Closed Bug 1623913 Opened 3 years ago Closed 3 years ago

Assertion failure: aEndPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1411

Categories

(Core :: DOM: Editor, defect, P3)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
888 bytes, text/html
Details
Bug 1623913 - Make `WSRunObject::PrepareToDeleteRangePriv()` invalidate child of `mScanStartPoint` before reusing it r=m_kato!
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).

Assertion failure: aEndPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1411

rax = 0x000055a898de4380   rdx = 0x00007fcfc093828b
rcx = 0x0000000000000b40   rbx = 0x00007ffc0076a418
rsi = 0x00007fcfcc3198b0   rdi = 0x00007fcfcc318680
rbp = 0x00007ffc0076a380   rsp = 0x00007ffc0076a2b0
r8 = 0x00007fcfcc3198b0    r9 = 0x00007fcfcd47f780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007ffc0076a520   r13 = 0x00007ffc0076a418
r14 = 0x00007fcfb2c411c0   r15 = 0x00007ffc0076a518
rip = 0x00007fcfbccf7723
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSRunObject::DeleteRange(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1405|0x6c
0|1|libxul.so|mozilla::WSRunObject::PrepareToDeleteRangePriv(mozilla::WSRunObject*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1312|0x34
0|2|libxul.so|mozilla::WSRunObject::PrepareToDeleteRange(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|139|0xb
0|3|libxul.so|mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3177|0x12
0|4|libxul.so|mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2497|0x16
0|5|libxul.so|mozilla::HTMLEditor::HandleDeleteSelection(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2345|0x16
0|6|libxul.so|mozilla::TextEditor::DeleteSelectionAsSubAction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|732|0x14
0|7|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1754|0xc
0|8|libxul.so|mozilla::HTMLEditor::InsertParagraphSeparatorAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1073|0x8
0|9|libxul.so|mozilla::InsertParagraphCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|886|0x5
0|10|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4850|0x19
0|11|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:14863a2b2a6389528d2390329f9ef00fd608dc847d95cf4fb4e276672470cbaf2ba3bffea0bbe4dfdc700e07cdef769b5219c5fae418f6cd54145735b40d4f43/dom/bindings/DocumentBinding.cpp:|3466|0x2e
0|12|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3205|0x21
0|13|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|476|0x19
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|568|0x12
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|16|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3026|0x16
0|17|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|409|0x152
0|18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|603|0xf
0|19|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|20|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|648|0x8
0|21|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2790|0x1f
0|22|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:0992ac839e78be4b5bc946db6152e8b3f5934ea0d4e9c78c35aef98c89edecbc33dfe0851074a4d84c381b1ab23c7f73c4a13405b94b9c4746627a7dccdf6e10/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|23|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|24|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|558|0x12
0|27|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|28|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1160|0x16
0|29|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1300|0x5
0|30|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4091|0x2a
0|31|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4061|0x21
0|32|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7252|0x5
0|33|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1210|0x5
0|34|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|282|0x14
0|35|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|36|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|37|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|40|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|41|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|42|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|45|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|46|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|47|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|48|libc.so.6||||0x21b97
0|49|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|50|firefox-bin||||0x10b10
0|51|ld-linux-x86-64.so.2||||0x10733
0|52|libdl.so.2||||0x202d80
0|53|libpthread.so.0||||0x219bb0
0|54|firefox-bin||||0x10b10
0|55|firefox-bin|_start|||0x29
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200320095353-32d6a3f1f83c.
The bug appears to have been introduced in the following build range:
> Start: d7e7f63dc1bfb94fd3293b9cc09032d846a14bd9 (20200303095030)
> End: 34693216604b848f77a737ecf36001bd2251ebad (20200303155457)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d7e7f63dc1bfb94fd3293b9cc09032d846a14bd9&tochange=34693216604b848f77a737ecf36001bd2251ebad

Could this be caused by your changes in above build range?

Flags: needinfo?(masayuki)

Looks like a regression of bug 1618089 or hitting existing bug.

Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
Priority: -- → P3

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

I give up to write a clean patch for this bug with current design. The trigger
is indeed bug 1618089, but this is a hidden regression of bug 1530649.

Starting from bug 1530649, WSRunObject started to use EditorDOMPoint for
storing the specified point. And it may store (or only store) child node.
Therefore, if it points a text node and it's removed by
WSRunObject::DeleteRange(), the point becomes invalid even if its offset
is still valid. Therefore, we should make mStartScanPoint and mEndScanPoint
forget their child before DOM tree change ideally, but it means that we need
to compute offset of the child every time before changing the DOM tree. We
cannot accept this safest approach due to performance reason.

Therefore, this patch just invalidates mStartScanPoint's child node only when
it's reused after the DOM tree is modified.

Has Regression Range: --- → yes
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/f2f4628ef591
Make `WSRunObject::PrepareToDeleteRangePriv()` invalidate child of `mScanStartPoint` before reusing it r=m_kato

https://hg.mozilla.org/mozilla-central/rev/f2f4628ef591

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox76: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Status: RESOLVED → VERIFIED
status-firefox76: fixedverified
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200422214848-17aa41e3cb7c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.