Open
Bug 1649568
Opened 4 years ago
Updated 2 years ago
Assertion failure: !aAncestorLimiter || aContent.IsInclusiveDescendantOf(aAncestorLimiter) (aContent isn't in aAncestorLimiter), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.h:489
Categories
(Core :: DOM: Editor, defect, P5)
Core
DOM: Editor
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox80 | --- | wontfix |
| firefox101 | --- | fixed |
| firefox102 | --- | fixed |
| firefox103 | --- | fixed |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
542 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev adc328596e28 (built with --enable-debug).
Assertion failure: !aAncestorLimiter || aContent.IsInclusiveDescendantOf(aAncestorLimiter) (aContent isn't in aAncestorLimiter), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.h:489
rax = 0x00007f70acbca4e3 rdx = 0x0000000000000000
rcx = 0x0000555c825a4a58 rbx = 0x0000555c8426a770
rsi = 0x00007f70bdc408b0 rdi = 0x00007f70bdc3f680
rbp = 0x00007ffdcdb5b000 rsp = 0x00007ffdcdb5afc0
r8 = 0x00007f70bdc408b0 r9 = 0x00007f70beda6780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x0000555c84299ea0 r13 = 0x0000555c841211e0
r14 = 0x0000555c841211e0 r15 = 0x0000555c84299ea0
rip = 0x00007f70a7296226
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::HTMLEditUtils::GetAncestorBlockElement(nsIContent const&, nsINode const*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditUtils.h:adc328596e28636b03fabe701ec6a4d07054e5af|487|0x29
0|1|libxul.so|mozilla::HTMLEditor::RemoveEmptyInclusiveAncestorInlineElements(nsIContent&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3082|0xb
0|2|libxul.so|mozilla::EditorBase::DeleteSelectionWithTransaction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4146|0x13
0|3|libxul.so|mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3244|0xf
0|4|libxul.so|mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2531|0x10
0|5|libxul.so|mozilla::HTMLEditor::HandleDeleteSelection(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2370|0x13
0|6|libxul.so|mozilla::EditorBase::DeleteSelectionAsSubAction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3762|0x14
0|7|libxul.so|mozilla::HTMLEditor::InsertBRElementAtSelectionWithTransaction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1150|0xc
0|8|libxul.so|mozilla::HTMLEditor::InsertLineBreakAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|986|0x8
0|9|libxul.so|mozilla::InsertLineBreakCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|921|0xb
0|10|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4880|0x33
0|11|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:8f7281e3ba1d600673dcaa1ac04d192ebae5bd1389403ef4cb1737261df8d246aba5da557aa502b708e3a3d18afebea6aedb14885532cb2904ce3fbf2ec40b9f/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|12|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3219|0x21
0|13|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|484|0x12
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|576|0xe
0|15|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|16|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|643|0xa
0|17|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|456|0xb
0|18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|611|0x8
0|19|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|20|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|656|0xb
0|21|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2846|0x23
0|22|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|23|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|24|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1082|0x2c
0|25|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1279|0x15
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|355|0xb
0|27|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|557|0x19
0|28|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1054|0x5
0|29|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|0|0x8
0|30|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1301|0x10
0|31|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4051|0x23
0|32|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4021|0x23
0|33|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|7197|0x21
0|34|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:adc328596e28636b03fabe701ec6a4d07054e5af|1238|0x17
0|35|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|146|0x11
0|36|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1234|0xe
0|37|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|504|0xc
0|38|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|87|0x7
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|41|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|137|0xd
0|42|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|913|0xe
0|43|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|237|0x5
0|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|46|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|744|0x5
0|47|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|56|0x11
0|48|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|303|0x20
0|49|libc.so.6||||0x21b97
0|50|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:adc328596e28636b03fabe701ec6a4d07054e5af|253|0x17
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200702152109-2d709e60c76e.
The bug appears to have been introduced in the following build range:
> Start: c9955025d4a5353568a56a1048292c665312fa95 (20200427094322)
> End: f6310e0f0afd02620052cee407204ad0d80b2bb0 (20200427025349)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=c9955025d4a5353568a56a1048292c665312fa95&tochange=f6310e0f0afd02620052cee407204ad0d80b2bb0
|
||
Comment 2•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/nEuSqdKXTv7bil8zwvuJig/index.html
|
||
Comment 3•2 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201212092303-8491ac4866e8) but not with tip (mozilla-central 20211210215852-9eb74149f75b.)
The bug appears to have been fixed in the following build range:
Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 194e31587e6c4174702a223b448e8748b1b4a144 (20210310045802)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=194e31587e6c4174702a223b448e8748b1b4a144
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 4•2 years ago
|
||
Setting regressed_by field after analyzing regression range found by bugmon.
Regressed by: 1632724
|
|
||
Updated•2 years ago
|
Keywords: regression
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1632724
status-firefox101:
--- → affected
status-firefox102:
--- → affected
status-firefox103:
--- → affected
status-firefox-esr91:
--- → affected
|
|
||
Comment 6•2 years ago
|
||
:masayuki, since you are the author of the regressor, bug 1632724, could you take a look?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
||
Comment 7•2 years ago
|
||
According to comment 3, this bug has already been "fixed" by bug 1677566. However, we should leave this open until adding the testcase into the tree.
Severity: normal → S3
Depends on: 1677566
Flags: needinfo?(masayuki)
OS: Unspecified → All
Priority: -- → P5
Hardware: Unspecified → All
You need to log in
before you can comment on or make changes to this bug.
Description
•