Closed Bug 1693049 Opened 3 years ago Closed 3 years ago

Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aRootNode == RangeUtils::ComputeRootNode(aStartBoundary.Container()) &&

Categories

(Core :: DOM: Core & HTML, defect, P3)

Tracking

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- verified
firefox89 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev fc74eb2c7b84 (built with --enable-debug).

Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aRootNode == RangeUtils::ComputeRootNode(aStartBoundary.Container()) && aRootNode == RangeUtils::ComputeRootNode(aEndBoundary.Container())) (Wrong root), at /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:855

    #0 0x7f0c4379227b in void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:848:3
    #1 0x7f0c4379afe2 in nsRange::CloneRange() const /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:2212:10
    #2 0x7f0c436b4a95 in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2413:46
    #3 0x7f0c436b48bc in mozilla::dom::Selection::ExtendJS(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2340:3
    #4 0x7f0c44011db6 in mozilla::dom::Selection_Binding::extend(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SelectionBinding.cpp:777:24
    #5 0x7f0c4499c43a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3233:13
    #6 0x7f0c47a3fb61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #7 0x7f0c47a3f2d0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #8 0x7f0c47a40ab3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #9 0x7f0c47a357a3 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
    #10 0x7f0c47a357a3 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3243:16
    #11 0x7f0c47a2cd88 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #12 0x7f0c47a3f2f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #13 0x7f0c47a40ab3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #14 0x7f0c47a40cef in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #15 0x7f0c47fc830b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2861:10
    #16 0x7f0c44737d82 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:46:8
    #17 0x7f0c436dd0cc in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #18 0x7f0c436dcda8 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29
    #19 0x7f0c434e0765 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6240:38
    #20 0x7f0c436da9d2 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:896:44
    #21 0x7f0c436da114 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
    #22 0x7f0c436db712 in Notify /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:246:5
    #23 0x7f0c436db712 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp
    #24 0x7f0c419d292c in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:565:39
    #25 0x7f0c419d25a8 in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:252:11
    #26 0x7f0c419f378c in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #27 0x7f0c419ee2c1 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #28 0x7f0c419c730f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #29 0x7f0c419c5886 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:753:26
    #30 0x7f0c419c46e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #31 0x7f0c419c4897 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #32 0x7f0c419cb199 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:136:37
    #33 0x7f0c419cb199 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #34 0x7f0c419dc617 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
    #35 0x7f0c419e2a6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #36 0x7f0c422f8ef4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #37 0x7f0c42264563 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #38 0x7f0c4226447d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #39 0x7f0c4226447d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #40 0x7f0c460c3858 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #41 0x7f0c479045d3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #42 0x7f0c422f9e2c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #43 0x7f0c42264563 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #44 0x7f0c4226447d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #45 0x7f0c4226447d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #46 0x7f0c479041a8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #47 0x55dda00aff86 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #48 0x55dda00aff86 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
    #49 0x7f0c57dfa0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
See Also: → 1669342

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210216094005-fc74eb2c7b84.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 5df075b6a6bb092533d786fefc350535dd940f67 (20200218041021)
End: 00b18dc4bfac9e9d226627f9ccbf2a2f4e3e6a9d (20210216031051)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #1)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210216094005-fc74eb2c7b84.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 5df075b6a6bb092533d786fefc350535dd940f67 (20200218041021)
End: 00b18dc4bfac9e9d226627f9ccbf2a2f4e3e6a9d (20210216031051)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Link to "Start" revision: https://hg.mozilla.org/mozilla-central/rev/5df075b6a6bb092533d786fefc350535dd940f67.

Severity: -- → S4
Priority: -- → P3
See Also: → 381012
See Also: → 1647442

Mirko, it seems from here that you have a good understanding of this code - would you mind to take a look at the pernosco trace?

Flags: needinfo?(mbrodesser)

I've refactored related code but I don't have a complete understanding of that code. The first step should be to determine whether this duplicates bug 1669342. I'll have a closer look in the coming days.

aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) is false. There's no Pernosco run for bug 1669342, so it requires manual reproduction to determine if it's a duplicate of this ticket.

(pernosco) print aStartBoundary.Container()
$13 = (nsTextNode *) 0x55934acae250
(pernosco) print aRootNode
$14 = (mozilla::dom::HTMLInputElement *) 0x55934ad991e0
(pernosco) print aStartBoundary.Container()->mText
$16 = {{m2b = 0x55934aeb9420, m1b = 0x55934aeb9420 "ResetU"}, {mAllBits = 41, mState = {mInHeap = 1, mIs2b = 0, mIsBidi = 0, mLength = 5}}}

That is, aStartBoundary.Container() is presumably an anonymous child of aRootNode.

Assignee: nobody → mbrodesser
Flags: needinfo?(mbrodesser)

It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.

@masayuki: if that's unnecessary, why?

The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.
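To make the reasoning in the comment above concrete, the following is an added Node.js model of the four conjuncts that the assertion at nsRange.cpp:855 checks. It is example code written for this page, not code from the bug, from Gecko, or from either commenter. TreeNode stands in for nsINode, and the anonymousOwner field is an assumption that approximates how Gecko roots native anonymous content at the element owning it (the reason aRootNode is the HTMLInputElement in the Pernosco output above); computeRootNode is therefore an approximation of RangeUtils::ComputeRootNode, not its source. The scenario is constructed to show one way the first conjunct, the one found false in the trace, can stop holding once the tree changes under a range that was valid when DoSetRange last ran; it is not a claim about what the attached testcase does.

```javascript
"use strict";

// Minimal stand-in for nsINode (example code, not Gecko): just enough of the
// parent chain to evaluate the assertion's conjuncts. anonymousOwner marks
// native anonymous content with the element that owns it (an assumption that
// approximates Gecko's binding parent).
class TreeNode {
  constructor(name, anonymousOwner = null) {
    this.name = name;
    this.parent = null;
    this.children = [];
    this.anonymousOwner = anonymousOwner;
  }
  append(child) {
    child.parent = this;
    this.children.push(child);
    return child;
  }
  // Unbind this subtree from its parent, as happens when anonymous content is torn down.
  remove() {
    if (!this.parent) return;
    this.parent.children = this.parent.children.filter((c) => c !== this);
    this.parent = null;
  }
  // nsINode::IsInclusiveDescendantOf: walk the parent chain looking for ancestor.
  isInclusiveDescendantOf(ancestor) {
    for (let n = this; n; n = n.parent) if (n === ancestor) return true;
    return false;
  }
  subtreeRoot() {
    let n = this;
    while (n.parent) n = n.parent;
    return n;
  }
}

// Approximation of RangeUtils::ComputeRootNode (assumption, not Gecko's code):
// anonymous content is rooted at the element that owns it, anything else at the
// top of its parent chain.
function computeRootNode(node) {
  if (!node) return null;
  if (node.anonymousOwner) return node.anonymousOwner;
  return node.subtreeRoot();
}

// The conjuncts of the assertion, evaluated in the same order. Returns null when
// they all hold, otherwise the name of the first conjunct that fails.
function checkRangeRoot(startContainer, endContainer, rootNode, notInsertedYet = false) {
  if (!rootNode || notInsertedYet) return null;
  if (!startContainer.isInclusiveDescendantOf(rootNode)) return "start container not under root";
  if (!endContainer.isInclusiveDescendantOf(rootNode)) return "end container not under root";
  if (computeRootNode(startContainer) !== rootNode) return "start root mismatch";
  if (computeRootNode(endContainer) !== rootNode) return "end root mismatch";
  return null;
}

// Constructed scenario: a collapsed range whose boundaries sit in an <input>'s
// anonymous text node, checked before and after that anonymous subtree is
// replaced while the range still holds its old boundary and mRoot.
function scenario() {
  const document = new TreeNode("#document");
  const body = document.append(new TreeNode("body"));
  const input = body.append(new TreeNode("input"));
  const anonDiv = input.append(new TreeNode("div (anonymous)", input));
  const text = anonDiv.append(new TreeNode('#text "Reset"', input));

  const root = computeRootNode(text); // the <input>, as in the Pernosco output
  const before = checkRangeRoot(text, text, root);

  // Tear down and rebuild the anonymous subtree; the range is not updated.
  anonDiv.remove();
  input.append(new TreeNode("div (anonymous, rebuilt)", input));
  const after = checkRangeRoot(text, text, root);

  return { rootName: root.name, before, after };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scenario());
}
```

The point of the model is the ordering of the checks: computeRootNode still answers "the input" for the stale text node, so mRoot alone looks plausible; only the IsInclusiveDescendantOf walk exposes that the boundary container has been unbound from the tree the range believes it lives in.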

(In reply to Mirko Brodesser (:mbrodesser) from comment #7)

It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.

@masayuki: if that's unnecessary, why?

Because it should be cleared by DoSetRange call here.
https://searchfox.org/mozilla-central/rev/1624c3803a808e3e148b2fa54258c13bc8a2d09d/dom/base/nsRange.cpp#177-179

(In reply to Mirko Brodesser (:mbrodesser) from comment #8)

The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.

The MOZ_ASSERT is wrong. I'll post rewriting patches to bug 1669342. Probably, this bug is fixed by it although it may cause another assertion hit.

Flags: needinfo?(masayuki)

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(Still not recoverd perfectly) from comment #9)

(In reply to Mirko Brodesser (:mbrodesser) from comment #7)

It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.

@masayuki: if that's unnecessary, why?

Because it should be cleared by DoSetRange call here.
https://searchfox.org/mozilla-central/rev/1624c3803a808e3e148b2fa54258c13bc8a2d09d/dom/base/nsRange.cpp#177-179

Oh, thanks for pointing this out. It's not really obvious when one isn't too familiar with the CC. It seems it would be cleaner if the clean-up happened at exactly one location in the code.

(In reply to Mirko Brodesser (:mbrodesser) from comment #8)

The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.

The MOZ_ASSERT is wrong. I'll post rewriting patches to bug 1669342. Probably, this bug is fixed by it although it may cause another assertion hit.

Thanks for working on the related ticket, bug 1669342. I'll pause the work on this ticket.

Assignee: mbrodesser → nobody
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/fb3ba9b86cad
Add a crashtest (the bug itself was fixed in bug 1669342) r=mbrodesser
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

The bug itself was fixed in bug 1669342. The patch just added the reported testcase into the tree.

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210324040732-768e04aaea52.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite? → in-testsuite+

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

Sorry, wrong needinfo because of a bug in the bot.

Flags: needinfo?(masayuki)
