Closed
Bug 1659716
Opened 4 years ago
Closed 2 years ago
Assertion failure: atPreviousContent.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:343
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
RESOLVED
FIXED
105 Branch
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 1891b1e3fa34 (built with --enable-debug).
Assertion failure: atPreviousContent.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:343
#0 0x7f521f633748 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f521f633748 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsIContent&, mozilla::Maybe<nsAtom*> const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:343:5
#2 0x7f521f585110 in mozilla::HTMLEditor::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:4705:31
#3 0x7f521f585675 in mozilla::HTMLEditor::AutoBlockElementsJoiner::HandleDeleteCollapsedSelectionAtCurrentBlockBoundary(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3290:27
#4 0x7f521f580e40 in mozilla::HTMLEditor::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) /builds/worker/workspace/obj-build/dist/include/mozilla/HTMLEditor.h:2775:15
#5 0x7f521f57cc88 in mozilla::HTMLEditor::HandleDeleteAroundCollapsedRanges(short, short, mozilla::AutoRangeArray&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2685:16
#6 0x7f521f57b54d in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short, mozilla::AutoRangeArray&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2529:33
#7 0x7f521f57a474 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2386:29
#8 0x7f521f53f321 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3738:7
#9 0x7f521f53023a in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3707:8
#10 0x7f521f5495e8 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#11 0x7f521cbb13f8 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4913:26
#12 0x7f521dbdedea in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3470:36
#13 0x7f521df4c111 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3227:13
#14 0x7f5220de7961 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
#15 0x7f5220de70d2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:12
#16 0x7f5220de8c9f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#17 0x7f5220ddc618 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:668:10
#18 0x7f5220ddc618 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3336:16
#19 0x7f5220dd2e93 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:468:13
#20 0x7f5220de708f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:13
#21 0x7f5220de8c9f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#22 0x7f5220de8e7f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:681:8
#23 0x7f5220ef8267 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2831:10
#24 0x7f521dc73c93 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#25 0x7f521e2f7346 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#26 0x7f521e2f706d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
#27 0x7f521e2f7d03 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
#28 0x7f521e2ed6a4 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
#29 0x7f521e2ed6a4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
#30 0x7f521e2ecc41 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
#31 0x7f521e2ef7f2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
#32 0x7f521e2f1e56 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#33 0x7f521cd42263 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1300:17
#34 0x7f521ca5a59a in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4048:28
#35 0x7f521ca5a423 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4018:10
#36 0x7f521cbbc0f3 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7224:3
#37 0x7f521cc2c086 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#38 0x7f521cc2c086 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#39 0x7f521cc2c086 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#40 0x7f521ac9e2c2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#41 0x7f521aca4124 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
#42 0x7f521aca1eed in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
#43 0x7f521aca0eb4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
#44 0x7f521aca1067 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
#45 0x7f521aca8c56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
#46 0x7f521aca8c56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#47 0x7f521acbc0a8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1242:14
#48 0x7f521acc1a7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#49 0x7f521b5e07af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#50 0x7f521b551043 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#51 0x7f521b550f5d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#52 0x7f521b550f5d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#53 0x7f521f47de18 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#54 0x7f5220ca5b03 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#55 0x7f521b5e1577 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#56 0x7f521b551043 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#57 0x7f521b550f5d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#58 0x7f521b550f5d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#59 0x7f5220ca56a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#60 0x55e2484cb09f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#61 0x55e2484cb09f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#62 0x7f5236476b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200818153308-c38fb352aacf.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: aa98a6ece5fbbe2b09796d543fa91db5735a44a9 (20200818041548)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210807092614-7338d7d94091) but not with tip (mozilla-central 20220805213002-85dd3c18eb48.)
The bug appears to have been fixed in the following build range:
Start: e54a1ebb8e121afe592198cd88fefc58cd2b2790 (20220804050746)
End: a0dd784acd4c5a932d89ed8adc63fe62d8207618 (20220804051000)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e54a1ebb8e121afe592198cd88fefc58cd2b2790&tochange=a0dd784acd4c5a932d89ed8adc63fe62d8207618
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(jkratzer)
Keywords: bugmon
|
|
Reporter | |
Comment 3•2 years ago
|
||
:masayuki, is it possible that this was fixed via bug 1774704?
Flags: needinfo?(jkratzer) → needinfo?(masayuki)
|
Assignee | |
Comment 4•2 years ago
|
||
It's hard to say because I didn't try to change the behavior in web apps which do not refer Selection from the legacy DOM mutation events.
On the other hand, it stops updating Selection after each DOM tree mutation. Therefore, there was a bug which caused returning error, but execCommand never throws exception anymore (bug 1697078), so I guess that we've failed to update Selection and stopped handling justifyLeft command, but it's now skipped. Therefore, the DOM tree after calling execCommand("justifyLeft") has been changed by the patch.
I'll add the automated test into the tree, anyway.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
status-firefox103:
--- → wontfix
status-firefox104:
--- → wontfix
status-firefox105:
--- → fixed
Depends on: 1774704
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 5•2 years ago
|
||
The assertion hit has been fixed by the part 7-7 of bug 1774704. I didn't try
to change any behavior with the patch, however, it stops updating Selection
immediately after every DOM tree change. Therefore I guess that updating
Selection at execCommand("justifyLeft") may have failed, and it's now
skipped after handling everything, so the DOM tree after calling it must be
changed by the patch (note that we've stopped throwing from
Document.execCommand, so failing to handle the command does not cause stopping
the JS).
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/4ea96139bf43 Add the reported testcase to WPT r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/35429 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Upstream PR merged by moz-wptsync-bot
|
||
Updated•2 years ago
|
status-firefox-esr102:
--- → wontfix
status-firefox-esr91:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•