Closed
Bug 1624011
Opened 5 years ago
Closed 5 years ago
Assertion failure: firstRange, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:835
Categories
(Core :: DOM: Editor, defect, P3)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
mozilla76
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | unaffected |
| firefox76 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug).
Assertion failure: firstRange, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:835
rax = 0x000055f4ae0da380 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007f9a5d83870c
rsi = 0x00007f9a692118b0 rdi = 0x00007f9a69210680
rbp = 0x00007ffe62fa5ee0 rsp = 0x00007ffe62fa56a0
r8 = 0x00007f9a692118b0 r9 = 0x00007f9a6a377780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000000 r13 = 0x00007f9a4e712c00
r14 = 0x00007ffe62fa5f08 r15 = 0x00007f9a59b7df04
rip = 0x00007f9a59bb4a75
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::AlignStateAtSelection::AlignStateAtSelection(mozilla::HTMLEditor&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|886|0x2e
0|1|libxul.so|mozilla::AlignCommand::GetCurrentState(mozilla::HTMLEditor*, nsCommandParams&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|855|0x1b
0|2|libxul.so|mozilla::MultiStateCommandBase::GetCommandStateParams(mozilla::Command, nsCommandParams&, mozilla::TextEditor*, nsIEditingSession*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|543|0x13
0|3|libxul.so|mozilla::EditorCommand::GetCommandStateParams(char const*, nsICommandParams*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|235|0x44
0|4|libxul.so|nsControllerCommandTable::GetCommandState(char const*, nsICommandParams*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|168|0x9
0|5|libxul.so|nsBaseCommandController::GetCommandStateWithParams(char const*, nsICommandParams*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|143|0x19
0|6|libxul.so|nsCommandManager::GetCommandState(char const*, mozIDOMWindowProxy*, nsICommandParams*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|171|0xd
0|7|libxul.so|mozilla::dom::Document::QueryCommandIndeterm(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|4972|0x5
0|8|libxul.so|mozilla::dom::Document_Binding::queryCommandIndeterm|s3:gecko-generated-sources:14863a2b2a6389528d2390329f9ef00fd608dc847d95cf4fb4e276672470cbaf2ba3bffea0bbe4dfdc700e07cdef769b5219c5fae418f6cd54145735b40d4f43/dom/bindings/DocumentBinding.cpp:|3563|0x12
0|9|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3205|0x21
0|10|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|476|0x19
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|568|0x12
0|12|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|13|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|3026|0x16
0|14|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|409|0x152
0|15|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|603|0xf
0|16|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|631|0x10
0|17|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|648|0x8
0|18|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|2790|0x1f
0|19|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:0992ac839e78be4b5bc946db6152e8b3f5934ea0d4e9c78c35aef98c89edecbc33dfe0851074a4d84c381b1ab23c7f73c4a13405b94b9c4746627a7dccdf6e10/dom/bindings/EventListenerBinding.cpp:|54|0x5
0|20|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x19
0|21|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1271|0x1c
0|22|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|326|0x6b
0|23|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|558|0x12
0|24|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1055|0x1a
0|25|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1157|0x1a
0|26|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|6071|0x18
0|27|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|5854|0x1c
0|28|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1348|0x31
0|29|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|907|0x2a
0|30|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|727|0x15
0|31|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|615|0x16
0|32|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|611|0x1a
0|33|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|518|0xe
0|34|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10738|0x4c
0|35|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|10672|0x2a
0|36|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7360|0xd
0|37|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1210|0x5
0|38|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|282|0x14
0|39|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|40|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|41|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|42|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|43|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|44|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|45|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|46|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|47|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|48|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|49|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|50|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|51|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|52|libc.so.6||||0x21b97
0|53|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|54|firefox-bin||||0x10b10
0|55|ld-linux-x86-64.so.2||||0x10733
0|56|libdl.so.2||||0x202d80
0|57|libpthread.so.0||||0x219bb0
0|58|firefox-bin||||0x10b10
0|59|firefox-bin|_start|||0x29
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200324093140-9b338268ce36.
The bug appears to have been introduced in the following build range:
> Start: 4121453852cb90884200815b333a6fd636f3931c (20200309154158)
> End: 268543e53e1b11ce0e468d985ea3777563e7b8a8 (20200309215254)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4121453852cb90884200815b333a6fd636f3931c&tochange=268543e53e1b11ce0e468d985ea3777563e7b8a8
|
Assignee | |
Comment 3•5 years ago
|
||
Ah, yes. This assertion looks wrong. This is possible case.
Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
Priority: -- → P3
|
|
Assignee | |
Updated•5 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 4•5 years ago
|
||
AlignStateAtSelection class is instantiated outside of editor class so that
we shouldn't make each user guarantee that there is selection range
(fortunately, the putting off cost is really low).
And as far as I tested, Blink and WebKit does not throw exception when
Document.qeuryCommand*("justify*") is called without selection ranges.
So, this patch also prevents exception in this situation.
|
||
Comment 5•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
||
Updated•5 years ago
|
status-firefox74:
--- → unaffected
status-firefox75:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
|
Reporter | |
Comment 6•5 years ago
|
||
Bugmon Analysis:
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/7cc31e664754
Make constructor of `AlignStateAtSelection` not assert when there is no selection ranges r=m_kato
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 9•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 10•4 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•