Closed Bug 1707630 Opened 8 months ago Closed 7 months ago

Assertion failure: aChild, at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:494

Categories

(Core :: DOM: Editor, defect, P3)

defect

Tracking

()

VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 --- verified
firefox90 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(5 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 289e41464376 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 289e41464376 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.html
Assertion failure: aChild, at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:494

    #0 0x7f62fd3dae72 in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::SetAfter(nsINode const*) /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:494:5
    #1 0x7f62fd3e26a3 in mozilla::HTMLEditor::HandleInsertParagraphInParagraph(mozilla::dom::Element&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6701:32
    #2 0x7f62fd3dc29e in mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1439:31
    #3 0x7f62fd417733 in mozilla::HTMLEditor::InsertParagraphSeparatorAsAction(nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1098:29
    #4 0x7f62fd3b89ea in mozilla::InsertParagraphCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:887:25
    #5 0x7f62fa83bbd1 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5309:37
    #6 0x7f62fb88007d in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3477:36
    #7 0x7f62fbc0353d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3232:13
    #8 0x7f62fec8c3e0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #9 0x7f62fec8bb4c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #10 0x7f62fec8d359 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #11 0x7f62fec81e65 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:10
    #12 0x7f62fec81e65 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3248:16
    #13 0x7f62fec79455 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
    #14 0x7f62fec8bb69 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
    #15 0x7f62fec8d359 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #16 0x7f62fec8d57f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #17 0x7f62ff21925b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2861:10
    #18 0x7f62fb854a1c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
    #19 0x7f62fbfbb736 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #20 0x7f62fbfbb47e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
    #21 0x7f62fbfbc100 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #22 0x7f62fbfb1475 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
    #23 0x7f62fbfb1475 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #24 0x7f62fbfb0a23 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #25 0x7f62fbfb3621 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #26 0x7f62fd63bef2 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1084:7
    #27 0x7f62fe60c1df in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6540:20
    #28 0x7f62fe60bbb8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5909:7
    #29 0x7f62fe60cb5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #30 0x7f62f9e7ea5c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
    #31 0x7f62f9e7e00a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:954:14
    #32 0x7f62f9e7c527 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:773:9
    #33 0x7f62f9e7d4b4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:656:5
    #34 0x7f62fe62d148 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13692:23
    #35 0x7f62f8de936a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:625:22
    #36 0x7f62f8dea8b3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:529:10
    #37 0x7f62fa858fa1 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11313:18
    #38 0x7f62fa8363f0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11243:9
    #39 0x7f62fa8482e6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7791:3
    #40 0x7f62fa8baeb6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #41 0x7f62fa8baeb6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #42 0x7f62fa8baeb6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #43 0x7f62f8c35e72 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #44 0x7f62f8c61373 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #45 0x7f62f8c3eb69 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #46 0x7f62f8c3dad4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #47 0x7f62f8c3dc63 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #48 0x7f62f8c64c96 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #49 0x7f62f8c64c96 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #50 0x7f62f8c50990 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #51 0x7f62f8c5768a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #52 0x7f62f9590f66 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #53 0x7f62f94fb9b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #54 0x7f62f94fb8cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #55 0x7f62f94fb8cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #56 0x7f62fd2d6298 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #57 0x7f62feb57da3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #58 0x7f62f9591e4c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #59 0x7f62f94fb9b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #60 0x7f62f94fb8cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #61 0x7f62f94fb8cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #62 0x7f62feb5797f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #63 0x56199ea54396 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #64 0x56199ea54396 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #65 0x7f630dc580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Severity: -- → S3
Flags: needinfo?(masayuki)
Priority: -- → P3
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210426213158-6f8320a4798f.
The bug appears to have been introduced in the following build range:

Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 10ca32d83c66663d73c0600ff90022e85f52b92b (20210310054241)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=10ca32d83c66663d73c0600ff90022e85f52b92b

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Blocks: 1623017
Root Cause: --- → Coding: Unhandled Exceptions
OS: Unspecified → All
Regressed by: 1677566
Hardware: Unspecified → All
Crash Signature: [@ mozilla::EditorDOMPointBase<T>::SetAfter ]

Wow, is this causing crash in the wild? I'd really like to know which web apps do this kind of odd approach for handling the DOM tree normalization.

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(Still not recoverd perfectly) from comment #2)

Wow, is this causing crash in the wild? I'd really like to know which web apps do this kind of odd approach for handling the DOM tree normalization.

the crash I added was from the testcase on Nightly. But looks like the signature exists in the wild too.

For making it's upliftable, this patch just fixes the crash with a one line fix.

Depends on D113282

The testcase hits the assertion because CreateNodeTransaction::DoTransaction()
returns error, but it's not handled by HandledInsertParagraphInParagraph()
so that we should make InsertBRElementWithTransaction() and its callees
should return error if they meet unexpected cases.

Depends on D113471

Set release status flags based on info from the regressing bug 1677566

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/4b97980bad2d
Fix the crash with a one line fix r=m_kato
https://hg.mozilla.org/integration/autoland/rev/b64921ded846
part 1: Make `HTMLEditor::InsertBREelementWithTransaction()` return error when it fails r=m_kato
https://hg.mozilla.org/integration/autoland/rev/0300e499ae04
part 2: Make `HTMLEditor::PrepareToInsertBRElement()` return error if failed r=m_kato
https://hg.mozilla.org/integration/autoland/rev/ce981753ec94
part 3: Make `EditorBase::CreateNodeWithTransaction()` return error if failed r=m_kato

Comment on attachment 9218568 [details]
Bug 1707630 - Fix the crash with a one line fix r=m_kato!

Beta/Release Uplift Approval Request

  • User impact if declined: Some web apps which have contenteditable or designMode editor may crash.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: 1. Load the testcase
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adding the null-check (and the testcase)
  • String changes made/needed: none
Attachment #9218568 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Masayuki, do I understand correctly from your uplift request that you are only requesting the uplift of https://hg.mozilla.org/mozilla-central/rev/4b97980bad2d ? Thanks

Flags: needinfo?(masayuki)

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210428100720-1ea87880589f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

(In reply to Pascal Chevrel:pascalc from comment #12)

Masayuki, do I understand correctly from your uplift request that you are only requesting the uplift of https://hg.mozilla.org/mozilla-central/rev/4b97980bad2d ? Thanks

Yes, it is. The other patches are too risky for uplift. And the first patch can prevent the crash at least.

Flags: needinfo?(masayuki)
QA Whiteboard: [qa-triaged]

Hello,

I have reproduced the issue using the test case from comment 0, on an asan Nightly build.
I've verified the fix on the latest asan Nightly 90.0a1 (2021-04-29). The testing was performed on both Ubuntu 20.04 and Windows 10x64.
Leaving the qe+ flag in place for now, until this gets verified on Beta as well.

Thanks!

Comment on attachment 9218568 [details]
Bug 1707630 - Fix the crash with a one line fix r=m_kato!

Approved for 89.0b6.

Attachment #9218568 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I've verified the fix on 89.0b6. The testing was performed on Windows 10x64 and Ubuntu 20.04. Thanks!

Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.