Closed
Bug 1648564
Opened 4 years ago
Closed 4 years ago
Assertion failure: !aPointAtASCIIWhiteSpace.IsEndOfContainer(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1450
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
mozilla80
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | unaffected |
| firefox79 | --- | wontfix |
| firefox80 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev db74cdf9afe7 (built with --enable-debug).
Assertion failure: !aPointAtASCIIWhiteSpace.IsEndOfContainer(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1450
rax = 0x00007f983707622e rdx = 0x0000000000000000
rcx = 0x000056086df30a58 rbx = 0x00007ffc68ccbab0
rsi = 0x00007f984809a8b0 rdi = 0x00007f9848099680
rbp = 0x00007ffc68ccba50 rsp = 0x00007ffc68ccb980
r8 = 0x00007f984809a8b0 r9 = 0x00007f9849200780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00007ffc68ccbc80 r13 = 0x00007ffc68ccba80
r14 = 0x00007ffc68ccbab0 r15 = 0x00007ffc68ccbb78
rip = 0x00007f98317e5e52
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSRunScanner::GetEndOfCollapsibleASCIIWhiteSpaces(mozilla::EditorDOMPointBase<RefPtr<mozilla::dom::Text>, nsIContent*> const&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1450|0x29
0|1|libxul.so|mozilla::WSRunObject::PrepareToDeleteRangePriv(mozilla::WSRunObject*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1187|0x12
0|2|libxul.so|mozilla::WSRunObject::PrepareToDeleteRange(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|143|0xb
0|3|libxul.so|mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|3212|0x5
0|4|libxul.so|mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|2531|0x10
0|5|libxul.so|mozilla::HTMLEditor::HandleDeleteSelection(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|2370|0x13
0|6|libxul.so|mozilla::EditorBase::DeleteSelectionAsSubAction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|3762|0x14
0|7|libxul.so|mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|3731|0x12
0|8|libxul.so|mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|619|0x7
0|9|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|4852|0x33
0|10|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:8f7281e3ba1d600673dcaa1ac04d192ebae5bd1389403ef4cb1737261df8d246aba5da557aa502b708e3a3d18afebea6aedb14885532cb2904ce3fbf2ec40b9f/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|11|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|3219|0x21
0|12|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|484|0x12
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|576|0xe
0|14|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|639|0x10
0|15|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|643|0xa
0|16|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|456|0xb
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|611|0x8
0|18|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|639|0x10
0|19|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|656|0xb
0|20|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|2846|0x23
0|21|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|22|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|23|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1082|0x2c
0|24|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1279|0x15
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|355|0xb
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|557|0x19
0|27|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1054|0x5
0|28|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1148|0x1c
0|29|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|5684|0x18
0|30|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|5426|0xb
0|31|libxul.so|non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|0|0x10
0|32|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1331|0x2b
0|33|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|937|0x28
0|34|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|757|0xe
0|35|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|640|0x12
0|36|libxul.so|non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|0|0xd
0|37|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|615|0x14
0|38|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|522|0xe
0|39|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|10716|0x1c
0|40|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|10648|0x8
0|41|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|7282|0xd
0|42|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1238|0x17
0|43|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|146|0x11
0|44|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1234|0xe
0|45|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|501|0xc
0|46|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|87|0x7
0|47|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|48|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|49|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|137|0xd
0|50|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|913|0xe
0|51|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|237|0x5
0|52|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|53|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|54|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|744|0x5
0|55|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|56|0x11
0|56|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|303|0x20
0|57|libc.so.6||||0x21b97
0|58|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|253|0x17
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7.
The bug appears to have been introduced in the following build range:
> Start: 0290a1549a6e1965f2f47027508dbc93b1db2024 (20200615071141)
> End: 8e0e2c27bc4b48f2786984b00193bcf4c49cd8de (20200615073857)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0290a1549a6e1965f2f47027508dbc93b1db2024&tochange=8e0e2c27bc4b48f2786984b00193bcf4c49cd8de
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 2•4 years ago
|
||
Hmm, this assertion must detect a bug of GetFirstASCIIWhiteSpacePointCollapsedTo() which shouldn't return end of container.
|
||
Comment 3•4 years ago
|
||
Set release status flags based on info from the regressing bug 1642594
status-firefox77:
--- → unaffected
status-firefox78:
--- → unaffected
status-firefox-esr68:
--- → unaffected
|
|
||
Updated•4 years ago
|
Keywords: regression
|
|
Assignee | |
Comment 4•4 years ago
|
||
Odd... Once I attach to a content process, it won't hit the assertion...
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 5•4 years ago
|
||
This is caused by that the new methods, GetFirstASCIIWhiteSpacePointCollapsedTo() and GetEndOfCollapsibleASCIIWhiteSpaces() may return point in empty text node, but especially the former case, it's wrong. Therefore, they should ignore empty text nodes at the loops. This may change DOM tree modifying order (i.e., when empty text nodes are removed), but the result shouldn't be changed without edge cases with mutation event listeners. Therefore, we don't need to uplift the coming patch.
status-firefox80:
--- → affected
|
|
Assignee | |
Comment 6•4 years ago
|
||
Although their callers may want to remove empty text nodes around white-space
sequence, but for now, we should make them not return empty text node because
the former's name means so, and the latter should behave similarly for
consistency.
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/05c8d1a8485d
Make `WSRunScanner::GetFirstASCIIWhiteSpacePointCollapsedTo()` and `WSRunScanner::GetEndOfCollapsibleASCIIWhiteSpaces()` not return point in empty text node r=m_kato
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200702152109-2d709e60c76e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox-esr78:
--- → unaffected
|
|
||
Updated•4 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•