Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aRootNode == RangeUtils::ComputeRootNode(aStartBoundary.Container()) &&
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: jkratzer, Assigned: masayuki
References: Blocks 2 open bugs
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev fc74eb2c7b84 (built with --enable-debug).
Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aRootNode == RangeUtils::ComputeRootNode(aStartBoundary.Container()) && aRootNode == RangeUtils::ComputeRootNode(aEndBoundary.Container())) (Wrong root), at /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:855
#0 0x7f0c4379227b in void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:848:3
#1 0x7f0c4379afe2 in nsRange::CloneRange() const /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:2212:10
#2 0x7f0c436b4a95 in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2413:46
#3 0x7f0c436b48bc in mozilla::dom::Selection::ExtendJS(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2340:3
#4 0x7f0c44011db6 in mozilla::dom::Selection_Binding::extend(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SelectionBinding.cpp:777:24
#5 0x7f0c4499c43a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3233:13
#6 0x7f0c47a3fb61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
#7 0x7f0c47a3f2d0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
#8 0x7f0c47a40ab3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#9 0x7f0c47a357a3 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
#10 0x7f0c47a357a3 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3243:16
#11 0x7f0c47a2cd88 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
#12 0x7f0c47a3f2f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
#13 0x7f0c47a40ab3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#14 0x7f0c47a40cef in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
#15 0x7f0c47fc830b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2861:10
#16 0x7f0c44737d82 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:46:8
#17 0x7f0c436dd0cc in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:72:12
#18 0x7f0c436dcda8 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29
#19 0x7f0c434e0765 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6240:38
#20 0x7f0c436da9d2 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:896:44
#21 0x7f0c436da114 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
#22 0x7f0c436db712 in Notify /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:246:5
#23 0x7f0c436db712 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp
#24 0x7f0c419d292c in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:565:39
#25 0x7f0c419d25a8 in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:252:11
#26 0x7f0c419f378c in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
#27 0x7f0c419ee2c1 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
#28 0x7f0c419c730f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
#29 0x7f0c419c5886 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:753:26
#30 0x7f0c419c46e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
#31 0x7f0c419c4897 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
#32 0x7f0c419cb199 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:136:37
#33 0x7f0c419cb199 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#34 0x7f0c419dc617 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
#35 0x7f0c419e2a6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#36 0x7f0c422f8ef4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#37 0x7f0c42264563 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#38 0x7f0c4226447d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#39 0x7f0c4226447d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#40 0x7f0c460c3858 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#41 0x7f0c479045d3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#42 0x7f0c422f9e2c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#43 0x7f0c42264563 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#44 0x7f0c4226447d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#45 0x7f0c4226447d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#46 0x7f0c479041a8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#47 0x55dda00aff86 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#48 0x55dda00aff86 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
#49 0x7f0c57dfa0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1 • 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210216094005-fc74eb2c7b84.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 5df075b6a6bb092533d786fefc350535dd940f67 (20200218041021)
End: 00b18dc4bfac9e9d226627f9ccbf2a2f4e3e6a9d (20210216031051)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Comment 2 • 4 years ago
(In reply to Bugmon [:jkratzer for issues] from comment #1)
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210216094005-fc74eb2c7b84.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 5df075b6a6bb092533d786fefc350535dd940f67 (20200218041021)
End: 00b18dc4bfac9e9d226627f9ccbf2a2f4e3e6a9d (20210216031051)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Link to "Start" revision: https://hg.mozilla.org/mozilla-central/rev/5df075b6a6bb092533d786fefc350535dd940f67.
Comment 3 • 4 years ago
A Pernosco session is available here: https://pernos.co/debug/tnFRttLqFNO20kM4yLzvZA/index.html
Comment 4 • 4 years ago
Mirko, it seems from here that you have a good understanding of this code - would you mind taking a look at the Pernosco trace?
Comment 5 • 4 years ago
I've refactored related code but I don't have a complete understanding of that code. The first step should be to determine whether this duplicates bug 1669342. I'll have a closer look in the coming days.
Comment 6 • 4 years ago
aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) is false. There's no Pernosco run for bug 1669342, so it requires manual reproduction to determine if it's a duplicate of this ticket.
(pernosco) print aStartBoundary.Container()
$13 = (nsTextNode *) 0x55934acae250
(pernosco) print aRootNode
$14 = (mozilla::dom::HTMLInputElement *) 0x55934ad991e0
print aStartBoundary.Container()->mText
$16 = {{m2b = 0x55934aeb9420, m1b = 0x55934aeb9420 "ResetU"}, {mAllBits = 41, mState = {mInHeap = 1, mIs2b = 0, mIsBidi = 0, mLength = 5}}}
That is, aStartBoundary.Container() is presumably an anonymous child of aRootNode.
Comment 7 • 4 years ago
It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.
@masayuki: if that's unnecessary, why?
Comment 8 • 4 years ago
The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.
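As an added illustration (not Gecko's code and not posted by anyone in this thread), here is a small plain-JavaScript model of the "Wrong root" invariant asserted in nsRange::DoSetRange, together with the reasoning from comment 8: every caller passes aNotInsertedYet=false, so the condition must hold whenever DoSetRange returns, and a failure that shows up only in CloneRange means mStart, mEnd or mRoot were changed afterwards. The ModelNode and ModelRange classes, the parent-chain walk, and the scenario tree are assumptions of the model; computeRootNode here simply takes the topmost ancestor.

```javascript
// Added example (not Gecko code): a plain-JS model of the "Wrong root" invariant
// checked in nsRange::DoSetRange. ModelNode, ModelRange and the scenario tree are
// assumptions made for illustration.

class ModelNode {
  constructor(name, parent = null) {
    this.name = name;
    this.children = [];
    this.parent = parent;           // null for a tree root
    if (parent) parent.children.push(this);
  }
}

// Analogue of nsINode::IsInclusiveDescendantOf: walk the parent chain upward.
function isInclusiveDescendantOf(node, ancestor) {
  for (let n = node; n; n = n.parent) {
    if (n === ancestor) return true;
  }
  return false;
}

// Analogue of RangeUtils::ComputeRootNode for this model: the topmost ancestor.
function computeRootNode(node) {
  let n = node;
  while (n.parent) n = n.parent;
  return n;
}

// The condition the assertion states; false means "Wrong root".
function rangeRootIsConsistent(startContainer, endContainer, root, notInsertedYet) {
  return !root || notInsertedYet ||
    (isInclusiveDescendantOf(startContainer, root) &&
     isInclusiveDescendantOf(endContainer, root) &&
     root === computeRootNode(startContainer) &&
     root === computeRootNode(endContainer));
}

class ModelRange {
  constructor() { this.start = null; this.end = null; this.root = null; }

  // DoSetRange analogue. Per comment 8, every caller passes notInsertedYet=false,
  // so the invariant must hold whenever this returns normally.
  doSetRange(start, end, root, notInsertedYet = false) {
    if (!rangeRootIsConsistent(start, end, root, notInsertedYet)) {
      throw new Error("Wrong root");
    }
    this.start = start;
    this.end = end;
    this.root = root;
  }

  // CloneRange analogue: re-applies the stored boundaries and root to a fresh
  // range, which is why a stale member is only noticed here.
  cloneRange() {
    const copy = new ModelRange();
    copy.doSetRange(this.start, this.end, this.root, false);
    return copy;
  }
}

// Constructed scenario: a range whose members are later changed behind its back.
function demo() {
  const doc = new ModelNode("#document");
  const body = new ModelNode("body", doc);
  const input = new ModelNode("input", body);
  const text = new ModelNode("#text", input);

  const range = new ModelRange();
  range.doSetRange(text, text, doc);      // invariant holds: text is under doc
  const clone = range.cloneRange();       // still holds, clone succeeds

  // Something outside DoSetRange replaces the root with a node that is not an
  // ancestor of the boundaries (the kind of mutation comment 8 infers).
  range.root = new ModelNode("#other-document");
  let cloneFailed = false;
  try {
    range.cloneRange();
  } catch (e) {
    cloneFailed = e.message === "Wrong root";
  }
  return { firstCloneRoot: clone.root === doc, cloneFailed };
}
```

The point of the model is the asymmetry it reproduces: the range is set up once and passes the check, but a member mutated outside doSetRange is only caught when cloneRange re-runs the same check, which matches where the stack in comment 0 reports the failure.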
Comment 9 • 4 years ago (Assignee)
(In reply to Mirko Brodesser (:mbrodesser) from comment #7)
It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.
@masayuki: if that's unnecessary, why?
Because it should be cleared by the DoSetRange call here:
https://searchfox.org/mozilla-central/rev/1624c3803a808e3e148b2fa54258c13bc8a2d09d/dom/base/nsRange.cpp#177-179
(In reply to Mirko Brodesser (:mbrodesser) from comment #8)
The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.
The MOZ_ASSERT is wrong. I'll post rewriting patches to bug 1669342. Probably, this bug is fixed by it although it may cause another assertion hit.
Comment 10 • 4 years ago
(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(Still not recoverd perfectly) from comment #9)
(In reply to Mirko Brodesser (:mbrodesser) from comment #7)
It's suspicious that AbstractRange::ClearForReuse doesn't reset nsRange's members, such as mRoot.
@masayuki: if that's unnecessary, why?
Because it should be cleared by the DoSetRange call here:
https://searchfox.org/mozilla-central/rev/1624c3803a808e3e148b2fa54258c13bc8a2d09d/dom/base/nsRange.cpp#177-179
Oh, thanks for pointing this out. It's not really obvious when one isn't too familiar with the CC. It seems it would be cleaner if the clean-up happened at exactly one location in the code.
(In reply to Mirko Brodesser (:mbrodesser) from comment #8)
The invalidity of the range is detected only when nsRange::CloneRange is called. nsRange::DoSetRange is always called with aNotInsertedYet=false. Hence all conditions in the violated assertion always have to be true when calling nsRange::DoSetRange not from nsRange::CloneRange. That is, after some call to nsRange::DoSetRange, mStart, mEnd or mRoot are modified.
The MOZ_ASSERT is wrong. I'll post rewriting patches to bug 1669342. Probably, this bug is fixed by it although it may cause another assertion hit.
Thanks for working on the related ticket, bug 1669342. I'll pause the work on this ticket.
Comment 11 • 4 years ago
Comment 12 • 4 years ago
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/fb3ba9b86cad Add a crashtest (the bug itself was fixed in bug 1669342) r=mbrodesser
Comment 13 • 4 years ago
bugherder
Comment 14 • 4 years ago
Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.
Comment 15 • 4 years ago
The bug itself was fixed in bug 1669342. The patch just added the reported testcase into the tree.
Comment 16 • 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210324040732-768e04aaea52.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 17 • 2 years ago
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 18 • 2 years ago
Sorry, wrong needinfo because of a bug in the bot.