Closed Bug 1611853 Opened 2 months ago Closed 2 months ago

Assertion failure: rangeIndex >= 0, at /builds/worker/workspace/build/src/dom/base/Selection.cpp:1939

Categories

(Core :: DOM: Core & HTML, defect, P2)

Tracking

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 --- fixed

People

(Reporter: jkratzer, Assigned: mbrodesser)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, testcase)

Attachments

(4 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev c0fa6d007c58.

Assertion failure: rangeIndex >= 0, at /builds/worker/workspace/build/src/dom/base/Selection.cpp:1939

OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1940|0x31
0|1|libxul.so|mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1879|0x12
0|2|libxul.so|mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3411|0x19
0|3|libxul.so|mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2660|0x54
0|4|libxul.so|mozilla::HTMLEditor::SelectAllInternal()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3615|0x1f
0|5|libxul.so|mozilla::EditorBase::SelectAll()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1000|0xd
0|6|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4847|0x14
0|7|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:d2ef72c71c794d0feb59c5b46b697c524e1f593b0430173abf3c676f7ce5601264f410930dcd6ce2856b188618109a15c7a3b4fedda47d3a6f2d41d1945f7ca4/dom/bindings/DocumentBinding.cpp:|3431|0x2e
0|8|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3151|0x21
0|9|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|450|0x19
0|10|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|542|0x12
0|11|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|605|0x10
0|12|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|609|0x18
0|13|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|386|0xfe
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|577|0xf
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|605|0x10
0|16|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|622|0x8
0|17|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2797|0x1f
0|18|libxul.so|mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&)|s3:gecko-generated-sources:18f84e19b5489b4d13415d3dabc3741d78190b84f62dbccf5b3a705a3caebcd2fce59a6b8604eaddfb8886f3a5c16189551e65d59c17ae0d262ff7333d6f990e/dom/bindings/HTMLCanvasElementBinding.cpp:|89|0x5
0|19|libxul.so|mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>)|||0x15b
0|20|libxul.so|mozilla::dom::EncodingCompleteEvent::Run()|hg:hg.mozilla.org/mozilla-central:dom/base/ImageEncoder.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|107|0x1b
0|21|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|22|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|23|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|24|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|25|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|26|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|27|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|943|0x6
0|28|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|237|0x5
0|29|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|30|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|31|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|778|0x8
0|32|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|56|0x14
0|33|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|303|0x12
0|34|libc-2.27.so||||0x21b97
0|35|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|36|firefox-bin||||0x10e30
0|37|ld-2.27.so||||0x10733
0|38|libdl-2.27.so||||0x202d80
0|39|libpthread-2.27.so||||0x219bb0
0|40|firefox-bin||||0x10e30
0|41|firefox-bin|_start|||0x29
Flags: in-testsuite?
Flags: needinfo?(mbrodesser)
Assignee: nobody → mbrodesser
Flags: needinfo?(mbrodesser)
Priority: -- → P2
Regressed by: 1609662
Pushed by mbrodesser@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e5b76dfdc06f
return early in `Selection::AddRangeAndSelectFramesAndNotifyListeners` when it didn't add a range. r=smaug
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Can we land this test?

Flags: needinfo?(mbrodesser)

@RyanVM: thanks for the reminder, yes, I'll create a patch for it.

Tests that selecting a contentEditable node with style user-select: none via execCommand doesn't trigger an assertion.

Status: RESOLVED → REOPENED
Flags: needinfo?(mbrodesser)
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 2 months ago → 2 months ago
Resolution: --- → FIXED
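
The failure mode and fix discussed in this bug, reduced to a stand-alone C++ model as an added example (not Gecko code and not the landed patch). `SelectionModel`, `Range`, `selectable` and every method name are hypothetical; only the `rangeIndex >= 0` assertion and the "return early when no range was added" idea come from the thread, and treating unselectable content as the reason a range is refused is an assumption of the model.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Simplified stand-in types for illustration; none of this is Gecko code.
struct Range {
    int start, end;
    bool selectable;  // assumption: false models content the selection refuses
};

class SelectionModel {
public:
    // Stores the range and returns its index, or -1 when nothing was stored.
    int AddRangeInternal(const Range& r) {
        if (!r.selectable || r.start > r.end) return -1;
        ranges_.push_back(r);
        return static_cast<int>(ranges_.size()) - 1;
    }
    // "Before" shape: assumes a range was always added. A rejected range
    // trips the assert (debug) or reaches Notify() as index -1 (NDEBUG).
    bool AddAndNotifyUnchecked(const Range& r) {
        int rangeIndex = AddRangeInternal(r);
        assert(rangeIndex >= 0);
        return Notify(static_cast<std::size_t>(rangeIndex));
    }
    // "After" shape: adding no range is a legal outcome, so return early.
    bool AddAndNotify(const Range& r) {
        int rangeIndex = AddRangeInternal(r);
        if (rangeIndex < 0) return false;  // nothing added, nothing to notify
        return Notify(static_cast<std::size_t>(rangeIndex));
    }
    std::size_t RangeCount() const { return ranges_.size(); }
    int Notifications() const { return notifications_; }

private:
    bool Notify(std::size_t index) {
        (void)ranges_.at(index);  // bounds-checked read of the added range
        ++notifications_;
        return true;
    }
    std::vector<Range> ranges_;
    int notifications_ = 0;
};

int main() {
    SelectionModel sel;
    Range editable{0, 5, true}, unselectable{0, 5, false};  // constructed inputs
    bool ok = sel.AddAndNotify(editable) && !sel.AddAndNotify(unselectable);
    return (ok && sel.RangeCount() == 1) ? 0 : 1;
}
```

The regression test described in the thread checks the same property from the outside: the call that ends up adding no range must complete without asserting.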