Closed Bug 1749299 Opened 2 years ago Closed 2 years ago

Assertion failure: HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(), *nsGkAtoms::textTagName), at /editor/libeditor/HTMLEditSubActionHandler.cpp:2006

Categories

(Core :: DOM: Editor, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
98 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev b81970e39db4 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b81970e39db4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(), *nsGkAtoms::textTagName), at /editor/libeditor/HTMLEditSubActionHandler.cpp:2006

    ==545529==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcef293fad3 bp 0x7ffd860ff560 sp 0x7ffd860ff250 T545529)
    ==545529==The signal is caused by a WRITE memory access.
    ==545529==Hint: address points to the zero page.
        #0 0x7fcef293fad3 in mozilla::HTMLEditor::HandleInsertLinefeed(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::dom::Element&) /editor/libeditor/HTMLEditSubActionHandler.cpp:2003:3
        #1 0x7fcef293ff5a in mozilla::HTMLEditor::InsertParagraphSeparatorAsSubAction() /editor/libeditor/HTMLEditSubActionHandler.cpp:1661:21
        #2 0x7fcef297fe23 in mozilla::HTMLEditor::InsertParagraphSeparatorAsAction(nsIPrincipal*) /editor/libeditor/HTMLEditor.cpp:1206:29
        #3 0x7fcef29143e6 in mozilla::InsertParagraphCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /editor/libeditor/EditorCommands.cpp:887:25
        #4 0x7fceef9be0d4 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /dom/base/Document.cpp:5414:37
        #5 0x7fcef0bc80e3 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3772:36
        #6 0x7fcef0f47e88 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #7 0x7fcef49afcaf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:425:13
        #8 0x7fcef49af3ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:512:12
        #9 0x7fcef49b0e8e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #10 0x7fcef49a6696 in CallFromStack /js/src/vm/Interpreter.cpp:576:10
        #11 0x7fcef49a6696 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3309:16
        #12 0x7fcef499d5b3 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #13 0x7fcef49af2a8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #14 0x7fcef49b0e8e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #15 0x7fcef49b1091 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #16 0x7fcef4b70c71 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #17 0x7fcef0c5d727 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #18 0x7fcef1410e06 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #19 0x7fcef1410b8a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1303:43
        #20 0x7fcef1411889 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1500:17
        #21 0x7fcef14068b4 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #22 0x7fcef14068b4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #23 0x7fcef1405dd7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #24 0x7fcef1408638 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1085:11
        #25 0x7fcef140af06 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #26 0x7fceefc507fd in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1355:17
        #27 0x7fceef7a34aa in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4323:28
        #28 0x7fceef7a32a7 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4293:10
        #29 0x7fceef9d188f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7891:3
        #30 0x7fceefa8307b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #31 0x7fceefa8307b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #32 0x7fceefa8307b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #33 0x7fceedba0b92 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:144:20
        #34 0x7fceedbd0ece in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #35 0x7fceedbaad26 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #36 0x7fceedba99e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #37 0x7fceedba9c63 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #38 0x7fceedbd3f06 in operator() /xpcom/threads/TaskController.cpp:124:37
        #39 0x7fceedbd3f06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #40 0x7fceedbbf623 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1195:16
        #41 0x7fceedbc670a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #42 0x7fceee669c86 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #43 0x7fceee5897c7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #44 0x7fceee5896d2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #45 0x7fceee5896d2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #46 0x7fcef2808158 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #47 0x7fcef4833a83 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:864:20
        #48 0x7fceee66ab7a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #49 0x7fceee5897c7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #50 0x7fceee5896d2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #51 0x7fceee5896d2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #52 0x7fcef48330bb in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:701:34
        #53 0x55a073464029 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #54 0x55a073464029 in main /browser/app/nsBrowserApp.cpp:327:18
        #55 0x7fcf0453b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #56 0x55a07343f7bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x157bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditSubActionHandler.cpp:2003:3 in mozilla::HTMLEditor::HandleInsertLinefeed(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::dom::Element&)
    ==545529==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220110093702-b81970e39db4.
The bug appears to have been introduced in the following build range:

Start: ede86e9e0fdb5162502ddf301e992800d6a84ea1 (20210910211800)
End: a2d4c087b7222581f7d996bf0b4fd7659dc2cbfe (20210910214815)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=ede86e9e0fdb5162502ddf301e992800d6a84ea1&tochange=a2d4c087b7222581f7d996bf0b4fd7659dc2cbfe

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Attachment #9258323 - Attachment mime type: text/plain → text/html

It's a simple bug. It tries to insert a LF in an element which cannot have a text node.

Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Keywords: regression
Priority: -- → P3
Regressed by: 1720809
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1720809

Ideally, it should not be called when the editor cannot insert a new text node.
However, the callers are complicated. Therefore, let's check in it to avoid
making the callers more complicated. Fortunately, this is not a realistic path
for normal web apps. Therefore, the compatibility of the behavior does not
matter. That's the reason why this patch does not have a test comparing the
result.
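The guard this comment describes, shown as an added example in a toy C++ model (this is not Gecko's code; Node, CanNodeContainText, InsertTextNode, HandleInsertLinefeed and Result are hypothetical stand-ins for the HTMLEditUtils / HTMLEditor APIs, and the content model is a deliberately simplified one): the handler refuses up front when the insertion point cannot hold a text node, instead of letting a failed DOM mutation hand back a null pointer that the handler then writes through, which is the WRITE to address 0 in the sanitizer report above.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Added example (not Gecko's code): a toy DOM modelling the situation in this
// bug. Node, CanNodeContainText, InsertTextNode and HandleInsertLinefeed are
// hypothetical simplifications of the HTMLEditUtils / HTMLEditor APIs.
struct Node {
  std::string tag;                               // "div", "table", "#text", ...
  std::string text;                              // payload for "#text" nodes
  std::vector<std::unique_ptr<Node>> children;
};

// Simplified content model: only some containers may hold a text node directly.
// (Real HTML rules are richer; here "table" stands in for "cannot hold text".)
bool CanNodeContainText(const Node& container) {
  return container.tag == "div" || container.tag == "p" || container.tag == "td";
}

// Models a DOM mutation that refuses an illegal insertion by returning nullptr.
// A null like this is what an unguarded handler goes on to write through.
Node* InsertTextNode(Node& container, std::size_t offset, const std::string& text) {
  if (!CanNodeContainText(container) || offset > container.children.size()) {
    return nullptr;
  }
  auto node = std::make_unique<Node>();
  node->tag = "#text";
  node->text = text;
  Node* raw = node.get();
  container.children.insert(
      container.children.begin() + static_cast<std::ptrdiff_t>(offset),
      std::move(node));
  return raw;
}

enum class Result { Handled, NotHandled, Failed };

// Conceptually, before the fix the insertion result was used without a check:
//   Node* lf = InsertTextNode(container, offset, "\n");
//   lf->text += "";   // lf == nullptr -> write to address 0, as in the report
// After the fix the handler bails out when the insertion point cannot hold text.
Result HandleInsertLinefeed(Node& container, std::size_t offset) {
  if (!CanNodeContainText(container)) {
    return Result::NotHandled;   // the guard this bug's patch adds
  }
  Node* lf = InsertTextNode(container, offset, "\n");
  if (lf == nullptr) {
    return Result::Failed;       // still never trust the mutation blindly
  }
  return Result::Handled;
}

// Helpers for checking outcomes: run the handler on a fresh container of the
// given tag, and count how many lone-linefeed text children it has afterwards.
Result TryLinefeedIn(const std::string& tag) {
  Node container;
  container.tag = tag;
  return HandleInsertLinefeed(container, 0);
}

std::size_t LinefeedsAfterInsert(const std::string& tag) {
  Node container;
  container.tag = tag;
  HandleInsertLinefeed(container, 0);
  std::size_t n = 0;
  for (const auto& child : container.children) {
    if (child->tag == "#text" && child->text == "\n") ++n;
  }
  return n;
}

int main() {
  assert(TryLinefeedIn("div") == Result::Handled);
  assert(LinefeedsAfterInsert("div") == 1);
  assert(TryLinefeedIn("table") == Result::NotHandled);
  assert(LinefeedsAfterInsert("table") == 0);
  return 0;
}
```

The two checks are intentionally separate: the content-model test before the mutation is what keeps the editor from reaching an impossible state, and the null test after it is the cheap insurance that turns any remaining surprise into a reported failure rather than a crash.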

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/9ef0614a5962
Make `HTMLEditor::HandleInsertLinefeed()` stop handling it if insertion point cannot have text nodes r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32401 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220116095124-9ef0614a5962.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)
Flags: needinfo?(masayuki)