Closed Bug 1649572 Opened 4 years ago Closed 2 years ago

Assertion failure: !mPointToInsert.IsInDataNode(), at /builds/worker/checkouts/gecko/editor/libeditor/CreateElementTransaction.cpp:58

Categories

(Core :: DOM: Editor, defect, P5)

Tracking

()

RESOLVED FIXED
99 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox80 --- wontfix
firefox95 --- wontfix
firefox96 --- fixed
firefox97 --- fixed
firefox98 --- fixed
firefox99 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 933c9f34edfa (built with --enable-debug).

Assertion failure: !mPointToInsert.IsInDataNode(), at /builds/worker/checkouts/gecko/editor/libeditor/CreateElementTransaction.cpp:58

OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::CreateElementTransaction::CreateElementTransaction<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorBase&, nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/CreateElementTransaction.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|58|0x29
0|1|libxul.so|already_AddRefed<mozilla::CreateElementTransaction> mozilla::CreateElementTransaction::Create<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorBase&, nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/CreateElementTransaction.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|46|0x1e
0|2|libxul.so|mozilla::EditorBase::CreateNodeWithTransaction(nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1460|0x15
0|3|libxul.so|mozilla::HTMLEditor::InsertBRElementWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|3479|0x1d
0|4|libxul.so|mozilla::HTMLEditor::InsertBRElementAtSelectionWithTransaction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1167|0x10
0|5|libxul.so|mozilla::HTMLEditor::InsertLineBreakAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|986|0x8
0|6|libxul.so|mozilla::InsertLineBreakCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|921|0xb
0|7|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4880|0x33
0|8|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:8f7281e3ba1d600673dcaa1ac04d192ebae5bd1389403ef4cb1737261df8d246aba5da557aa502b708e3a3d18afebea6aedb14885532cb2904ce3fbf2ec40b9f/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|9|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|3219|0x21
0|10|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|484|0x12
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|576|0xe
0|12|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|639|0x10
0|13|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|643|0xa
0|14|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|456|0xb
0|15|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|611|0x8
0|16|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|639|0x10
0|17|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|656|0xb
0|18|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|2846|0x23
0|19|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|20|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|21|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1082|0x2c
0|22|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1279|0x15
0|23|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|355|0xb
0|24|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|557|0x19
0|25|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1054|0x5
0|26|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|0|0x8
0|27|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1301|0x10
0|28|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4051|0x23
0|29|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4021|0x23
0|30|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|7197|0x21
0|31|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1240|0x17
0|32|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|146|0x11
0|33|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1234|0xe
0|34|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|513|0xc
0|35|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|87|0x7
0|36|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|334|0x17
0|37|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|309|0x8
0|38|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|137|0xd
0|39|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|913|0xe
0|40|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|237|0x5
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|334|0x17
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|309|0x8
0|43|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|744|0x5
0|44|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|56|0x11
0|45|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|303|0x20
0|46|libc.so.6||||0x21b97
0|47|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:933c9f34edfab8d5cf2a5389304cf3708889eb1c|253|0x17
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
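Added example, not part of the bug report or of Mozilla's tooling: a small triage helper that parses pipe-delimited stack records like the ones in the trace above and reports the crash site and the first frame where page script entered native code. The field names and the `dom/bindings/` heuristic are assumptions drawn from the layout visible in the trace.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "index module function path line")

# Constructed sample abridged from the report's trace; REV/HASH are placeholders.
SAMPLE = """\
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::CreateElementTransaction::CreateElementTransaction<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorBase&, nsAtom&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/CreateElementTransaction.cpp:REV|58|0x29
0|6|libxul.so|mozilla::InsertLineBreakCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:REV|921|0xb
0|8|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:HASH/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|46|libc.so.6||||0x21b97
"""

def parse_frames(text):
    """Parse thread|frame|module|function|source|line|offset records."""
    frames = []
    for raw in text.splitlines():
        head = raw.split("|", 3)
        if len(head) < 4 or not head[0].isdigit() or head[3].count("|") < 3:
            continue  # OS|, CPU|, Crash| headers and malformed lines
        # Split the tail from the right so a '|' in a signature is harmless.
        function, source, line, _offset = head[3].rsplit("|", 3)
        path = (source.split(":") + ["", ""])[2]
        if source.startswith("s3:"):
            path = path.split("/", 1)[-1]  # drop the bucket hash directory
        frames.append(Frame(int(head[1]), head[2], function, path,
                            int(line) if line.isdigit() else None))
    return frames

def short_name(function):
    """Qualified name without return type, template arguments or parameters."""
    out, depth = [], 0
    for ch in function:
        if ch == "(" and depth == 0:
            break
        depth += (ch == "<") - (ch == ">")
        if depth == 0 and ch != ">":
            out.append(ch)
    name = "".join(out).split()
    return name[-1] if name else function

def triage(frames):
    """Crash site plus the first frame in a generated WebIDL binding."""
    top = frames[0]
    # Assumption: a dom/bindings/ frame marks where page script entered native code.
    entry = next((f for f in frames if f.path.startswith("dom/bindings/")), None)
    return {"site": f"{short_name(top.function)} ({top.path}:{top.line})",
            "script_entry": short_name(entry.function) if entry else None,
            "entry_depth": entry.index if entry else None}
```

Calling `triage(parse_frames(SAMPLE))` names the asserting constructor as the crash site and `Document_Binding::execCommand` at frame 8 as the script-facing entry, which is the information a triager needs to judge whether web content can reach the assertion.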
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200702152109-2d709e60c76e.
The bug appears to have been introduced in the following build range:
> Start: 1c8115a9a6842c045e0a75f268dd3a59e4f92833 (20200403182703)
> End: b9ebe58001d787bb0bbad6d39ae8681966d5a77f (20200403182815)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1c8115a9a6842c045e0a75f268dd3a59e4f92833&tochange=b9ebe58001d787bb0bbad6d39ae8681966d5a77f

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201212092303-8491ac4866e8) but not with tip (mozilla-central 20211210215852-9eb74149f75b.)
The bug appears to have been fixed in the following build range:

Start: dcbd261bc72b516b97cc9141c89dab9daf4df16d (20211126030414)
End: d4bd94bc7b58345d02f59b22f35ba6269d8fd2b0 (20211126053501)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dcbd261bc72b516b97cc9141c89dab9daf4df16d&tochange=d4bd94bc7b58345d02f59b22f35ba6269d8fd2b0
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Yeah, bug 1742744 stops using CreateElementTransaction so that the crash in it never occurs.

Currently, it can be backed out by flipping the pref if we get a regression report on important websites. Therefore, we should not add the testcase into the tree, to make the backout work simpler. When we delete CreateElementTransaction from the tree completely, we should add the reported testcase into the tree.

Assignee: nobody → masayuki
Severity: normal → S3
Status: NEW → ASSIGNED
Depends on: 1742744
OS: Unspecified → All
Priority: -- → P5
Hardware: Unspecified → All

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)
Flags: needinfo?(masayuki)
Regressed by: 1619914
Has Regression Range: --- → yes
Keywords: regression

Set release status flags based on info from the regressing bug 1619914

The reported issue is hitting MOZ_ASSERT in the constructor of
CreateElementTransaction, and CreateElementTransaction is now replaced
with InsertNodeTransaction. Therefore, the bug itself is never reproducible.
We should just add the reported testcase as a crashtest of WPT for now.

Perhaps we should add tests for the cases where the selection is collapsed in
a comment node. However, it's not urgent and I don't have much time to do it
right now.

Depends on D139718

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/1a80adc83c36
Add reported automated testcase r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/33011 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
Upstream PR merged by moz-wptsync-bot

Change the status for beta to have the same as nightly and release.
For more information, please visit auto_nag documentation.

Flags: in-testsuite? → in-testsuite+