Closed
Bug 1702675
Opened 3 years ago
Closed 3 years ago
Assertion failure: (mIsSelected == nsTextFrame::SelectionState::Selected) == isReallySelected, at src/layout/generic/nsTextFrame.cpp:7446
Categories
(Core :: DOM: Selection, defect, P3)
Core
DOM: Selection
Tracking
()
VERIFIED
FIXED
89 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | --- | verified |
People
(Reporter: tsmith, Assigned: mikokm)
References
(Depends on 1 open bug, Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files)
Found while fuzzing m-c 20210326-cad5e739410b (--enable-debug --enable-fuzzing)
Assertion failure: (mIsSelected == nsTextFrame::SelectionState::Selected) == isReallySelected, at src/layout/generic/nsTextFrame.cpp:7446
#0 0x7fb02499b055 in nsTextFrame::IsFrameSelected() const src/layout/generic/nsTextFrame.cpp:7445:5
#1 0x7fb024b9a05f in IsSelected src/layout/generic/nsIFrame.h:3741:64
#2 0x7fb024b9a05f in nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:8841:12
#3 0x7fb0213731d9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#4 0x7fb021371afd in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#5 0x7fb024b954ad in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:8015:30
#6 0x7fb0213731d9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#7 0x7fb021371afd in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#8 0x7fb024b8c881 in CreateWebRenderCommands src/layout/painting/nsDisplayList.cpp:5564:30
#9 0x7fb024b8c881 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:6318:22
#10 0x7fb024b8e967 in nsDisplayFixedPosition::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:6623:29
#11 0x7fb0213731d9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#12 0x7fb021371afd in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#13 0x7fb024b8c881 in CreateWebRenderCommands src/layout/painting/nsDisplayList.cpp:5564:30
#14 0x7fb024b8c881 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:6318:22
#15 0x7fb0213731d9 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
#16 0x7fb021371afd in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
#17 0x7fb021370633 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1593:5
#18 0x7fb021381b71 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*) src/gfx/layers/wr/WebRenderLayerManager.cpp:371:30
#19 0x7fb024b77b7d in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2451:18
#20 0x7fb0247d88b6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3476:13
#21 0x7fb0247501ea in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6391:5
#22 0x7fb02440730f in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:459:18
#23 0x7fb024406e03 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:394:22
#24 0x7fb02440826f in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:972:5
#25 0x7fb02470f3b9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2330:11
#26 0x7fb024716351 in TickDriver src/layout/base/nsRefreshDriver.cpp:345:13
#27 0x7fb024716351 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:324:7
#28 0x7fb02471622f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:339:5
#29 0x7fb024715848 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:769:5
#30 0x7fb024715848 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:699:16
#31 0x7fb02471512e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:612:7
#32 0x7fb024714ba9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:533:9
#33 0x7fb023f2c0d6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#34 0x7fb020c464f0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#35 0x7fb0209db04c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#36 0x7fb02068ec9e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2154:25
#37 0x7fb02068b17d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
#38 0x7fb02068c626 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1926:3
#39 0x7fb02068d36b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1957:13
#40 0x7fb01fd44fdf in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
#41 0x7fb01fd43560 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
#42 0x7fb01fd424c4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
#43 0x7fb01fd42677 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
#44 0x7fb01fd48b76 in operator() src/xpcom/threads/TaskController.cpp:133:37
#45 0x7fb01fd48b76 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#46 0x7fb01fd5a01d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1155:16
#47 0x7fb01fd605da in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#48 0x7fb0206945d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#49 0x7fb0205feca3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#50 0x7fb0205febbd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#51 0x7fb0205febbd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#52 0x7fb024454bb8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#53 0x7fb025cc45c3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#54 0x7fb0206954bc in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#55 0x7fb0205feca3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#56 0x7fb0205febbd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#57 0x7fb0205febbd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#58 0x7fb025cc4193 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#59 0x56148f9c4fb6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x56148f9c4fb6 in main src/browser/app/nsBrowserApp.cpp:309:18
Flags: in-testsuite?
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/zc8dXKi6iJuxS-LGtQDn3A/index.html
|
||
Comment 3•3 years ago
|
||
Kagami, can you, please, take a look?
Severity: -- → S3
Flags: needinfo?(krosylight)
Priority: -- → P3
|
||
Comment 4•3 years ago
|
||
Hmm, it seems something changes the selection state without calling InvalidateSelectionState(). Could it be document.execCommand("selectAll", false)? I'll take a look.
Assignee: nobody → krosylight
Flags: needinfo?(krosylight)
|
||
Comment 5•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210406152948-b85e871f6a8d.
The bug appears to have been introduced in the following build range:
Start: fa19c8972d9e558d631d3f4cfbc89b02006591b1 (20210325204250)
End: cad5e739410ba4a3d90f8fd6f921616b77f08f68 (20210326005347)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fa19c8972d9e558d631d3f4cfbc89b02006591b1&tochange=cad5e739410ba4a3d90f8fd6f921616b77f08f68
Whiteboard: [bugmon:bisected,confirmed]
|
|
||
Comment 6•3 years ago
|
||
Oh, turns out it's a regression. Pinging the author:
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Comment 7•3 years ago
|
||
Set release status flags based on info from the regressing bug 1679645
status-firefox87:
--- → unaffected
status-firefox88:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
Assignee | |
Comment 8•3 years ago
|
||
Looking into this.
Assignee: krosylight → mikokm
Status: NEW → ASSIGNED
Flags: needinfo?(mikokm)
|
|
||
Comment 9•3 years ago
|
||
Thanks!
|
|
Assignee | |
Comment 10•3 years ago
•
|
||
I debugged the testcase in Pernosco with the help of Emilio, and it seems plausible that this might be caused by pre-existing issues with selection change propagation.
Because the testcase is quite contrived and unlikely to be found in the wild, and because the user impact is low, I think demoting the assertion to NS_ASSERT is a way to go.
|
|
Assignee | |
Comment 11•3 years ago
|
||
|
|
||
Comment 12•3 years ago
|
||
Probably should file a separate bug to track the root cause.
|
||
Comment 13•3 years ago
|
||
Pushed by mikokm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/33251b41e254 Demote nsTextFrame selection state assert to NS_ASSERTION r=emilio
|
||
Comment 14•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
|
|
||
Comment 15•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210414033918-44e7fa45c33e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•