Closed Bug 1655539 Opened 5 years ago Closed 4 years ago

Assertion failure: rangeToDelete.EndRef().EqualsOrIsBefore( replaceRangeDataAtEnd.EndRef()), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1250

Categories

(Core :: DOM: Editor, defect, P4)

Tracking

VERIFIED FIXED
88 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox81 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug).

Assertion failure: rangeToDelete.EndRef().EqualsOrIsBefore( replaceRangeDataAtEnd.EndRef()), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1250

==18486==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f11924b9c03 bp 0x7ffccdb47450 sp 0x7ffccdb46db0 T18486)
==18486==The signal is caused by a WRITE memory access.
==18486==Hint: address points to the zero page.
    #0 0x7f11924b9c02 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f11924b9c02 in mozilla::WhiteSpaceVisibilityKeeper::MakeSureToKeepVisibleStateOfWhiteSpacesAroundDeletingRange(mozilla::HTMLEditor&, mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > > const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1249:5
    #2 0x7f11924b9f1e in mozilla::WhiteSpaceVisibilityKeeper::PrepareToDeleteRange(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >*) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:95:17
    #3 0x7f11924098ff in mozilla::HTMLEditor::HandleDeleteNonCollapsedSelection(short, short, mozilla::HTMLEditor::SelectionWasCollapsed) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3200:19
    #4 0x7f1192406f98 in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2521:29
    #5 0x7f11924064e4 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2360:7
    #6 0x7f11923cc32e in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3763:7
    #7 0x7f11923bcb0c in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3732:8
    #8 0x7f11923d69e8 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
    #9 0x7f118f962ca8 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4910:26
    #10 0x7f1190a4af82 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3469:36
    #11 0x7f1190df6071 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3220:13
    #12 0x7f1193c693f1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
    #13 0x7f1193c68c69 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
    #14 0x7f1193c6a72f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #15 0x7f1193c5dc2b in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:644:10
    #16 0x7f1193c5dc2b in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3333:16
    #17 0x7f1193c54316 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
    #18 0x7f1193c68bc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #19 0x7f1193c6a72f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #20 0x7f1193c6a90f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
    #21 0x7f1193d7ad87 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
    #22 0x7f1190aed7d3 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #23 0x7f11911a19c6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #24 0x7f11911a16ed in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
    #25 0x7f11911a2383 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #26 0x7f1191197c44 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
    #27 0x7f1191197c44 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #28 0x7f11911971e1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #29 0x7f1191199da9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #30 0x7f119119c2f6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #31 0x7f118faf3433 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1300:17
    #32 0x7f118f80c4fa in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4048:28
    #33 0x7f118f80c383 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4018:10
    #34 0x7f118f96d9f3 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7219:3
    #35 0x7f118f9dc0b6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #36 0x7f118f9dc0b6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #37 0x7f118f9dc0b6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #38 0x7f118da2f142 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #39 0x7f118da35194 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #40 0x7f118da32f5d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #41 0x7f118da31d44 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #42 0x7f118da31f36 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #43 0x7f118da39b56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #44 0x7f118da39b56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #45 0x7f118da4d8f9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #46 0x7f118da5341a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #47 0x7f118e35f47f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #48 0x7f118e2d0733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #49 0x7f118e2d064d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #50 0x7f118e2d064d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7f1192315358 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #52 0x7f1193b261f3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #53 0x7f118e360247 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #54 0x7f118e2d0733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #55 0x7f118e2d064d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #56 0x7f118e2d064d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #57 0x7f1193b25ce7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #58 0x55d160bdafb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #59 0x55d160bdafb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #60 0x7f11a9012b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

UndefinedBehaviorSanitizer can not provide additional info.
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200804022706-fdfd1e91d204. The bug appears to have been introduced in the following build range:
> Start: 4b04d694fb5c80287ed777013214f672236197cb (20200716233816)
> End: b1f1014ba56d5046949ae02de03d1b7ef95ab9c5 (20200716233928)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4b04d694fb5c80287ed777013214f672236197cb&tochange=b1f1014ba56d5046949ae02de03d1b7ef95ab9c5
Flags: needinfo?(masayuki)
Regressed by: 1651874
See Also: → 1655988
Has Regression Range: --- → yes
Assignee: nobody → masayuki
Severity: normal → S3
Status: NEW → ASSIGNED
Depends on: 1677566
Flags: needinfo?(masayuki)
OS: Unspecified → All
Priority: -- → P4
Hardware: Unspecified → All
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/62ad5212f00b
Add crash test (the bug itself is fixed by the patch for bug 1677566) r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Flags: in-testsuite? → in-testsuite+

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210310215846-db7158dfb86d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon