Assertion failure: !mMutationGuard.Mutated(0), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AncestorIterator.h:62
Categories
(Core :: DOM: Editor, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | wontfix |
| firefox74 | --- | unaffected |
| firefox75 | --- | wontfix |
| firefox76 | --- | wontfix |
| firefox81 | --- | wontfix |
| firefox82 | --- | wontfix |
| firefox83 | --- | fixed |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).
Assertion failure: !mMutationGuard.Mutated(0), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AncestorIterator.h:62
rax = 0x000055f04ffb4380 rdx = 0x0000000000000000
rcx = 0x00007f4b6d209030 rbx = 0x00007f4b5f8974c0
rsi = 0x00007f4b78f1e8b0 rdi = 0x00007f4b78f1d680
rbp = 0x00007ffe8d206300 rsp = 0x00007ffe8d206300
r8 = 0x00007f4b78f1e8b0 r9 = 0x00007f4b7a084780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000000 r13 = 0x00007ffe8d206318
r14 = 0x00007ffe8d206328 r15 = 0x0000000000000000
rip = 0x00007f4b681d47ab
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::InclusiveAncestors::~InclusiveAncestors()|hg:hg.mozilla.org/mozilla-central:dom/base/AncestorIterator.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|62|0x39
0|1|libxul.so|nsINode::GetTextEditorRootContent(mozilla::TextEditor**)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|393|0x8
0|2|libxul.so|nsINode::GetSelectionRootContent(mozilla::PresShell*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|525|0xa
0|3|libxul.so|mozilla::IMEContentObserver::InitWithEditor(nsPresContext*, nsIContent*, mozilla::EditorBase*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEContentObserver.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|230|0x227
0|4|libxul.so|mozilla::IMEContentObserver::Init(nsIWidget*, nsPresContext*, nsIContent*, mozilla::EditorBase*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEContentObserver.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|170|0x15
0|5|libxul.so|mozilla::IMEStateManager::CreateIMEContentObserver(mozilla::EditorBase*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1864|0x26
0|6|libxul.so|mozilla::IMEStateManager::OnFocusInEditor(nsPresContext*, nsIContent*, mozilla::EditorBase&)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|775|0x8
0|7|libxul.so|mozilla::EditorEventListener::Focus(mozilla::InternalFocusEvent*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorEventListener.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1188|0x1a
0|8|libxul.so|mozilla::EditorEventListener::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorEventListener.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|472|0x17
0|9|libxul.so|mozilla::HTMLEditorEventListener::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorEventListener.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|104|0xb
0|10|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1079|0xc
0|11|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|12|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|13|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|488|0x12
0|14|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|638|0x5
0|15|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|16|libxul.so|FocusBlurEvent::Run()|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2403|0x1b
0|17|libxul.so|nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|5474|0x9
0|18|libxul.so|nsContentUtils::AddScriptRunner(nsIRunnable*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|5480|0x35
0|19|libxul.so|nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2551|0x8
0|20|libxul.so|nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, unsigned int, bool, bool, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2519|0x29
0|21|libxul.so|nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2330|0x2f
0|22|libxul.so|nsFocusManager::WindowRaised(mozIDOMWindowProxy*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|719|0x2b
0|23|libxul.so|nsWebBrowser::FocusActivate()|hg:hg.mozilla.org/mozilla-central:toolkit/components/browser/nsWebBrowser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1277|0x8
0|24|libxul.so|mozilla::dom::BrowserChild::RecvActivate()|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1500|0x5
0|25|libxul.so|mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:d7a1aac42baad276655f79f08b9e09b55215a49cd16a304c48bc91bd6c14ea3500014d36d3a48085e312bf09f1a78e231d50383a2e339b40567ca5a6beaf6de6/ipc/ipdl/PContentChild.cpp:|11681|0xf
0|26|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2187|0x6
0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2111|0xe
0|28|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1959|0xb
0|29|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1990|0xc
0|30|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|31|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|32|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|109|0xd
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|35|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|36|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|37|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|40|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|41|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|42|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|43|libc.so.6||||0x21b97
0|44|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|45|firefox-bin||||0x10b10
0|46|ld-linux-x86-64.so.2||||0x10733
0|47|libdl.so.2||||0x202d80
0|48|libpthread.so.0||||0x219bb0
0|49|firefox-bin||||0x10b10
0|50|firefox-bin|_start|||0x29
|
||
Comment 1•5 years ago
|
||
Technically regressed by bug 1617084, I guess. Though should this be a problem is pre-existing.
