Closed
Bug 1677566
Opened 4 years ago
Closed 3 years ago
Assertion failure: replaceRangeDataAtEnd.StartRef().EqualsOrIsBefore( rangeToDelete.EndRef()), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1872
Categories
(Core :: DOM: Editor, defect, P4)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
88 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | wontfix |
| firefox86 | --- | wontfix |
| firefox87 | --- | wontfix |
| firefox88 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 2 open bugs, Regressed 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev e22423381bcd (built with --enable-debug).
Assertion failure: replaceRangeDataAtEnd.StartRef().EqualsOrIsBefore( rangeToDelete.EndRef()), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1872
#0 0x7f3a7ebda361 in mozilla::WhiteSpaceVisibilityKeeper::MakeSureToKeepVisibleStateOfWhiteSpacesAroundDeletingRange(mozilla::HTMLEditor&, mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > > const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:1870:5
#1 0x7f3a7eb752b1 in PrepareToDeleteRange /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.h:1291:19
#2 0x7f3a7eb752b1 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:2899:19
#3 0x7f3a7eb716ea in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1604:29
#4 0x7f3a7eb702d1 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1084:43
#5 0x7f3a7ead5c01 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3772:7
#6 0x7f3a7eac6199 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:3736:8
#7 0x7f3a7eae01e8 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#8 0x7f3a7c0346b3 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5052:26
#9 0x7f3a7d031cdd in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3473:36
#10 0x7f3a7d394f2a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3229:13
#11 0x7f3a8034d9b1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
#12 0x7f3a8034d0e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:12
#13 0x7f3a8034ec93 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#14 0x7f3a80342993 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:668:10
#15 0x7f3a80342993 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3337:16
#16 0x7f3a803398c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:477:13
#17 0x7f3a8034d0b9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:13
#18 0x7f3a8034ec93 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#19 0x7f3a8034eecf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:681:8
#20 0x7f3a80933d4b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10
#21 0x7f3a7d0c598c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:57:8
#22 0x7f3a7d72a576 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#23 0x7f3a7d72a2bd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1073:43
#24 0x7f3a7d72af62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1270:17
#25 0x7f3a7d720232 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
#26 0x7f3a7d720232 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:352:17
#27 0x7f3a7d71f7e3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:554:16
#28 0x7f3a7d7222f0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1093:11
#29 0x7f3a7d724f36 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#30 0x7f3a7c1c39c3 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1315:17
#31 0x7f3a7becaeca in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4072:28
#32 0x7f3a7becad53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4042:10
#33 0x7f3a7c0400a3 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7369:3
#34 0x7f3a7c0b1476 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#35 0x7f3a7c0b1476 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#36 0x7f3a7c0b1476 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#37 0x7f3a7a47bc02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#38 0x7f3a7a481c1f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
#39 0x7f3a7a48028a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
#40 0x7f3a7a47f334 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
#41 0x7f3a7a47f4e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
#42 0x7f3a7a485476 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
#43 0x7f3a7a485476 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#44 0x7f3a7a4969f7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#45 0x7f3a7a49c73a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#46 0x7f3a7ad91d46 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#47 0x7f3a7ad018f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#48 0x7f3a7ad0180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#49 0x7f3a7ad0180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#50 0x7f3a7ea09608 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#51 0x7f3a80212c93 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#52 0x7f3a7ad92b09 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#53 0x7f3a7ad018f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#54 0x7f3a7ad0180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#55 0x7f3a7ad0180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#56 0x7f3a80212878 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#57 0x55a2d84d8a27 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#58 0x55a2d84d8a27 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#59 0x7f3a8f2fb0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201116210217-6b97acd45602.
The bug appears to have been introduced in the following build range:
Start: 9040cdaddc7c0b4d8e518bab272191759f3f6f6c (20200811100509)
End: 7941839958b6781e0584c62fb820850f42208fcd (20200811102015)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9040cdaddc7c0b4d8e518bab272191759f3f6f6c&tochange=7941839958b6781e0584c62fb820850f42208fcd
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
|
|
Assignee | |
Updated•3 years ago
|
Severity: normal → S3
Priority: -- → P4
|
|
Assignee | |
Updated•3 years ago
|
OS: Unspecified → All
Hardware: Unspecified → All
|
|
Assignee | |
Updated•3 years ago
|
See Also: → https://github.com/w3c/editing/issues/283
|
|
Assignee | |
Comment 2•3 years ago
|
||
It does not make sense WSRunScanner handles invisible white-spaces in
non-editable elements. Therefore, this patch makes it stop handling in the
cases.
Note that this change causes new fail of some WPTs. That will be fixed by
the following patch.
Depends on D106590
|
|
Assignee | |
Comment 3•3 years ago
|
||
Blink treats each non-editable node as an atomic object. E.g., deleting or
forward-deleting from next to a non-editable element, it deletes only one
non-editable element.
Unfortunately, our layout treat adjacent non-editable nodes as a node.
Therefore, the adding WPTs do not work, but they are not new regression of
this patch.
Depends on D107586
|
|
Assignee | |
Comment 4•3 years ago
|
||
For making delete handlers simpler, and set better target ranges to the
corresponding beforeinput event, we should ignore non-editable ranges
before handling deletion.
This patch makes editor stop handling deleteion when a range crosses editing
host boundaries. In this case, Gecko has done nothing, but fired
beforeinput event. Note that Blink deletes editable contents in the range
until it meets first non-editable content, but I don't think this is
a good behavior because it makes things complicated. Therefore, I filed
a spec issue: https://github.com/w3c/editing/issues/283
On the other hand, this behavior change causes different behavior in
https://searchfox.org/mozilla-central/source/editor/libeditor/crashtests/1345015.html
It tries to insert paragraph into <html> element, but our editor currently
does not support it. Therefore, it hits MOZ_ASSERT. Therefore, this patch
added a new check into HTMLEditor::InsertParagraphSeparatorAsSubAction().
Depends on D107587
|
||
Updated•3 years ago
|
Keywords: regression
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/e1bd15c09f4a part 1: `WSRunScanner::TextFragmentData` stop handling non-editable content r=m_kato https://hg.mozilla.org/integration/autoland/rev/999c9d18731d part 2: Make `HTMLEditUtils` treat a found non-editable element as a leaf node even if it has children r=m_kato https://hg.mozilla.org/integration/autoland/rev/52735c1a72f8 part 3: Ignore non-deletable ranges in `HTMLEditor::HandleDeleteSelection()` r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/28005 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/e1bd15c09f4a
https://hg.mozilla.org/mozilla-central/rev/999c9d18731d
https://hg.mozilla.org/mozilla-central/rev/52735c1a72f8
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Upstream PR merged by moz-wptsync-bot
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210310215846-db7158dfb86d.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
status-firefox86:
--- → wontfix
status-firefox87:
--- → wontfix
|
||
Updated•3 years ago
|
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•