Closed
Bug 1624005
Opened 4 years ago
Closed 4 years ago
Assertion failure: mReason == WSType::text || mReason == WSType::normalWS || mReason == WSType::br || mReason == WSType::special || mReason == WSType::thisBlock || mReason == WSType::otherBlock, at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObje
Categories
(Core :: DOM: Editor, defect, P3)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
84 Branch
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).
Assertion failure: mReason == WSType::text || mReason == WSType::normalWS || mReason == WSType::br || mReason == WSType::special || mReason == WSType::thisBlock || mReason == WSType::otherBlock, at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.h:166
rax = 0x0000562c38f5d380 rdx = 0x0000000000000000
rcx = 0x00007f614c444e5a rbx = 0x00007ffcb8805220
rsi = 0x00007f6157e318b0 rdi = 0x00007f6157e30680
rbp = 0x00007ffcb8805140 rsp = 0x00007ffcb8805120
r8 = 0x00007f6157e318b0 r9 = 0x00007f6158f97780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffcb8800000 r13 = 0x0000000000000000
r14 = 0x0000000000000000 r15 = 0x00007ffcb8805250
rip = 0x00007f61487e9575
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSScanResult::AssertIfInvalidData() const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|167|0x49
0|1|libxul.so|mozilla::WSScanResult::WSScanResult(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::WSType)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|159|0x8
0|2|libxul.so|mozilla::WSScanResult mozilla::WSRunScanner::ScanNextVisibleNodeOrBlockBoundaryFrom<nsINode*, nsIContent*>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|636|0x1c
0|3|libxul.so|mozilla::HTMLEditor::GetBetterInsertionPointFor(nsIContent&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1621|0xe
0|4|libxul.so|mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, bool, nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1781|0x1c
0|5|libxul.so|mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1245|0x14
0|6|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4850|0x19
0|7|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:14863a2b2a6389528d2390329f9ef00fd608dc847d95cf4fb4e276672470cbaf2ba3bffea0bbe4dfdc700e07cdef769b5219c5fae418f6cd54145735b40d4f43/dom/bindings/DocumentBinding.cpp:|3466|0x2e
0|8|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3205|0x21
0|9|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|476|0x19
0|10|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|568|0x12
0|11|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|12|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3026|0x16
0|13|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|409|0x152
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|603|0xf
0|15|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|16|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|648|0x8
0|17|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2790|0x1f
0|18|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:0992ac839e78be4b5bc946db6152e8b3f5934ea0d4e9c78c35aef98c89edecbc33dfe0851074a4d84c381b1ab23c7f73c4a13405b94b9c4746627a7dccdf6e10/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|19|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|20|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|22|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|558|0x12
0|23|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|24|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1157|0x1a
0|25|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|6071|0x18
0|26|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|5854|0x1c
0|27|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1348|0x31
0|28|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|907|0x2a
0|29|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|727|0x15
0|30|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|615|0x16
0|31|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|611|0x1a
0|32|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|518|0xe
0|33|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10738|0x4c
0|34|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10672|0x2a
0|35|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7360|0xd
0|36|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1210|0x5
0|37|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|282|0x14
0|38|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|39|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|40|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|43|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|44|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|45|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|46|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|47|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|48|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|49|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|50|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|51|libc.so.6||||0x21b97
0|52|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|53|firefox-bin||||0x10b10
0|54|ld-linux-x86-64.so.2||||0x10733
0|55|libdl.so.2||||0x202d80
0|56|libpthread.so.0||||0x219bb0
0|57|firefox-bin||||0x10b10
0|58|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200320173127-9dd52a62f5df.
The bug appears to have been introduced in the following build range:
> Start: f3da8ae9d1a3e74cd273746da51a035ddc572bee (20200225214332)
> End: 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62 (20200226092757)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3da8ae9d1a3e74cd273746da51a035ddc572bee&tochange=7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
|
Assignee | |
Comment 3•4 years ago
|
||
Yeah, this must detect the case which editor can stop handling odd case earlier. So, not urgent bug.
Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
Priority: -- → P3
|
||
Comment 4•4 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 5•4 years ago
|
||
Bugmon Analysis:
|
||
Updated•4 years ago
|
status-firefox75:
--- → wontfix
status-firefox77:
--- → fix-optional
status-firefox-esr68:
--- → unaffected
Regressed by: 1616257
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 6•4 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)
Severity: normal → S3
|
|
Assignee | |
Comment 7•4 years ago
|
||
Resetting assignee which I don't work on in this several months.
Assignee: masayuki → nobody
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•4 years ago
|
||
The test runs execCommand("insertHorizontalRule") when the document node
has no children. In this case, TextFragmentData fails to initialize itself.
In this case, our editor cannot do anything. Therefore, returning error
in this case must be better.
This patch makes all callers of the scan methods handle the error case unless
the caller cannot return error.
Comparing with Blink, perhaps, we should insert <html> and <body> element
in this case first and keep doing the requested operation in the future.
Currently, doing it may cause another complicated issue with mutation event
listeners.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/390d970b08b6 Make `WSScanResult` have error state and make the scan methods of `WSRunScanner` use it when it fails to initialize `TextFragmentData` r=m_kato
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox84:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
|
|
||
Updated•4 years ago
|
status-firefox82:
--- → wontfix
status-firefox83:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
|
Reporter | |
Comment 11•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201030160944-a7b7d089d5c3.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•