Closed Bug 1728433 Opened 3 years ago Closed 7 months ago

Assertion failure: !mContent || !mContent->GetParentElement() || HTMLEditUtils::IsBlockElement(*mContent) || HTMLEditUtils::IsBlockElement(*mContent->GetParentElement()) || !mContent->GetParentElement()->IsEditable(), at /edi

Categories

(Core :: DOM: Editor, defect, P5)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
120 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 86d5ab060da8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 86d5ab060da8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mContent || !mContent->GetParentElement() || HTMLEditUtils::IsBlockElement(*mContent) || HTMLEditUtils::IsBlockElement(*mContent->GetParentElement()) || !mContent->GetParentElement()->IsEditable(), at /edi

    ==115110==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fac1921f863 bp 0x7ffdc92c7570 sp 0x7ffdc92c7560 T115110)
    ==115110==The signal is caused by a WRITE memory access.
    ==115110==Hint: address points to the zero page.
        #0 0x7fac1921f863 in mozilla::WSScanResult::AssertIfInvalidData() const /editor/libeditor/WSRunObject.h:102:5
        #1 0x7fac19217733 in mozilla::WSScanResult::WSScanResult(nsIContent*, mozilla::WSScanResult::WSType) /editor/libeditor/WSRunObject.h:66:5
        #2 0x7fac192183c3 in mozilla::WSScanResult mozilla::WSRunScanner::ScanNextVisibleNodeOrBlockBoundaryFrom<nsINode*, nsIContent*>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) const /editor/libeditor/WSRunObject.cpp
        #3 0x7fac191313dd in mozilla::WSScanResult mozilla::WSRunScanner::ScanNextVisibleNodeOrBlockBoundary<nsINode*, nsIContent*>(mozilla::dom::Element const*, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) /editor/libeditor/WSRunObject.h:308:10
        #4 0x7fac19164cc2 in mozilla::HTMLEditor::MaybeCollapseSelectionAtFirstEditableNode(bool) const /editor/libeditor/HTMLEditor.cpp:818:11
        #5 0x7fac191775d7 in mozilla::HTMLEditor::NotifyRootChanged() /editor/libeditor/HTMLEditor.cpp:5996:8
        #6 0x7fac191ea9a6 in applyImpl<mozilla::HTMLEditor, void (mozilla::HTMLEditor::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
        #7 0x7fac191ea9a6 in apply<mozilla::HTMLEditor, void (mozilla::HTMLEditor::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
        #8 0x7fac191ea9a6 in mozilla::detail::RunnableMethodImpl<mozilla::HTMLEditor*, void (mozilla::HTMLEditor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
        #9 0x7fac16251057 in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:5683:17
        #10 0x7fac163babb2 in mozilla::dom::Document::EndUpdate() /dom/base/Document.cpp:7709:3
        #11 0x7fac1654a8c0 in ~mozAutoDocUpdate /dom/base/mozAutoDocUpdate.h:34:18
        #12 0x7fac1654a8c0 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:2727:1
        #13 0x7fac16a362ab in ReplaceChild /dom/base/nsINode.h:1994:12
        #14 0x7fac16a362ab in mozilla::dom::Node_Binding::replaceChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:1073:60
        #15 0x7fac17880568 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
        #16 0x7fac1aff7fa0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:401:13
        #17 0x7fac1aff769e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:488:12
        #18 0x7fac1aff909e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:548:10
        #19 0x7fac1afee600 in CallFromStack /js/src/vm/Interpreter.cpp:552:10
        #20 0x7fac1afee600 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3255:16
        #21 0x7fac1afe5225 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:370:13
        #22 0x7fac1aff7597 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:520:13
        #23 0x7fac1aff909e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:548:10
        #24 0x7fac1aff92a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:565:8
        #25 0x7fac1b1d8c03 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #26 0x7fac174bf70e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #27 0x7fac17c8b4b6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #28 0x7fac17c8b20a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1115:43
        #29 0x7fac17c8bf62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1312:17
        #30 0x7fac17c80da5 in HandleEvent /dom/events/EventListenerManager.h:394:5
        #31 0x7fac17c80da5 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #32 0x7fac17c802bf in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #33 0x7fac17c82ee4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1082:11
        #34 0x7fac1939f483 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1087:7
        #35 0x7fac1a837954 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6284:20
        #36 0x7fac1a83744f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5674:7
        #37 0x7fac1a8382cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #38 0x7fac15aaad2c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1376:3
        #39 0x7fac15aaa2aa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:974:14
        #40 0x7fac15aa8627 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:793:9
        #41 0x7fac15aa985f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:676:5
        #42 0x7fac1a858108 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13459:23
        #43 0x7fac1489ceca in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #44 0x7fac1489e453 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #45 0x7fac163cc27d in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11450:18
        #46 0x7fac163a8ce0 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11380:9
        #47 0x7fac163bb3b6 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7901:3
        #48 0x7fac1642cc96 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
        #49 0x7fac1642cc96 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
        #50 0x7fac1642cc96 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
        #51 0x7fac146d0682 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:144:20
        #52 0x7fac146fd83e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
        #53 0x7fac146d989f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
        #54 0x7fac146d8508 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:641:15
        #55 0x7fac146d8783 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
        #56 0x7fac14700e36 in operator() /xpcom/threads/TaskController.cpp:135:37
        #57 0x7fac14700e36 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
        #58 0x7fac146ec23f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #59 0x7fac146f303a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
        #60 0x7fac1513e9d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #61 0x7fac1505f0c7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #62 0x7fac1505efd2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #63 0x7fac1505efd2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #64 0x7fac18ffc078 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #65 0x7fac1ae7b593 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #66 0x7fac1513f8ca in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #67 0x7fac1505f0c7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #68 0x7fac1505efd2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #69 0x7fac1505efd2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #70 0x7fac1ae7abce in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #71 0x558413ebaab6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #72 0x558413ebaab6 in main /browser/app/nsBrowserApp.cpp:327:18
        #73 0x7fac29ecf0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #74 0x558413e978bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x158bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/WSRunObject.h:102:5 in mozilla::WSScanResult::AssertIfInvalidData() const
    ==115110==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210831213957-e8a630d41a77.
The bug appears to have been introduced in the following build range:

Start: c86dd2d20421089cabe5555c0c9bb2ada824fb7c (20210823100448)
End: 2139b35435875e1b58686491a583a2142d9c024d (20210823100755)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c86dd2d20421089cabe5555c0c9bb2ada824fb7c&tochange=2139b35435875e1b58686491a583a2142d9c024d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Per comment #3, this looks like it was caused by bug 1727008. Masayuki, mind taking a look? Thanks!

Flags: needinfo?(masayuki)

Well, I'm rewriting a lot around there to make WSRunObject.cpp support white-space:pre-*. After that, I could take a look, but probably this is not so important because, as far as I know, swapping the editor root is a minor case in the wild.

Assignee: nobody → masayuki
Severity: -- → S4
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P5

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)
Flags: needinfo?(masayuki)
Regressed by: 1727008
Has Regression Range: --- → yes
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20221008093624-9fb70b4ae593) but not with tip (mozilla-central 20231006152733-9b362770f30b).

The bug appears to have been fixed in the following build range:

Start: 583cfd323dab818e35dc1f15fa3e92a503e56e11 (20230927023537)
End: 82ae09837aed66d319e3280febbf971a401bd8a6 (20230927062331)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=583cfd323dab818e35dc1f15fa3e92a503e56e11&tochange=82ae09837aed66d319e3280febbf971a401bd8a6

masayuki, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(masayuki)
Keywords: bugmon
Flags: needinfo?(masayuki)
Regressed by: 1851951
No longer regressed by: 1727008
Regressed by: 1727008
No longer regressed by: 1851951

Oops, so, this is now WFM in the early beta builds and in the Nightly channel. However, we still enable the legacy behavior in the late beta builds and in the release channel. And perhaps, the fix just hides this bug.

Set release status flags based on info from the regressing bug 1727008

Attachment #9238793 - Attachment mime type: text/plain → text/html

At the crash, WSRunScanner finds <mo id="id_29">\n </mo>. When this happens, the document root element is: <object id="id_4" contenteditable="true"><mo id="id_29">\n </mo>\n</object>.

The WSRunScanner instance reaches here and here. Then, the WSScanResult is initialized with <mo>.

As the comment in the method says, CurrentBlockBoundary may be set when mContent is not a block. However, it's not allowed that there is an editable block ancestor of mContent in the same editing host (in this case, mContent should be the block). Therefore, it should compute the ancestor block element and check whether it's not in the same editing host if mContent is editable and connected.
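The invariant discussed above, as an added example that is not Gecko's code: a simplified node model in which the old check mirrors the assertion quoted in the bug title, and the new check follows the ancestor-block rule described in the comment. The node flags (block, editable, editing host, connected) are constructed inputs standing in for HTMLEditUtils::IsBlockElement and nsIContent::IsEditable, and the assumption that the <object> host is not a block element is part of the constructed scenario.

```cpp
// Simplified model of the CurrentBlockBoundary validity check (added example,
// not code from Gecko). Node flags are constructed inputs, not real DOM state.
#include <cstddef>

struct Node {
  const Node* parent;
  bool isBlock;        // stands in for HTMLEditUtils::IsBlockElement
  bool isEditable;     // stands in for nsIContent::IsEditable
  bool isEditingHost;  // e.g. the element carrying contenteditable="true"
  bool isConnected;    // whether the node is in the document tree
};

// Closest self-or-ancestor that is an editing host (nullptr if none).
static const Node* EditingHostOf(const Node* n) {
  for (const Node* p = n; p; p = p->parent) {
    if (p->isEditingHost) return p;
  }
  return nullptr;
}

// Closest proper ancestor that is a block element (nullptr if none).
static const Node* AncestorBlockOf(const Node* n) {
  for (const Node* p = n ? n->parent : nullptr; p; p = p->parent) {
    if (p->isBlock) return p;
  }
  return nullptr;
}

// Old check: the expression asserted in the bug title, evaluated on the model.
bool OldCheck(const Node* c) {
  return !c || !c->parent || c->isBlock || c->parent->isBlock ||
         !c->parent->isEditable;
}

// New check, per the comment above: if mContent is editable and connected,
// its ancestor block element must not be in the same editing host.
bool NewCheck(const Node* c) {
  if (!c || !c->isEditable || !c->isConnected) return true;
  const Node* block = AncestorBlockOf(c);
  return !block || EditingHostOf(block) != EditingHostOf(c);
}

// Scenario from the bug: the root is <object contenteditable="true"> (modelled
// as a non-block editing host) and it directly contains the inline <mo>.
const Node kObjectHost{nullptr, false, true, true, true};
const Node kMo{&kObjectHost, false, true, false, true};

// Genuinely invalid shape: an editable block <div> inside the same host wraps
// the inline node, so the scan should have stopped at the <div> instead.
const Node kDiv{&kObjectHost, true, true, false, true};
const Node kSpanInDiv{&kDiv, false, true, false, true};
```

On the bug's tree the old expression is false (neither <mo> nor its parent is a block and the parent is editable), which is exactly why the debug build aborted, while the new rule accepts it because there is no block ancestor at all; the <span>-in-<div> shape shows the case the new rule still rejects.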

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/d2ed52003519
Make `WSScanResult::AssertIfInvalidData` check the ancestor block element if the reason is `CurrentBlockBoundary` r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42520 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
Upstream PR merged by moz-wptsync-bot