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 2•5 years ago
|
||
|
|
||
Comment 3•5 years ago
|
||
This is the insertion of the <br> when initializing the editor... Masayuki, is it expected to initialize the text editor lazily like that? Looks a bit dangerous...
Anyhow it's probably fine to remove the iterator here if we expect this to happen...
|
Assignee | |
Comment 4•5 years ago
|
||
Still trying to understand what's going on... As you said, we hit an existing bug. I guess that there is no way to get mutation of anonymous subtree in <input> element, but I feel accessing TextEditor with the testcase is odd.
|
||
Comment 5•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 6•5 years ago
|
||
|
|
Assignee | |
Comment 7•4 years ago
|
||
Resetting assignee which I don't work on in this several months.
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 8•4 years ago
|
||
It was designed for retrieving associated TextEditor and its root content
(anonymous <div> element) if the node is in native anonymous subtree in a
text editor or if the node itself is a TextControlElement. Additionally,
TextControlElement cannot be nested. Therefore, it can stop climbing up the
DOM tree when it meets a TextControlElement.
Then, we can rewrite this without a loop implemented by itself. Instead,
it can use GetClosestNativeAnonymousSubtreeRootParent() when the node is
in native anonymous subtree. Otherwise, it just needs to check whether it's
a TextControlElement or not. Therefore, we can make it stop using
InclusiveAncestorsOfType.
Finally, it calls TextControlElement::GetTextEditor() which is marked as
MOZ_CAN_RUN_SCRIPT. And I think that it may cause running selection
listeners (mutation event listeners won't run because changes occur only in
the native anonymous subtree). Therefore, we should mark all callers of
it with MOZ_CAN_RUN_SCRIPT later.
|
|
Assignee | |
Comment 9•4 years ago
|
||
This patch tries to mark root callers of nsINode::GetSelectionRootContent()
which calls nsINode::GetAnonymousRootElementOfTextEditor() as far as possible
(and reasonable).
It's used by ContentEventHandler so that a lot of methods of
EventStateManager, ContentEventHandler, IMEContentObserver which are main
users of it are also marked as MOZ_CAN_RUN_SCRIPT. I think that this is
reasonable.
On the other hand, it might not be reasonable to mark IMEStateManager methods
as MOZ_CAN_RUN_SCRIPT for initializing IMEContentObserver because
IMEStateManager may be able to initialize IMEContentObserver asynchronously
and its root callers are in XUL layout code. Therefore, this patch uses
MOZ_CAN_RUN_SCRIPT_BOUNDARY for IMEStateManager at least for now.
Depends on D92728
|
||
Comment 10•4 years ago
|
||
|
||
Comment 11•4 years ago
|
||
Backed out for crashtest failure on 1623918.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/88cbfe04f278df2058f3b2e007b2bf02ed1b9451
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=317992454&repo=autoland&lineNumber=1673
|
|
Assignee | |
Comment 12•4 years ago
|
||
Hmm, I just forgot to run the crashtest on tryserver. I'll make it allow to assert it since it's not a new regression. Perhaps, we should flush pending layout when a text editor gets focus or IME content observer prepares to notify widget of focus. However, at the latter case, we do it only on macOS. So, I'll check why we do it only on macOS (the reason is for the limitation of macOS's but I meant that the reason why we don't do it on the other platforms).
|
|
||
Comment 13•4 years ago
|
||
|
||
Comment 14•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c3fa8c415d65
https://hg.mozilla.org/mozilla-central/rev/8aea4006269a
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 15•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201009153554-1581160e62e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Description
•