1748018 - Assertion failure: lastListItem, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.h:1310

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20211127-afed7ee7a5dc (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Assertion failure: lastListItem, at src/editor/libeditor/HTMLEditUtils.h:1316

#0 0x7ff89d52ef7e in mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsINode*, nsIContent*> > mozilla::HTMLEditUtils::GetRangeSelectingAllContentInAllListItems<mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsINode*, nsIContent*> > >(mozilla::dom::Element const&) src/editor/libeditor/HTMLEditUtils.h:1316:5
#1 0x7ff89d4ee4e7 in mozilla::Result<mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsINode*, nsIContent*> >, nsresult> mozilla::HTMLEditor::AutoDeleteRangesHandler::ExtendOrShrinkRangeToDelete<mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsINode*, nsIContent*> > >(mozilla::HTMLEditor const&, nsFrameSelection const*, mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsINode*, nsIContent*> > const&) const src/editor/libeditor/HTMLEditorDeleteHandler.cpp:5553:9
#2 0x7ff89d4e48eb in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:3001:50
#3 0x7ff89d4e07eb in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:1641:29
#4 0x7ff89d4df492 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:1126:43
#5 0x7ff89d42982d in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) src/editor/libeditor/EditorBase.cpp:4206:7
#6 0x7ff89d4cd7ce in mozilla::HTMLEditor::HTMLWithContextInserter::Run(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, bool, bool, bool) src/editor/libeditor/HTMLEditorDataTransfer.cpp:570:38
#7 0x7ff89d4c96fc in DoInsertHTMLWithContext src/editor/libeditor/HTMLEditorDataTransfer.cpp:477:34
#8 0x7ff89d4c96fc in mozilla::HTMLEditor::InsertHTMLAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) src/editor/libeditor/HTMLEditorDataTransfer.cpp:239:8
#9 0x7ff89d4c9546 in mozilla::InsertHTMLCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const src/editor/libeditor/HTMLEditorCommands.cpp:1133:34
#10 0x7ff89a6d73ea in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5403:37
#11 0x7ff89b7ca4f3 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3772:36
#12 0x7ff89bb4fb58 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
#13 0x7ff89f46dfbf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
#14 0x7ff89f46d6cb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
#15 0x7ff89f46f19e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#16 0x7ff89f464a26 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
#17 0x7ff89f464a26 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
#18 0x7ff89f45b923 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
#19 0x7ff89f46d5c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
#20 0x7ff89f46f19e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#21 0x7ff89f46f3a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
#22 0x7ff89f627721 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#23 0x7ff89b860f7c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#24 0x7ff89bf7b239 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#25 0x7ff89bf7a4b0 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#26 0x7ff89bf5b4db in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#27 0x7ff89bf5c199 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#28 0x7ff89bf51284 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#29 0x7ff89bf51284 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#30 0x7ff89bf507a7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#31 0x7ff89bf53008 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#32 0x7ff89cfaf203 in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() src/dom/smil/SMILTimedElement.cpp:97:12
#33 0x7ff89899af12 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:144:20
#34 0x7ff8989cadde in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
#35 0x7ff8989a45b6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
#36 0x7ff8989a3278 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
#37 0x7ff8989a34f3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
#38 0x7ff8989ce3d6 in operator() src/xpcom/threads/TaskController.cpp:124:37
#39 0x7ff8989ce3d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#40 0x7ff8989b8fe3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
#41 0x7ff8989c02aa in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#42 0x7ff899457e66 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#43 0x7ff8993774a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#44 0x7ff8993773b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#45 0x7ff8993773b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#46 0x7ff89d337868 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#47 0x7ff89f2f1823 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
#48 0x7ff899458d5a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#49 0x7ff8993774a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#50 0x7ff8993773b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#51 0x7ff8993773b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#52 0x7ff89f2f0e5b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#53 0x560505442ec9 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#54 0x560505442ec9 in main src/browser/app/nsBrowserApp.cpp:327:18
#55 0x7ff8ae43d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#56 0x56050541e65c in _start (/home/worker/builds/m-c-20211127220034-fuzzing-debug/firefox-bin+0x1565c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/nkf3c3LElQYTn7N2-V2_cw/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211230212924-7b2c3d8ab474.
The bug appears to have been introduced in the following build range:

Start: 9cbf4fe3f852cede86354eb884cd33d305026b17 (20210911095121)
End: fbc127829141099ee56f6363ef89c6597c013530 (20210911110321)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=9cbf4fe3f852cede86354eb884cd33d305026b17&tochange=fbc127829141099ee56f6363ef89c6597c013530

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1672900

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

It seems that this detects an actual bug of the logic.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1748018 - Make `HTMLEditUtils::GetFirstListItemElement` scan only within the given list element r=m_kato!

It calls nsINode::GetNextNode() to scan first descendant list item in the
list without specifying the root node to scan within. Therefore, it may return
following list item element of the given list element if the list element does
not have children.

Comment 6

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/e2c04a66bb42
Make `HTMLEditUtils::GetFirstListItemElement` scan only within the given list element r=m_kato

Comment 7

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32265 for changes under testing/web-platform/tests

Comment 8

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/e2c04a66bb42

Comment 9

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220106090415-7b247c3a9e97.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.