Closed
Bug 1623913
Opened 5 years ago
Closed 5 years ago
Assertion failure: aEndPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1411
Categories
(Core :: DOM: Editor, defect, P3)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
mozilla76
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).
Assertion failure: aEndPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1411
rax = 0x000055a898de4380 rdx = 0x00007fcfc093828b
rcx = 0x0000000000000b40 rbx = 0x00007ffc0076a418
rsi = 0x00007fcfcc3198b0 rdi = 0x00007fcfcc318680
rbp = 0x00007ffc0076a380 rsp = 0x00007ffc0076a2b0
r8 = 0x00007fcfcc3198b0 r9 = 0x00007fcfcd47f780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffc0076a520 r13 = 0x00007ffc0076a418
r14 = 0x00007fcfb2c411c0 r15 = 0x00007ffc0076a518
rip = 0x00007fcfbccf7723
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSRunObject::DeleteRange(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1405|0x6c
0|1|libxul.so|mozilla::WSRunObject::PrepareToDeleteRangePriv(mozilla::WSRunObject*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1312|0x34
0|2|libxul.so|mozilla::WSRunObject::PrepareToDeleteRange(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|139|0xb
0|3|libxul.so|mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3177|0x12
0|4|libxul.so|mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2497|0x16
0|5|libxul.so|mozilla::HTMLEditor::HandleDeleteSelection(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2345|0x16
0|6|libxul.so|mozilla::TextEditor::DeleteSelectionAsSubAction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|732|0x14
0|7|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1754|0xc
0|8|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1073|0x8
0|9|libxul.so|mozilla::InsertParagraphCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|886|0x5
0|10|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4850|0x19
0|11|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:14863a2b2a6389528d2390329f9ef00fd608dc847d95cf4fb4e276672470cbaf2ba3bffea0bbe4dfdc700e07cdef769b5219c5fae418f6cd54145735b40d4f43/dom/bindings/DocumentBinding.cpp:|3466|0x2e
0|12|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3205|0x21
0|13|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|476|0x19
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|568|0x12
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|16|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3026|0x16
0|17|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|409|0x152
0|18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|603|0xf
0|19|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|20|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|648|0x8
0|21|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2790|0x1f
0|22|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:0992ac839e78be4b5bc946db6152e8b3f5934ea0d4e9c78c35aef98c89edecbc33dfe0851074a4d84c381b1ab23c7f73c4a13405b94b9c4746627a7dccdf6e10/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|23|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|24|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|558|0x12
0|27|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|28|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1160|0x16
0|29|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1300|0x5
0|30|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4091|0x2a
0|31|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4061|0x21
0|32|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7252|0x5
0|33|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1210|0x5
0|34|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|282|0x14
0|35|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|36|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|37|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|40|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|41|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|42|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|45|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|46|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|47|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|48|libc.so.6||||0x21b97
0|49|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|50|firefox-bin||||0x10b10
0|51|ld-linux-x86-64.so.2||||0x10733
0|52|libdl.so.2||||0x202d80
0|53|libpthread.so.0||||0x219bb0
0|54|firefox-bin||||0x10b10
0|55|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200320095353-32d6a3f1f83c.
The bug appears to have been introduced in the following build range:
> Start: d7e7f63dc1bfb94fd3293b9cc09032d846a14bd9 (20200303095030)
> End: 34693216604b848f77a737ecf36001bd2251ebad (20200303155457)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d7e7f63dc1bfb94fd3293b9cc09032d846a14bd9&tochange=34693216604b848f77a737ecf36001bd2251ebad
Could this be caused by your changes in above build range?
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 3•5 years ago
|
||
Looks like a regression of bug 1618089 or hitting existing bug.
Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
Priority: -- → P3
|
||
Comment 4•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
|
Assignee | |
Comment 5•5 years ago
|
||
I give up to write a clean patch for this bug with current design. The trigger
is indeed bug 1618089, but this is a hidden regression of bug 1530649.
Starting from bug 1530649, WSRunObject started to use EditorDOMPoint for
storing the specified point. And it may store (or only store) child node.
Therefore, if it points a text node and it's removed by
WSRunObject::DeleteRange(), the point becomes invalid even if its offset
is still valid. Therefore, we should make mStartScanPoint and mEndScanPoint
forget their child before DOM tree change ideally, but it means that we need
to compute offset of the child every time before changing the DOM tree. We
cannot accept this safest approach due to performance reason.
Therefore, this patch just invalidates mStartScanPoint's child node only when
it's reused after the DOM tree is modified.
|
||
Updated•5 years ago
|
status-firefox74:
--- → wontfix
status-firefox75:
--- → wontfix
status-firefox-esr68:
--- → wontfix
Regressed by: 1530649
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/f2f4628ef591
Make `WSRunObject::PrepareToDeleteRangePriv()` invalidate child of `mScanStartPoint` before reusing it r=m_kato
|
||
Comment 7•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 8•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200422214848-17aa41e3cb7c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•