1701348 - Assertion failure: !ShouldAlreadyHaveHandledBeforeInputEventDispatching() (beforeinput event hasn't been dispatched yet), at src/editor/libeditor/EditorBase.cpp:793

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210324-3be60f42358a (--enable-debug --enable-fuzzing)

Assertion failure: !ShouldAlreadyHaveHandledBeforeInputEventDispatching() (beforeinput event hasn't been dispatched yet), at src/editor/libeditor/EditorBase.cpp:793

#0 0x7f3e6eac6711 in mozilla::EditorBase::DoTransactionInternal(nsITransaction*) src/editor/libeditor/EditorBase.cpp:792:3
#1 0x7f3e6eadda18 in mozilla::EditorBase::InsertNodeWithTransaction(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/EditorBase.cpp:1554:17
#2 0x7f3e6eae696c in mozilla::EditorBase::MaybeCreatePaddingBRElementForEmptyEditor() src/editor/libeditor/EditorBase.cpp:3242:7
#3 0x7f3e6ebd808b in mozilla::TextEditor::InitEditorContentAndSelection() src/editor/libeditor/TextEditSubActionHandler.cpp:53:17
#4 0x7f3e6ebdd27b in mozilla::TextEditor::Init(mozilla::dom::Document&, mozilla::dom::Element*, nsISelectionController*, unsigned int, nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:146:8
#5 0x7f3e6d899e6d in mozilla::TextControlState::PrepareEditor(nsTSubstring<char16_t> const*) src/dom/html/TextControlState.cpp:1804:25
#6 0x7f3e6d8bc0db in mozilla::PrepareEditorEvent::Run() src/dom/html/TextControlState.cpp:1579:13
#7 0x7f3e6bdfa149 in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5561:17
#8 0x7f3e6ed04a21 in ~nsAutoScriptBlocker /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:3471:28
#9 0x7f3e6ed04a21 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4203:5
#10 0x7f3e6eae8133 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1400:5
#11 0x7f3e6eae8133 in mozilla::EditorBase::FlushPendingNotificationsIfToHandleDeletionWithFrameSelection(short) const src/editor/libeditor/EditorBase.cpp:3609:16
#12 0x7f3e6ead91b3 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) src/editor/libeditor/EditorBase.cpp:3718:8
#13 0x7f3e6eaf377b in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const src/editor/libeditor/EditorCommands.cpp:619:29
#14 0x7f3e6bf55780 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5314:37
#15 0x7f3e6cf9c17d in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3477:36
#16 0x7f3e6d31697d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3242:13
#17 0x7f3e703b49a0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:435:13
#18 0x7f3e703b410c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
#19 0x7f3e703b5909 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#20 0x7f3e703aa595 in CallFromStack src/js/src/vm/Interpreter.cpp:584:10
#21 0x7f3e703aa595 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3244:16
#22 0x7f3e703a1b81 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
#23 0x7f3e703b4129 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
#24 0x7f3e703b5909 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#25 0x7f3e703b5b2f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
#26 0x7f3e7092cbdb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2856:10
#27 0x7f3e6cf6efc3 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
#28 0x7f3e6d6dcb41 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#29 0x7f3e6d6dbc03 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#30 0x7f3e6d6be5ef in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1101:22
#31 0x7f3e6d6bf230 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1292:17
#32 0x7f3e6d6b4555 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
#33 0x7f3e6d6b4555 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:354:17
#34 0x7f3e6d6b3b03 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:556:16
#35 0x7f3e6d6b6701 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1099:11
#36 0x7f3e6ed75062 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1103:7
#37 0x7f3e6fd40ebf in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6563:20
#38 0x7f3e6fd40892 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5918:7
#39 0x7f3e6fd417df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#40 0x7f3e6b59adac in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1332:3
#41 0x7f3e6b59a35a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:938:14
#42 0x7f3e6b5988a7 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:757:9
#43 0x7f3e6b5997dd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:640:5
#44 0x7f3e6b599f7c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#45 0x7f3e6a4af316 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:616:22
#46 0x7f3e6a4b0823 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:523:10
#47 0x7f3e6bf72811 in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11291:18
#48 0x7f3e6bf4ffd0 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11221:9
#49 0x7f3e6bf61c36 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7774:3
#50 0x7f3e6bfd4c26 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#51 0x7f3e6bfd4c26 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#52 0x7f3e6bfd4c26 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#53 0x7f3e6a303342 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#54 0x7f3e6a30981f in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
#55 0x7f3e6a307da0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
#56 0x7f3e6a306d04 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
#57 0x7f3e6a306eb7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
#58 0x7f3e6a30d3b6 in operator() src/xpcom/threads/TaskController.cpp:133:37
#59 0x7f3e6a30d3b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#60 0x7f3e6a31e85d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1155:16
#61 0x7f3e6a324e1a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#62 0x7f3e6ac58c96 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#63 0x7f3e6abc3363 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#64 0x7f3e6abc327d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#65 0x7f3e6abc327d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#66 0x7f3e6ea13c78 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#67 0x7f3e7027f863 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#68 0x7f3e6ac59b7c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#69 0x7f3e6abc3363 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#70 0x7f3e6abc327d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#71 0x7f3e6abc327d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#72 0x7f3e7027f433 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#73 0x555d4920ffb6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x555d4920ffb6 in main src/browser/app/nsBrowserApp.cpp:309:18

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/ozblKHbb-c9DyoXKb7aABg/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210406152948-b85e871f6a8d.
The bug appears to have been introduced in the following build range:

Start: 768e04aaea528ec9a0af31c49708cf73ad505a2a (20210324040732)
End: d69774c978c67130b12313703d125ffd80f65483 (20210324041713)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=768e04aaea528ec9a0af31c49708cf73ad505a2a&tochange=d69774c978c67130b12313703d125ffd80f65483

Comment 3

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1701348 - Make `TextEditor::Init()` and `HTMLEditor::Init()` stop using `EditAction::eNotEditing` r=m_kato!

Currently, they set EditAction::eNotEditing even though they may create a
paddning <br> element. If there is already handling edit action, setting
eNotEditing makes inherit the parent edit action.
https://searchfox.org/mozilla-central/rev/be413c29deeb86be6cdac22445e0d0b035cb9e04/editor/libeditor/EditorBase.cpp#5150-5159

However, in the reported case, FlushPendingNotificationsIfToHandleDeletionWithFrameSelection()
is called for computing target ranges at forwarddelete command handling.
In this case, EditAction::eDeleteSelection or something is set as parent
edit action.
https://searchfox.org/mozilla-central/rev/be413c29deeb86be6cdac22445e0d0b035cb9e04/editor/libeditor/EditorBase.cpp#3638-3660
But at this moment, beforeinput event hasn't been dispatched. Then,
initializing code inherits this state and trying to insert a padding <br>
element without beforeinput event. Then, we hit the assertion.

For solving this issue, Init methods should set edit action to "initializing"
and it should be marked as not requiring beforeinput event.

Comment 4

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/93e0e2807b57
Make `TextEditor::Init()` and `HTMLEditor::Init()` stop using `EditAction::eNotEditing` r=m_kato

Comment 5

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/93e0e2807b57

Comment 6

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210408215439-970ef713fe58.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.