Closed
Bug 1659717
Opened 4 years ago
Closed 4 years ago
Assertion failure: selection->GetAnchorFocusRange()->StartRef() == mAnchorFocusRange->StartRef(), at /builds/worker/checkouts/gecko/editor/libeditor/EditorUtils.cpp:107
Categories
(Core :: DOM: Editor, defect, P2)
Core
DOM: Editor
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox79 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | fixed |
| firefox82 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
|
332 bytes,
text/html
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 1891b1e3fa34 (built with --enable-debug).
Assertion failure: selection->GetAnchorFocusRange()->StartRef() == mAnchorFocusRange->StartRef(), at /builds/worker/checkouts/gecko/editor/libeditor/EditorUtils.cpp:107
#0 0x7f06a3347c80 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f06a3347c80 in mozilla::AutoRangeArray::ExtendAnchorFocusRangeFor(mozilla::EditorBase&, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorUtils.cpp:106:3
#2 0x7f06a33724f7 in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short, mozilla::AutoRangeArray&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2512:25
#3 0x7f06a3371474 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2386:29
#4 0x7f06a3336321 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3738:7
#5 0x7f06a332723a in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3707:8
#6 0x7f06a33405e8 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#7 0x7f06a09a83f8 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4913:26
#8 0x7f06a19d5dea in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3470:36
#9 0x7f06a1d43111 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3227:13
#10 0x7f06a4bde961 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
#11 0x7f06a4bde0d2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:12
#12 0x7f06a4bdfc9f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#13 0x7f06a4bd3618 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:668:10
#14 0x7f06a4bd3618 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3336:16
#15 0x7f06a4bc9e93 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:468:13
#16 0x7f06a4bde08f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:13
#17 0x7f06a4bdfc9f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#18 0x7f06a4bdfe7f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:681:8
#19 0x7f06a4cef267 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2831:10
#20 0x7f06a1a6ac93 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#21 0x7f06a20ee346 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#22 0x7f06a20ee06d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
#23 0x7f06a20eed03 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
#24 0x7f06a20e46a4 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
#25 0x7f06a20e46a4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
#26 0x7f06a20e3c41 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
#27 0x7f06a20e67f2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
#28 0x7f06a20e8e56 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#29 0x7f06a0b39263 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1300:17
#30 0x7f06a085159a in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4048:28
#31 0x7f06a0851423 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4018:10
#32 0x7f06a09b30f3 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7224:3
#33 0x7f06a0a23086 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#34 0x7f06a0a23086 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#35 0x7f06a0a23086 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#36 0x7f069ea952c2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#37 0x7f069ea9b124 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
#38 0x7f069ea98eed in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
#39 0x7f069ea97eb4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
#40 0x7f069ea98067 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
#41 0x7f069ea9fc56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
#42 0x7f069ea9fc56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#43 0x7f069eab30a8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1242:14
#44 0x7f069eab8a7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#45 0x7f069f3d77af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#46 0x7f069f348043 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#47 0x7f069f347f5d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#48 0x7f069f347f5d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#49 0x7f06a3274e18 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#50 0x7f06a4a9cb03 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#51 0x7f069f3d8577 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#52 0x7f069f348043 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#53 0x7f069f347f5d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#54 0x7f069f347f5d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#55 0x7f06a4a9c6a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#56 0x556d5acd309f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#57 0x556d5acd309f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#58 0x7f06ba1f8b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200818153308-c38fb352aacf.
The bug appears to have been introduced in the following build range:
> Start: 9040cdaddc7c0b4d8e518bab272191759f3f6f6c (20200811100509)
> End: 7941839958b6781e0584c62fb820850f42208fcd (20200811102015)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9040cdaddc7c0b4d8e518bab272191759f3f6f6c&tochange=7941839958b6781e0584c62fb820850f42208fcd
|
Assignee | |
Comment 3•4 years ago
|
||
Yeah, indeed, this occurs what I didn't assume.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P2
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 4•4 years ago
|
||
Set release status flags based on info from the regressing bug 1657269
status-firefox79:
--- → unaffected
status-firefox80:
--- → unaffected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
|
Assignee | |
Comment 5•4 years ago
|
||
The assertion detects actual regression so that we need to fix this even with uplifting.
Root Cause: --- → Coding: Logical Error
|
|
||
Updated•4 years ago
|
Keywords: regression
|
|
Assignee | |
Comment 6•4 years ago
|
||
If AutoSetTemporaryAncestorLimiter sets ancestor limiter of the Selection,
existing range which is already cached by AutoRangeArray may be changed
into the new limiter.
Therefore, this patch makes AutoSetTemporaryAncestorLimiter take
AutoRangeArray optionally and reset it only when it sets new limiter for
the performance.
|
||
Comment 7•4 years ago
|
||
Hi Masayuki, can you please set a suitable severity for this bug? Thank you!
Flags: needinfo?(masayuki)
|
|
Assignee | |
Updated•4 years ago
|
Severity: normal → S3
Flags: needinfo?(masayuki)
|
|
Assignee | |
Updated•4 years ago
|
OS: Unspecified → All
Hardware: Unspecified → All
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/5c0af3d7bd69
Make `AutoSetTemporaryAncestorLimiter` update cached ranges if selection limiter is updated r=m_kato
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox82:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
|
Assignee | |
Comment 10•4 years ago
|
||
Comment on attachment 9171309 [details]
Bug 1659717 - Make AutoSetTemporaryAncestorLimiter update cached ranges if selection limiter is updated r=m_kato!
Beta/Release Uplift Approval Request
- User impact if declined: This is new regression, and may delete unexpected range without this patch when user or web app tries to delete selected range if web app has contenteditable and manage its editable state with complicated logic.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): When the stack class touches
Selection, this patch just make it update the cache ofSelectionwhich is used for considering delete ranges inHTMLEditor. - String changes made/needed: No.
Attachment #9171309 -
Flags: approval-mozilla-beta?
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 11•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200825094622-e9ff11c7fe04.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Comment 12•4 years ago
|
||
Comment on attachment 9171309 [details]
Bug 1659717 - Make AutoSetTemporaryAncestorLimiter update cached ranges if selection limiter is updated r=m_kato!
Approved for 81.0b2. Thanks for including a test.
Attachment #9171309 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 13•4 years ago
|
||
| bugherder uplift | ||
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•