Assertion failure: SelectionRefPtr()->GetAnchorFocusRange() && SelectionRefPtr()->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4920
Categories
(Core :: DOM: Editor, defect, P3)
Tracking
()
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Depends on 1 open bug, Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 9ad67cd4d216 (built with --enable-debug).
Assertion failure: SelectionRefPtr()->GetAnchorFocusRange() && SelectionRefPtr()->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4920
#0 0x7f4456169846 in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4918:5
#1 0x7f4456168762 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, bool, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1773:19
#2 0x7f4456180d85 in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1241:13
#3 0x7f4453572326 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5146:34
#4 0x7f44545bf99d in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3477:36
#5 0x7f44549340ed in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3238:13
#6 0x7f44579b8de0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
#7 0x7f44579b854c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
#8 0x7f44579b9d49 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#9 0x7f44579ae89f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
#10 0x7f44579ae89f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
#11 0x7f44579a5d61 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
#12 0x7f44579b8569 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
#13 0x7f44579b9d49 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#14 0x7f44579b9f6f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
#15 0x7f4457f2f06b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2856:10
#16 0x7f4454655e0c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
#17 0x7f4454cda876 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#18 0x7f4454cda5be in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
#19 0x7f4454cdb240 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
#20 0x7f4454cd0595 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
#21 0x7f4454cd0595 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
#22 0x7f4454ccfb43 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
#23 0x7f4454cd2715 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
#24 0x7f4454cd5276 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#25 0x7f4453700f03 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1332:17
#26 0x7f445341096a in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4196:28
#27 0x7f44534107f6 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4166:10
#28 0x7f445357d843 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7469:3
#29 0x7f44535efc06 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#30 0x7f44535efc06 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#31 0x7f44535efc06 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#32 0x7f4451959d32 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#33 0x7f445196014f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
#34 0x7f445195e6d0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
#35 0x7f445195d634 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
#36 0x7f445195d7e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
#37 0x7f4451963d86 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
#38 0x7f4451963d86 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#39 0x7f4451975277 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
#40 0x7f445197bc8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#41 0x7f44522a4d26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#42 0x7f445220fe03 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#43 0x7f445220fd1d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#44 0x7f445220fd1d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#45 0x7f4456025b18 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#46 0x7f4457883ac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
#47 0x7f44522a5c0c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#48 0x7f445220fe03 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#49 0x7f445220fd1d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#50 0x7f445220fd1d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#51 0x7f4457883698 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#52 0x5590d186afb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#53 0x5590d186afb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
#54 0x7f44680450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
|
||
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210318041543-973d2593ee6b.
The bug appears to have been introduced in the following build range:
Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 194e31587e6c4174702a223b448e8748b1b4a144 (20210310045802)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=194e31587e6c4174702a223b448e8748b1b4a144
|
||
Comment 2•3 years ago
|
||
Hi Masayuki, I see a set of changes in bug 1655539 and bug 1677566 that might be related here? See also bug 1699258.
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
|
||
This will be suppressed by bug 1706771 (the root cause is bug 1697989 though).
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210317095331-9ad67cd4d216) but not with tip (mozilla-central 20211105214712-019196b56630.)
The bug appears to have been fixed in the following build range:
Start: 6f0d89c7a869767fdf2a852dfb41b9b82e5cac62 (20211105141501)
End: 5d6a85b1788ecb66fef5ea788eba0817e07db9e2 (20211105143150)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6f0d89c7a869767fdf2a852dfb41b9b82e5cac62&tochange=5d6a85b1788ecb66fef5ea788eba0817e07db9e2
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 6•3 years ago
|
||
(In reply to Bugmon [:jkratzer for issues] from comment #5)
The testcase uses heading command and it's now disabled by default. However, formatBlock works exactly same as heading. So we need to update the testcase for this bug.
|
|
Assignee | |
Comment 7•2 years ago
|
||
Unfortunately, it's still reproducible.
|
|
Assignee | |
Comment 8•2 years ago
|
||
The testcase is tricky. It creates 2 Selection ranges, one is collapsed at
end of the <html>, the other is collapsed in the new <h3> element. The
first one is ignored by delete handler since Gecko does not allow to edit
outside <body> for now.
Then, deleting non-collapsed selection ranges tries to delete empty parent
blocks at the remaining collapsed selection range in the <h3>. At this time,
it works with nsIEditor::eNone. Then, its GetNewCaretPosition does not
return a valid point. Then, the Run does not remove the Selection range
outside the <body>.
Therefore, HTMLEditor::DeleteSelectionAndPrepareToCreateNode() will see
2 ranges, then, hit the assertion.
Although there are some other cases which meet 2 or more Selection ranges
after deletion in DeleteSelectionAndPrepareToCreateNode, but for now, we
should make AutoEmptyBlockAncestorDeleter::Run collapse Selection when
it deletes empty ancestors.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/c3323ac610b4 Make `AutoEmptyBlockAncestorDeleter::GetNewCaretPosition` always return a valid point if succeeded r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36581 for changes under testing/web-platform/tests
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
Upstream PR merged by moz-wptsync-bot
|
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221021160611-aa1994029eeb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•