1753487 - Assertion failure: IsElement(), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:2078

Status: RESOLVED FIXED

(Core :: DOM: Selection, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20211211-32443a93b4b7 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Requires pref layout.accessiblecaret.enabled=true

Assertion failure: IsElement(), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:2078

#0 0x7fb2bfbb3ebf in AsElement /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:2078:3
#1 0x7fb2bfbb3ebf in nsIContent::GetEditingHost() src/dom/base/FragmentOrElement.cpp:256:19
#2 0x7fb2c2c7695f in GetEditingHostForFrame src/layout/base/AccessibleCaretManager.cpp:866:19
#3 0x7fb2c2c7695f in mozilla::AccessibleCaretManager::DispatchCaretStateChangedEvent(mozilla::dom::CaretChangedReason) src/layout/base/AccessibleCaretManager.cpp:1482:30
#4 0x7fb2c2c718d0 in mozilla::AccessibleCaretManager::OnSelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short) src/layout/base/AccessibleCaretManager.cpp
#5 0x7fb2bfc81fa8 in mozilla::dom::Selection::NotifySelectionListeners() src/dom/base/Selection.cpp:3169:10
#6 0x7fb2bfc85c07 in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) src/dom/base/Selection.cpp:2649:3
#7 0x7fb2bfc85e40 in mozilla::dom::Selection::Extend(nsINode*, unsigned int) src/dom/base/Selection.cpp:2351:3
#8 0x7fb2c2df4c95 in nsFrameSelection::TakeFocus(nsIContent&, unsigned int, unsigned int, mozilla::CaretAssociationHint, nsFrameSelection::FocusMode) src/layout/generic/nsFrameSelection.cpp:1499:20
#9 0x7fb2c2df37d9 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:855:10
#10 0x7fb2bfc8a847 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3347:24
#11 0x7fb2c06dc525 in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SelectionBinding.cpp:1117:24
#12 0x7fb2c10a1128 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
#13 0x7fb2c4ad589f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
#14 0x7fb2c4ad4f9d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
#15 0x7fb2c4ad6a7e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#16 0x7fb2c4acc2a6 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
#17 0x7fb2c4acc2a6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
#18 0x7fb2c4ac31a3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
#19 0x7fb2c4ad4e98 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
#20 0x7fb2c4ad6a7e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#21 0x7fb2c4ad6c81 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
#22 0x7fb2c4c92e91 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#23 0x7fb2c0db26cc in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#24 0x7fb2c1588179 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#25 0x7fb2c15873f0 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#26 0x7fb2c156841b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#27 0x7fb2c15690d9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#28 0x7fb2c155e1b4 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#29 0x7fb2c155e1b4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#30 0x7fb2c155d6d7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#31 0x7fb2c155ff38 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#32 0x7fb2c2d0b353 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1085:7
#33 0x7fb2c42e6494 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6338:20
#34 0x7fb2c42e5f83 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5727:7
#35 0x7fb2c42e6e1f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#36 0x7fb2bf18011c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1376:3
#37 0x7fb2bf17f6aa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:974:14
#38 0x7fb2bf17da30 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:793:9
#39 0x7fb2bf17ebed in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:676:5
#40 0x7fb2c430773d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13605:23
#41 0x7fb2bdf01c0a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:614:22
#42 0x7fb2bdf031f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:518:10
#43 0x7fb2bf80170c in imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:372:15
#44 0x7fb2bf8076af in imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1005:7
#45 0x7fb2bf7d61ea in operator() src/image/ProgressTracker.cpp:351:13
#46 0x7fb2bf7d61ea in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) src/image/ProgressTracker.cpp:281:9
#47 0x7fb2bf7d4983 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:350:5
#48 0x7fb2bf79aeb1 in operator() src/image/ProgressTracker.cpp:369:5
#49 0x7fb2bf79aeb1 in Read<(lambda at src/image/ProgressTracker.cpp:368:19)> src/image/CopyOnWrite.h:155:12
#50 0x7fb2bf79aeb1 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:368:14
#51 0x7fb2bf7c53fe in mozilla::image::VectorImage::OnSVGDocumentLoaded() src/image/VectorImage.cpp:1496:23
#52 0x7fb2bf7c89bf in mozilla::image::SVGLoadEventListener::HandleEvent(mozilla::dom::Event*) src/image/VectorImage.cpp:214:13
#53 0x7fb2c156841b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#54 0x7fb2c15690d9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#55 0x7fb2c155e1b4 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#56 0x7fb2c155e1b4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#57 0x7fb2c155d6d7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#58 0x7fb2c155ff38 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#59 0x7fb2c1562706 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#60 0x7fb2bfdadd4d in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1354:17
#61 0x7fb2c156fbd2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:180:13
#62 0x7fb2c152275b in mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:69:12
#63 0x7fb2bdd3947e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
#64 0x7fb2bdd12fd6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
#65 0x7fb2bdd11c98 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
#66 0x7fb2bdd11f13 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
#67 0x7fb2bdd3ca76 in operator() src/xpcom/threads/TaskController.cpp:124:37
#68 0x7fb2bdd3ca76 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#69 0x7fb2bdd27973 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
#70 0x7fb2bdd2ec3a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#71 0x7fb2be7cecb6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#72 0x7fb2be6ee787 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#73 0x7fb2be6ee692 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#74 0x7fb2be6ee692 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#75 0x7fb2c295a5d8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#76 0x7fb2c4959113 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
#77 0x7fb2be7cfbaa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#78 0x7fb2be6ee787 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#79 0x7fb2be6ee692 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#80 0x7fb2be6ee692 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#81 0x7fb2c495874b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#82 0x564fb0b14ec9 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#83 0x564fb0b14ec9 in main src/browser/app/nsBrowserApp.cpp:327:18
#84 0x7fb2d30b80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#85 0x564fb0af065c in _start (/home/worker/builds/m-c-20211211213843-fuzzing-debug/firefox-bin+0x1565c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/MTX8-jvlKgop1rIBwMRtOQ/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220204034627-3dd2d157c24a.
The bug appears to have been introduced in the following build range:

Start: 74250c6a9c4cc8d28d316270ccbc47a6a806fcf0 (20211012033145)
End: d51a3f4602303979556ca1962d0fb271304e86fc (20211012044446)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=74250c6a9c4cc8d28d316270ccbc47a6a806fcf0&tochange=d51a3f4602303979556ca1962d0fb271304e86fc

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Unable to reproduce bug 1753487 using build mozilla-central 20211211213843-32443a93b4b7. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 4

[Peter Van der Beken [:peterv]]

Seems like nsIContent::GetEditingHost was changed to return an element, but that's wrong for an nsIContent that doesn't have an element for its parent?

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

(In reply to Peter Van der Beken [:peterv] from comment #4)

Seems like nsIContent::GetEditingHost was changed to return an element, but that's wrong for an nsIContent that doesn't have an element for its parent?

Ah, yes, the this is not element and the parent is not an element, this occurs.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1753487 - Make `nsIContent::GetEditingHost()` not assume that itself is an element if there is no parent element r=peterv!

If the instance is not an element and is a child of Document or something
non-element node, the method calls this->AsElement() in non-element instance.

It should check whether it's an element node or not when there is no editable
parent element.

Comment 7

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/80590d5a5830
Make `nsIContent::GetEditingHost()` not assume that itself is an element if there is no parent element r=peterv

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32798 for changes under testing/web-platform/tests

Comment 9

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/80590d5a5830

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot