Closed Bug 1618906 Opened 2 years ago Closed 2 years ago

Assertion failure: mReason == WSType::text || mReason == WSType::normalWS || mReason == WSType::br || mReason == WSType::special || mReason == WSType::thisBlock || mReason == WSType::otherBlock, at /builds/worker/workspace/build/src/editor/libeditor/WSRun

Categories

(Core :: DOM: Editor, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:confirmed])

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev fb4f281c1c54 (built with --enable-debug).

Assertion failure: mReason == WSType::text || mReason == WSType::normalWS || mReason == WSType::br || mReason == WSType::special || mReason == WSType::thisBlock || mReason == WSType::otherBlock, at /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.h:163

rax = 0x000055e11e889380   rdx = 0x0000000000000000
rcx = 0x00007f080a76652c   rbx = 0x00007ffcac181ea0
rsi = 0x00007f08161728b0   rdi = 0x00007f0816171680
rbp = 0x00007ffcac181c20   rsp = 0x00007ffcac181c00
r8 = 0x00007f08161728b0    r9 = 0x00007f08172d8780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000000   r13 = 0x0000000000000000
r14 = 0x00007ffcac181d58   r15 = 0x00007ffcac181c68
rip = 0x00007f0806ac6055
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSScanResult::AssertIfInvalidData() const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|164|0x49
0|1|libxul.so|mozilla::WSScanResult::WSScanResult(nsIContent*, unsigned int, mozilla::WSType)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|156|0x8
0|2|libxul.so|mozilla::WSScanResult mozilla::WSRunScanner::ScanPreviousVisibleNodeOrBlockBoundaryFrom<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|563|0xb
0|3|libxul.so|mozilla::HTMLEditor::MaybeExtendSelectionToHardLineEdgesForBlockEditAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|7016|0xe
0|4|libxul.so|mozilla::HTMLEditor::HandleHTMLIndentAtSelection()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|5238|0x8
0|5|libxul.so|mozilla::HTMLEditor::HandleIndentAtSelection()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|5029|0x5
0|6|libxul.so|mozilla::HTMLEditor::IndentAsSubAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|4893|0x8
0|7|libxul.so|mozilla::HTMLEditor::IndentAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|2274|0x8
0|8|libxul.so|mozilla::IndentCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|423|0xb
0|9|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|4833|0x19
0|10|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:2876a177247267539f2cdaa04b1c82d95c57dcc0484a2e4ee3f611db89b35efe8a0e61d65a0c29e18dc145d9c0762c3d06a03d6ed8dbcacb3b96a9d8cd9f6962/dom/bindings/DocumentBinding.cpp:|3431|0x2e
0|11|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|3171|0x21
0|12|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|477|0x19
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|569|0x12
0|14|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|632|0x10
0|15|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|3046|0x16
0|16|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|410|0x152
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|604|0xf
0|18|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|632|0x10
0|19|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|649|0x8
0|20|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|2797|0x1f
0|21|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|22|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|23|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1271|0x1c
0|24|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|326|0x6b
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|558|0x12
0|26|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1055|0x1a
0|27|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1144|0x1a
0|28|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|6084|0x18
0|29|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|5867|0x1c
0|30|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1348|0x31
0|31|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|907|0x2a
0|32|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|727|0x15
0|33|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|615|0x16
0|34|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|604|0x1a
0|35|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|511|0xe
0|36|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|10673|0x4c
0|37|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|10607|0x2a
0|38|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|7300|0xd
0|39|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1210|0x5
0|40|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|282|0x14
0|41|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|1220|0xe
0|42|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|481|0x11
0|43|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|87|0xa
0|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|315|0x19
0|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|290|0x8
0|46|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|137|0xd
0|47|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|926|0x6
0|48|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|237|0x5
0|49|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|315|0x19
0|50|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|290|0x8
0|51|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|761|0x8
0|52|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|56|0x14
0|53|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|303|0x13
0|54|libc-2.27.so||||0x21b97
0|55|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:fb4f281c1c54a5199e6e713c1b8115f80d7faa37|82|0x12
0|56|firefox-bin||||0x10b20
0|57|ld-2.27.so||||0x10733
0|58|libdl-2.27.so||||0x202d80
0|59|libpthread-2.27.so||||0x219bb0
0|60|firefox-bin||||0x10b20
0|61|firefox-bin|_start|||0x29
Flags: in-testsuite?
Attached file prefs.js
BugMon: Verified bug as reproducible on fb4f281c1c54a5199e6e713c1b8115f80d7faa37
BugMon: Reduced build range to...
> Start: f3da8ae9d1a3e74cd273746da51a035ddc572bee (20200225214332)
> End: 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62 (20200226092757)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3da8ae9d1a3e74cd273746da51a035ddc572bee&tochange=7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]

I guess that this is regression by bug 1616257.

Flags: needinfo?(masayuki)
Priority: -- → P1

Hmm, could be WSType::none in edge case??

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)

My guess is correct. This does not affect anything on opt build. (But I found a bug of bug 1618089. WSScanResult cannot use EditorDOMPoint::ContainerAsContent() since it's nullable.)

Priority: P1 → P3

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #6)

This does not affect anything on opt build.

Should we remove the affected tracking for 75 then?

It's valid thing that a container of a Range of Selection is not a content
node. Actually, it can be a Document node. But it's illegal case for
editor. So, if HTMLEditor meets such case, it does not need to do anything.

This patch makes that if HTMLEditor meets the situation at very first time
of public edit action method, it returns "OK" for avoiding new exception case.
Otherwise, i.e., it's an XPCOM API or meeting such situation after a DOM
mutation, returns error.

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/97a8f04641de
Make `HTMLEditor` stop handling anything if container of a range in `Selection` is not a content node r=m_kato

Backed out changeset 97a8f04641de (bug 1618906) on request by masayuki for accidentally landed it

Backout: https://hg.mozilla.org/integration/autoland/rev/22d4555e290a045aabb0eb27157e5dcc45b07b6a

Flags: needinfo?(masayuki)

I'll reland it after the merge.

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/6ca6a4888ec6
Make `HTMLEditor` stop handling anything if container of a range in `Selection` is not a content node r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Flags: needinfo?(masayuki)

Is there a user impact which justifies Beta uplift consideration or can this fix ride Fx76 to release?

Flags: needinfo?(masayuki)
Flags: in-testsuite?
Flags: in-testsuite+
Regressed by: 1616257

No problem unless somebody tries to debug something in beta/release branches. Just a bug of hitting the new assertion. And the patch is pretty risky because it tries to avoid the odd situation in various edit action handlers. Meaning it may cause new web-compat issue. So, if it's important to fix the assertion, I'll create another patch which just avoids the assertion.

Flags: needinfo?(masayuki)
Regressions: 1624007
Regressions: 1624011
You need to log in before you can comment on or make changes to this bug.