Open
Bug 1649568
Opened 4 years ago
Updated 1 months ago
Assertion failure: !aAncestorLimiter || aContent.IsInclusiveDescendantOf(aAncestorLimiter) (aContent isn't in aAncestorLimiter), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.h:489
Categories
(Core :: DOM: Editor, defect, P5)
Core
DOM: Editor
Tracking
()
ASSIGNED
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox80 | --- | wontfix |
| firefox101 | --- | fixed |
| firefox102 | --- | fixed |
| firefox103 | --- | fixed |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
542 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev adc328596e28 (built with --enable-debug).
Assertion failure: !aAncestorLimiter || aContent.IsInclusiveDescendantOf(aAncestorLimiter) (aContent isn't in aAncestorLimiter), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.h:489
rax = 0x00007f70acbca4e3 rdx = 0x0000000000000000
rcx = 0x0000555c825a4a58 rbx = 0x0000555c8426a770
rsi = 0x00007f70bdc408b0 rdi = 0x00007f70bdc3f680
rbp = 0x00007ffdcdb5b000 rsp = 0x00007ffdcdb5afc0
r8 = 0x00007f70bdc408b0 r9 = 0x00007f70beda6780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x0000555c84299ea0 r13 = 0x0000555c841211e0
r14 = 0x0000555c841211e0 r15 = 0x0000555c84299ea0
rip = 0x00007f70a7296226
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::HTMLEditUtils::GetAncestorBlockElement(nsIContent const&, nsINode const*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditUtils.h:adc328596e28636b03fabe701ec6a4d07054e5af|487|0x29
0|1|libxul.so|mozilla::HTMLEditor::RemoveEmptyInclusiveAncestorInlineElements(nsIContent&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3082|0xb
0|2|libxul.so|mozilla::EditorBase::DeleteSelectionWithTransaction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4146|0x13
0|3|libxul.so|mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3244|0xf
0|4|libxul.so|mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2531|0x10
0|5|libxul.so|mozilla::HTMLEditor::HandleDeleteSelection(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2370|0x13
0|6|libxul.so|mozilla::EditorBase::DeleteSelectionAsSubAction(short, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3762|0x14
0|7|libxul.so|mozilla::HTMLEditor::InsertBRElementAtSelectionWithTransaction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1150|0xc
0|8|libxul.so|mozilla::HTMLEditor::InsertLineBreakAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|986|0x8
0|9|libxul.so|mozilla::InsertLineBreakCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|921|0xb
0|10|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4880|0x33
0|11|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:8f7281e3ba1d600673dcaa1ac04d192ebae5bd1389403ef4cb1737261df8d246aba5da557aa502b708e3a3d18afebea6aedb14885532cb2904ce3fbf2ec40b9f/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|12|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3219|0x21
0|13|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|484|0x12
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|576|0xe
0|15|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|16|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|643|0xa
0|17|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|456|0xb
0|18|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|611|0x8
0|19|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|20|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|656|0xb
0|21|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2846|0x23
0|22|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|23|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|24|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1082|0x2c
0|25|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1279|0x15
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|355|0xb
0|27|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|557|0x19
0|28|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1054|0x5
0|29|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|0|0x8
0|30|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1301|0x10
0|31|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4051|0x23
0|32|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|4021|0x23
0|33|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|7197|0x21
0|34|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:adc328596e28636b03fabe701ec6a4d07054e5af|1238|0x17
0|35|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|146|0x11
0|36|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1234|0xe
0|37|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|504|0xc
0|38|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|87|0x7
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|41|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|137|0xd
0|42|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|913|0xe
0|43|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|237|0x5
0|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|46|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|744|0x5
0|47|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|56|0x11
0|48|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|303|0x20
0|49|libc.so.6||||0x21b97
0|50|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:adc328596e28636b03fabe701ec6a4d07054e5af|253|0x17
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200702152109-2d709e60c76e.
The bug appears to have been introduced in the following build range:
> Start: c9955025d4a5353568a56a1048292c665312fa95 (20200427094322)
> End: f6310e0f0afd02620052cee407204ad0d80b2bb0 (20200427025349)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=c9955025d4a5353568a56a1048292c665312fa95&tochange=f6310e0f0afd02620052cee407204ad0d80b2bb0
|
||
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/nEuSqdKXTv7bil8zwvuJig/index.html
|
||
Comment 3•3 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201212092303-8491ac4866e8) but not with tip (mozilla-central 20211210215852-9eb74149f75b.)
The bug appears to have been fixed in the following build range:
Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 194e31587e6c4174702a223b448e8748b1b4a144 (20210310045802)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=194e31587e6c4174702a223b448e8748b1b4a144
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 4•2 years ago
|
||
Setting regressed_by field after analyzing regression range found by bugmon.
Regressed by: 1632724
|
|
||
Updated•2 years ago
|
Keywords: regression
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1632724
status-firefox101:
--- → affected
status-firefox102:
--- → affected
status-firefox103:
--- → affected
status-firefox-esr91:
--- → affected
|
|
||
Comment 6•2 years ago
|
||
:masayuki, since you are the author of the regressor, bug 1632724, could you take a look?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 7•2 years ago
|
||
According to comment 3, this bug has already been "fixed" by bug 1677566. However, we should leave this open until adding the testcase into the tree.
Severity: normal → S3
Depends on: 1677566
Flags: needinfo?(masayuki)
OS: Unspecified → All
Priority: -- → P5
Hardware: Unspecified → All
|
|
||
Comment 8•2 months ago
|
||
(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(away until 10/14) from comment #7)
According to comment 3, this bug has already been "fixed" by bug 1677566. However, we should leave this open until adding the testcase into the tree.
Do you still plan to add the test case or can we close this?
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 9•1 months ago
|
||
Well, the testcase should be in the tree because it tests an error-prone path.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
You need to log in
before you can comment on or make changes to this bug.
Description
•