetSelectionRangesExtendedToHardLineStartAndEnd(nsTArray<RefPtr<nsRange> >&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7424|0x15
0|5|libxul.so|mozilla::HTMLEditor::CollectEditTargetNodesInExtendedSelectionRanges(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::EditSubAction, mozilla::HTMLEditor::CollectNonEditableNodes)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.h:caf55914ccddba34d462a1206530d7868b6c4992|1612|0xe
0|6|libxul.so|mozilla::ParagraphStateAtSelection::CollectEditableFormatNodesInSelection(mozilla::HTMLEditor&, nsTArray<mozilla::OwningNonNull<nsINode> >&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1189|0x5
0|7|libxul.so|mozilla::ParagraphStateAtSelection::ParagraphStateAtSelection(mozilla::HTMLEditor&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1055|0xb
0|8|libxul.so|mozilla::ParagraphStateCommand::GetCurrentState(mozilla::HTMLEditor*, nsCommandParams&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:caf55914ccddba34d462a1206530d7868b6c4992|562|0xe
0|9|libxul.so|mozilla::EditorCommand::GetCommandStateParams(char const*, nsICommandParams*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:caf55914ccddba34d462a1206530d7868b6c4992|249|0x13
0|10|libxul.so|nsControllerCommandTable::GetCommandState(char const*, nsICommandParams*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:caf55914ccddba34d462a1206530d7868b6c4992|169|0x14
0|11|libxul.so|nsBaseCommandController::GetCommandStateWithParams(char const*, nsICommandParams*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:caf55914ccddba34d462a1206530d7868b6c4992|144|0x1a
0|12|libxul.so|nsCommandManager::GetCommandState(char const*, mozIDOMWindowProxy*, nsICommandParams*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:caf55914ccddba34d462a1206530d7868b6c4992|177|0x13
0|13|libxul.so|mozilla::dom::Document::QueryCommandState(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:caf55914ccddba34d462a1206530d7868b6c4992|4769|0x25
0|14|libxul.so|mozilla::dom::Document_Binding::queryCommandState|s3:gecko-generated-sources:1929e32c92f4e760ff4ef4101416f810650e80336f5c2d93fc1f01369215534e04d24f4cf1b30df604684d3df267c0df238ee4b7e50ded8b069081cd68898bca/dom/bindings/DocumentBinding.cpp:|3504|0x12
0|15|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|3218|0x24
0|16|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|456|0x15
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|548|0x15
0|18|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|617|0x10
0|19|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|621|0x15
0|20|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|423|0xb
0|21|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|589|0x13
0|22|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|617|0x10
0|23|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:caf55914ccddba34d462a1206530d7868b6c4992|634|0x8
0|24|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:caf55914ccddba34d462a1206530d7868b6c4992|2718|0x1f
0|25|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|26|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|27|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1231|0x19
0|28|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:caf55914ccddba34d462a1206530d7868b6c4992|351|0x6
0|29|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:caf55914ccddba34d462a1206530d7868b6c4992|551|0x12
0|30|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1050|0x1a
0|31|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1150|0x19
0|32|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1139|0x5
0|33|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|4013|0x30
0|34|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|3984|0x19
0|35|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7009|0x40
0|36|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:caf55914ccddba34d462a1206530d7868b6c4992|1176|0x13
0|37|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:caf55914ccddba34d462a1206530d7868b6c4992|295|0x15
0|38|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1225|0x15
0|39|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|486|0x11
0|40|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:caf55914ccddba34d462a1206530d7868b6c4992|88|0xa
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|315|0x17
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|290|0x8
0|43|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:caf55914ccddba34d462a1206530d7868b6c4992|137|0xd
0|44|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:caf55914ccddba34d462a1206530d7868b6c4992|934|0x11
0|45|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:caf55914ccddba34d462a1206530d7868b6c4992|238|0x5
0|46|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|315|0x17
0|47|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|290|0x8
0|48|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:caf55914ccddba34d462a1206530d7868b6c4992|769|0xc
0|49|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:caf55914ccddba34d462a1206530d7868b6c4992|56|0x14
0|50|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:caf55914ccddba34d462a1206530d7868b6c4992|272|0x12
0|51|libc-2.27.so||||0x21b97
0|52|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:caf55914ccddba34d462a1206530d7868b6c4992|203|0x5
Flags: in-testsuite?

A debug build here is enough to reproduce the issue.

Makoto, could you take a look? If you don't have time, give this back to me, thanks.

Flags: needinfo?(m_kato)
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Priority: -- → P2
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/7db5bc115b20
NodeIsBlockStatic should return false for non-element. r=masayuki
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73

Can this ride the trains or do you want to uplift to beta?

Flags: in-testsuite? → in-testsuite+
Flags: needinfo?(m_kato)

Comment on attachment 9115098 [details]
Bug 1596516 - NodeIsBlockStatic should return false for non-element.

Beta/Release Uplift Approval Request

  • User impact if declined: Although this test case doesn't crash Firefox, a debug build hits the assertion.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Adding an additional condition to return a valid value.
  • String changes made/needed:
Flags: needinfo?(m_kato)
Attachment #9115098 - Flags: approval-mozilla-beta?

Comment on attachment 9115098 [details]
Bug 1596516 - NodeIsBlockStatic should return false for non-element.

Looks safe enough; approved for 72.0b9.

Attachment #9115098 - Flags: approval-mozilla-beta? → approval-mozilla-beta+