Closed Bug 1636541 Opened 4 years ago Closed 3 years ago

Assertion failure: indentedParentElement == content, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6302

Categories

(Core :: DOM: Editor, defect, P5)

defect

Tracking

()

RESOLVED FIXED
93 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 19e273db8019 (built with --enable-debug).

Assertion failure: indentedParentElement == content, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6302

rax = 0x00007f5c7cbb9a39   rdx = 0x0000000000000000
rcx = 0x0000562410f77a48   rbx = 0x000056241266eed0
rsi = 0x00007f5c8da768b0   rdi = 0x00007f5c8da75680
rbp = 0x00007ffd36bb6260   rsp = 0x00007ffd36bb5ca0
r8 = 0x00007f5c8da768b0    r9 = 0x00007f5c8ebdc780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x000056241238d930   r13 = 0x0000000000000001
r14 = 0x00007ffd36bb5d30   r15 = 0x00007ffd36bb5d58
rip = 0x00007f5c778b2586
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::HTMLEditor::HandleOutdentAtSelectionInternal()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|6302|0x0
0|1|libxul.so|mozilla::HTMLEditor::HandleOutdentAtSelection()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|6187|0x8
0|2|libxul.so|mozilla::HTMLEditor::OutdentAsSubAction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|6152|0x8
0|3|libxul.so|mozilla::HTMLEditor::OutdentAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|2440|0x8
0|4|libxul.so|mozilla::OutdentCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|468|0xb
0|5|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|4843|0x33
0|6|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:c83af1743915295036de61d059810e760308be90cc0b888f6d47bc56fdb083fba26e4a93f813375662a4117407ee354f01d87db86af3344ae5291f896a67b628/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|7|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|3203|0x21
0|8|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|493|0x12
0|9|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|585|0xe
0|10|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|652|0xa
0|11|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|465|0xb
0|12|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|620|0x8
0|13|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|665|0xb
0|14|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|2840|0x23
0|15|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|16|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|17|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1073|0x2c
0|18|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1271|0x16
0|19|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|356|0xb
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|558|0x19
0|21|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1055|0x5
0|22|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1146|0x1c
0|23|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|5842|0x18
0|24|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|5594|0xb
0|25|libxul.so|non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x10
0|26|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1345|0x2b
0|27|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|905|0x28
0|28|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|725|0xe
0|29|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|613|0xb
0|30|libxul.so|non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0xd
0|31|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|611|0x14
0|32|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|518|0xe
0|33|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|10742|0x1c
0|34|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|10674|0x8
0|35|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|7324|0xd
0|36|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:19e273db80195cc5de59647fcaf16bafad9bbcce|1220|0x17
0|37|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|146|0x11
0|38|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1200|0x11
0|39|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|481|0xc
0|40|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|87|0x7
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|43|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|137|0xd
0|44|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|909|0xe
0|45|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|237|0x5
0|46|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|47|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|48|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|740|0x5
0|49|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|56|0x11
0|50|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|303|0x20
0|51|libc.so.6||||0x21b97
0|52|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:19e273db80195cc5de59647fcaf16bafad9bbcce|253|0x17
Flags: in-testsuite?

Because this bug's Severity is normal and has not been changed, and this bug's priority is -- (none,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Severity: normal → --
Severity: -- → S3
Regressed by: 1574852
Has Regression Range: --- → yes
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200519094847-96c90df47bda.
The bug appears to have been introduced in the following build range:
> Start: dc67f09ede456775ae2fdef5307fce22f168dafc (20190909102209)
> End: edaf6d0b4d0432d61f8cfdbacbb80d532b8374a3 (20190909104247)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dc67f09ede456775ae2fdef5307fce22f168dafc&tochange=edaf6d0b4d0432d61f8cfdbacbb80d532b8374a3

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 194e31587e6c4174702a223b448e8748b1b4a144 (20210310045802)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=194e31587e6c4174702a223b448e8748b1b4a144
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:masayuki, I hate to NI you again but could this also have been fixed by bug 1677566?

Flags: needinfo?(masayuki)

Oh, thanks. I'll add the testcase into the tree.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P5

(I wonder, if this kind of assertion hit bug report makes a bot create a crashtest automatically and land it into the tree after a review, then, unexpected fix can be detected in each landing.)

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/bb6e6d7c1ff8
Add reported testcase into the tree r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: