Closed Bug 1756237 Opened 3 years ago Closed 1 years ago

Assertion failure: aContent.IsInclusiveDescendantOf(aAncestorLimit), at /editor/libeditor/HTMLEditUtils.h:1285

Categories

(Core :: DOM: Editor, defect, P3)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression,
URL
)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Testcase
501 bytes, text/html
Details
Bug 1756237 - Make `HTMLEditor::HandleHTMLIndentAroundRanges` validate DOM tree in each time of the loop r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev 6938c3b26d14 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 6938c3b26d14 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aContent.IsInclusiveDescendantOf(aAncestorLimit), at /editor/libeditor/HTMLEditUtils.h:1285

    ==270352==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f416a0ca8b8 bp 0x7ffd57c4a4c0 sp 0x7ffd57c4a4a0 T270352)
    ==270352==The signal is caused by a WRITE memory access.
    ==270352==Hint: address points to the zero page.
        #0 0x7f416a0ca8b8 in mozilla::HTMLEditUtils::GetClosestAncestorListItemElement(nsIContent const&, mozilla::dom::Element const*) /editor/libeditor/HTMLEditUtils.h:1284:5
        #1 0x7f416a0e47a8 in mozilla::HTMLEditor::HandleHTMLIndentAtSelectionInternal() /editor/libeditor/HTMLEditSubActionHandler.cpp:4321:13
        #2 0x7f416a0e250e in mozilla::HTMLEditor::HandleHTMLIndentAtSelection() /editor/libeditor/HTMLEditSubActionHandler.cpp:4187:17
        #3 0x7f416a0e17e8 in mozilla::HTMLEditor::HandleIndentAtSelection() /editor/libeditor/HTMLEditSubActionHandler.cpp:3942:8
        #4 0x7f416a0e1465 in mozilla::HTMLEditor::IndentAsSubAction() /editor/libeditor/HTMLEditSubActionHandler.cpp:3784:13
        #5 0x7f416a1057b0 in mozilla::HTMLEditor::IndentAsAction(nsIPrincipal*) /editor/libeditor/HTMLEditor.cpp:2586:29
        #6 0x7f416a11f9cc in mozilla::IndentCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /editor/libeditor/HTMLEditorCommands.cpp:418:44
        #7 0x7f41670403e4 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /dom/base/Document.cpp:5409:37
        #8 0x7f41682b7613 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3826:36
        #9 0x7f416862e028 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #10 0x7f416c18e40f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:425:13
        #11 0x7f416c18db0d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:512:12
        #12 0x7f416c18f5ee in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #13 0x7f416c184ea6 in CallFromStack /js/src/vm/Interpreter.cpp:576:10
        #14 0x7f416c184ea6 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3309:16
        #15 0x7f416c17bda3 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #16 0x7f416c18da08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #17 0x7f416c18f5ee in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:572:10
        #18 0x7f416c18f7f1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #19 0x7f416c2c1ef1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #20 0x7f416834d247 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #21 0x7f4168b345b6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #22 0x7f4168b3433a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1308:43
        #23 0x7f4168b35039 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1505:17
        #24 0x7f4168b2a044 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #25 0x7f4168b2a044 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #26 0x7f4168b29567 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #27 0x7f4168b2bdc8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1085:11
        #28 0x7f416a3420b3 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1084:7
        #29 0x7f416b9784e4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6407:20
        #30 0x7f416b977fd3 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5796:7
        #31 0x7f416b978e6f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #32 0x7f416669871c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #33 0x7f4166697caa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #34 0x7f4166696030 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #35 0x7f41666971ed in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #36 0x7f416b99a11d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13783:23
        #37 0x7f41653e964a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #38 0x7f41653eac33 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #39 0x7f416706d6d5 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11549:18
        #40 0x7f4167038233 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11479:9
        #41 0x7f41670540fb in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7994:3
        #42 0x7f4167105c4b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #43 0x7f4167105c4b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #44 0x7f4167105c4b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #45 0x7f41651ec4a2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #46 0x7f416521d2ce in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #47 0x7f41651f64f6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:770:26
        #48 0x7f41651f51b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:606:15
        #49 0x7f41651f5433 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #50 0x7f4165220776 in operator() /xpcom/threads/TaskController.cpp:124:37
        #51 0x7f4165220776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #52 0x7f416520b443 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1171:16
        #53 0x7f416521295a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #54 0x7f4165cbf0a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #55 0x7f4165bdc167 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #56 0x7f4165bdc072 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #57 0x7f4165bdc072 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #58 0x7f4169f9d388 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #59 0x7f416c011b63 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:878:20
        #60 0x7f4165cbff9a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #61 0x7f4165bdc167 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #62 0x7f4165bdc072 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #63 0x7f4165bdc072 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #64 0x7f416c01119c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:715:34
        #65 0x55850dd44d37 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #66 0x55850dd44d37 in main /browser/app/nsBrowserApp.cpp:327:18
        #67 0x7f417a13b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #68 0x55850dd204bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x154bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditUtils.h:1284:5 in mozilla::HTMLEditUtils::GetClosestAncestorListItemElement(nsIContent const&, mozilla::dom::Element const*)
    ==270352==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220218215229-b21fa00b5f33.
The bug appears to have been introduced in the following build range:

Start: 41aa644c25e903647d39812e8aa7fd928c659292 (20210517211858)
End: 2f1ce60bd920913dad5dea4b4c3dabc51025c7d7 (20210517230803)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=41aa644c25e903647d39812e8aa7fd928c659292&tochange=2f1ce60bd920913dad5dea4b4c3dabc51025c7d7

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The assertion was introduced in https://phabricator.services.mozilla.com/D115169, it just detects a long standing bug of indent command handling in inline editing host. I think that we should do nothing or add margin to the editing host, but we should check the other browsers' behavior and follow them if the behavior is reasonable.

Severity: -- → S3
Priority: -- → P3
Regressed by: 1627175

Set release status flags based on info from the regressing bug 1627175

status-firefox100: --- → affected
status-firefox101: --- → affected
status-firefox102: --- → affected
status-firefox-esr91: --- → affected

Sadly, Chrome inserts <blockquote> into the <span contenteditable>...

I don't want to follow the behavior due to invalid HTML structure creation.

URL: https://jsfiddle.net/d_toybox/ez8r1pgq/
OS: Linux → All
Hardware: x86_64 → All
See Also: → 1777903
Attachment #9264632 - Attachment mime type: text/plain → text/html

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

There are 2 possible scenarios which are not handled by the method.

  1. Moving content node to new <blockquote> has already been moved to outside
    of the editing host.
  2. There is no container to insert new <blockquote>, e.g., in an inline
    editing host.

In the case #1, we should ignore the ex-child node. In the case #2, we should
abort it. Note that Chrome inserts <blockquote> even if there is no proper
container. However, such behavior is disagreed in interop-2023. Therefore,
it's okay just to abort it for now.

Depends on D180781

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/42f3f3ab11b4 Make `HTMLEditor::HandleHTMLIndentAroundRanges` validate DOM tree in each time of the loop r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/40565 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/42f3f3ab11b4

Status: ASSIGNED → RESOLVED
Closed: 1 years ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20230615214334-272d7188fe71.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox116: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: