Closed
Bug 1753786
Opened 2 years ago
Closed 2 years ago
Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:582
Categories
(Core :: DOM: Selection, defect, P3)
Core
DOM: Selection
Tracking
()
VERIFIED
FIXED
99 Branch
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20220129-8133283f58b2 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:582
#0 0x7fc649bda88a in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h
#1 0x7fc64bbd0de7 in nsRange::ExcludeNonSelectableNodes(nsTArray<RefPtr<nsRange> >*) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3078:5
#2 0x7fc64ba51bc0 in UserSelectRangesToAdd /builds/worker/checkouts/gecko/dom/base/Selection.cpp:786:12
#3 0x7fc64ba51bc0 in mozilla::dom::Selection::IsUserSelectionCollapsed(nsRange const&, nsTArray<RefPtr<nsRange> >&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:834:3
#4 0x7fc64ba51fa1 in mozilla::dom::Selection::AddRangesForUserSelectableNodes(nsRange*, mozilla::Maybe<unsigned long>*, mozilla::dom::Selection::DispatchSelectstartEvent) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:879:9
#5 0x7fc64ba5a5f1 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1934:14
#6 0x7fc64ba5e776 in AddRangeAndSelectFramesAndNotifyListeners /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1894:10
#7 0x7fc64ba5e776 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3471:3
#8 0x7fc64ba5e4f2 in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2672:3
#9 0x7fc64e8eb8c9 in mozilla::HTMLEditor::SelectAllInternal() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4112:18
#10 0x7fc64e85348b in mozilla::EditorBase::SelectAll() /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:1273:17
#11 0x7fc64e86ea74 in mozilla::SelectAllCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:655:29
#12 0x7fc64b8f1a54 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5414:37
#13 0x7fc64cb176c3 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3826:36
#14 0x7fc64ce8bf68 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#15 0x7fc650941c3f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:425:13
#16 0x7fc65094133d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
#17 0x7fc650942e1e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:572:10
#18 0x7fc6509386e6 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
#19 0x7fc6509386e6 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309:16
#20 0x7fc65092f5d3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:13
#21 0x7fc650941238 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
#22 0x7fc650942e1e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:572:10
#23 0x7fc650943021 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
#24 0x7fc650b01601 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#25 0x7fc64ccb5fd5 in mozilla::dom::BlobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/HTMLCanvasElementBinding.cpp:353:8
#26 0x7fc64cff0079 in mozilla::dom::BlobCallback::Call(mozilla::dom::Blob*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:469:12
#27 0x7fc64cfefbd9 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContextHelper.cpp:52:17
#28 0x7fc64b9f6fcb in mozilla::dom::EncodingCompleteEvent::Run() /builds/worker/checkouts/gecko/dom/base/ImageEncoder.cpp:107:22
#29 0x7fc649aed17e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
#30 0x7fc649ac7006 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
#31 0x7fc649ac5cc8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
#32 0x7fc649ac5f43 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
#33 0x7fc649af01b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#34 0x7fc649af01b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#35 0x7fc649adb8d3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195:16
#36 0x7fc649ae29ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#37 0x7fc64a582a46 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#38 0x7fc64a4a77a7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#39 0x7fc64a4a76b2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#40 0x7fc64a4a76b2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#41 0x7fc64e76e0b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#42 0x7fc6507c5913 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
#43 0x7fc64a58393a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#44 0x7fc64a4a77a7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#45 0x7fc64a4a76b2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#46 0x7fc64a4a76b2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#47 0x7fc6507c4f4c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:707:34
#48 0x563f5d0f8009 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#49 0x563f5d0f8009 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#50 0x7fc65f66d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#51 0x563f5d0d379c in _start (/home/worker/builds/m-c-20220129214144-fuzzing-debug/firefox-bin+0x1579c)
Flags: in-testsuite?
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/bIaN7LDYifH4-gSmayZBaQ/index.html
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220205014840-e8991d00a1d1.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: ea0966587b4a224ef38dad7df1e9c7333948a1a4 (20210206094243)
End: 8133283f58b20445a3bf2e039eb8dbbeffd42f67 (20220129214144)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
If nsRange::ExcludeNonSelectableNodes wants to ignore errors from function that it calls (like nsRange::SetStartBefore/SetEndBefore) then it should use IgnoredErrorResult or IgnoreErrors().
Severity: -- → S3
Flags: needinfo?(masayuki)
Priority: -- → P3
|
Assignee | |
Comment 4•2 years ago
|
||
Indeed, it seems that it's just a simple mistake.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 5•2 years ago
|
||
It never returns error since its return type is void and it does not take
out param whose type is ErrorResult.
Therefore, ErrorResult in it is used only for checking whether an error occurs
in the calling methods, but neither SuppressException() nor StealNSResult()
is called for avoiding assertions at destructing the instance.
For avoiding the assertion, and in this case, it should not use ErrorResult.
When the result is completely ignored, IgnoreErrors() should be used instead.
Otherwise, when it just needs to know whether an API call failed or not, it
should use IgnoreErrors to avoid the redundant calls of ErrorResult and
for the performance (ErrorResult's destruction may appear in the profile if
it's used in a hot path).
Depends on D138230
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/0955a24d5c1c Make `nsRange::ExcludeNonSelectableNodes` stop using `ErrorResult` r=mbrodesser
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32797 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox99:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
Upstream PR merged by moz-wptsync-bot
|
||
Comment 10•2 years ago
|
||
Still happening: https://treeherder.mozilla.org/logviewer?job_id=367488700&repo=autoland&lineNumber=132221
Status: RESOLVED → REOPENED
status-firefox99:
fixed → ---
Resolution: FIXED → ---
Target Milestone: 99 Branch → ---
|
|
Reporter | |
Comment 11•2 years ago
|
||
Hey Cosmin, that has a different stack and the attached test case no longer reproduces the issue. Can you double check the issue and open another bug if needed?
Flags: needinfo?(csabou)
|
|
||
Comment 12•2 years ago
|
||
Sure, filed Bug 1754913.
Status: REOPENED → RESOLVED
Closed: 2 years ago → 2 years ago
status-firefox99:
--- → fixed
Flags: needinfo?(csabou)
Resolution: --- → FIXED
See Also: → 1754913
Target Milestone: --- → 99 Branch
|
||
Updated•2 years ago
|
status-firefox97:
--- → wontfix
status-firefox-esr91:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 13•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220210213101-e8444fbb022b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
| Comment hidden (Intermittent Failures Robot) |
|
||
Comment 15•2 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
You need to log in
before you can comment on or make changes to this bug.
Description
•