Closed
Bug 1624007
Opened 5 years ago
Closed 5 years ago
Assertion failure: !IsSelectionRangeContainerNotContent(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2546
Categories
(Core :: DOM: Editor, defect, P2)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
mozilla77
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | unaffected |
| firefox76 | --- | wontfix |
| firefox77 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).
Assertion failure: !IsSelectionRangeContainerNotContent(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2546
rax = 0x000055c6ba28b380 rdx = 0x0000000000000000
rcx = 0x00007fe2e8d34ad1 rbx = 0x00007fe2d9c13c00
rsi = 0x00007fe2f474c8b0 rdi = 0x00007fe2f474b680
rbp = 0x00007ffc2083ba90 rsp = 0x00007ffc2083ba30
r8 = 0x00007fe2f474c8b0 r9 = 0x00007fe2f58b2780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007fe2d9c13c00 r13 = 0x00007fe2e7c47f80
r14 = 0x00007fe2e7c59e1c r15 = 0x00007ffc2083bae0
rip = 0x00007fe2e50a31f0
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::HTMLEditor::GetElementOrParentByTagNameAtSelection(nsAtom const&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2546|0x35
0|1|libxul.so|mozilla::HTMLEditor::RefreshEditingUI()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLAnonymousNodeEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x1a
0|2|libxul.so|mozilla::EditorBase::EndUpdateViewBatch()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4521|0x2b
0|3|libxul.so|mozilla::EditorBase::EndPlaceholderTransaction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|992|0x8
0|4|libxul.so|mozilla::EditorBase::AutoPlaceholderBatch::~AutoPlaceholderBatch()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2695|0x16
0|5|libxul.so|mozilla::HTMLEditor::SetInlinePropertyAsAction(nsAtom&, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLStyleEditor.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|85|0x12
0|6|libxul.so|mozilla::StyleUpdatingCommand::ToggleState(nsAtom*, mozilla::HTMLEditor*, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|179|0x145
0|7|libxul.so|mozilla::StateUpdatingCommandBase::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|78|0x12
0|8|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4850|0x19
0|9|libxul.so|mozilla::dom::Document_Binding::execCommand|s3:gecko-generated-sources:14863a2b2a6389528d2390329f9ef00fd608dc847d95cf4fb4e276672470cbaf2ba3bffea0bbe4dfdc700e07cdef769b5219c5fae418f6cd54145735b40d4f43/dom/bindings/DocumentBinding.cpp:|3466|0x2e
0|10|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3205|0x21
0|11|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|476|0x19
0|12|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|568|0x12
0|13|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|14|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3026|0x16
0|15|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|409|0x152
0|16|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|603|0xf
0|17|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|18|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|648|0x8
0|19|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2790|0x1f
0|20|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:0992ac839e78be4b5bc946db6152e8b3f5934ea0d4e9c78c35aef98c89edecbc33dfe0851074a4d84c381b1ab23c7f73c4a13405b94b9c4746627a7dccdf6e10/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|21|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|22|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|23|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|24|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|558|0x12
0|25|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|26|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1157|0x1a
0|27|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|6071|0x18
0|28|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|5854|0x1c
0|29|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1348|0x31
0|30|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|907|0x2a
0|31|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|727|0x15
0|32|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|615|0x16
0|33|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|611|0x1a
0|34|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|518|0xe
0|35|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10738|0x4c
0|36|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10672|0x2a
0|37|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7360|0xd
0|38|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1210|0x5
0|39|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|282|0x14
0|40|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|41|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|42|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|45|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|46|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|47|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|48|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|49|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|50|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|51|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|52|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|53|libc.so.6||||0x21b97
0|54|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|55|firefox-bin||||0x10b10
0|56|ld-linux-x86-64.so.2||||0x10733
0|57|libdl.so.2||||0x202d80
0|58|libpthread.so.0||||0x219bb0
0|59|firefox-bin||||0x10b10
0|60|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200320215802-7df85231b517.
The bug appears to have been introduced in the following build range:
> Start: 4121453852cb90884200815b333a6fd636f3931c (20200309154158)
> End: 268543e53e1b11ce0e468d985ea3777563e7b8a8 (20200309215254)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4121453852cb90884200815b333a6fd636f3931c&tochange=268543e53e1b11ce0e468d985ea3777563e7b8a8
|
||
Comment 2•5 years ago
|
||
Mirko, would you want to take a quick look at this?
Flags: needinfo?(mbrodesser)
|
||
Comment 3•5 years ago
|
||
The violated assertion (https://searchfox.org/mozilla-central/rev/c80fa7258c935223fe319c5345b58eae85d4c6ae/editor/libeditor/HTMLEditor.cpp#2546) was added recently by Masayuki. Masayuki, can you please have a look?
Flags: needinfo?(mbrodesser) → needinfo?(masayuki)
|
Assignee | |
Comment 4•5 years ago
|
||
Yeah, I'll take a look.
Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
|
|
||
Updated•5 years ago
|
Priority: -- → P2
|
|
Reporter | |
Comment 5•5 years ago
|
||
Bugmon Analysis:
|
|
Assignee | |
Updated•5 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•5 years ago
|
Blocks: add-scriptable-editor-API-tests
|
|
Assignee | |
Comment 6•5 years ago
|
||
We can relax about GetElementOrParentElement*() because they just return
nullptr when selection anchor is a Document node.
Additionally, this patch renames the internal APIs to the names similar to
modern DOM API.
Finally, this adds automated test for
nsIHTMLEditor.getElementOrParentByTagName().
|
||
Comment 7•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/c3ee1bc3fade
Don't check `IsSelectionRangeContainerNotContent()` for/in `GetElementOrParentElement*()` r=m_kato
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox77:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
|
||
Updated•5 years ago
|
status-firefox74:
--- → unaffected
status-firefox75:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 10•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 11•4 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•