Closed Bug 1771809 Opened 2 years ago Closed 2 years ago

Assertion failure: EditorUtils::IsEditableContent( *aSelectionStartPoint.ContainerAsContent(), EditorType::HTML), at src/editor/libeditor/HTMLEditorDeleteHandler.cpp:3717

Categories

(Core :: DOM: Editor, defect, P3)

Tracking


VERIFIED FIXED
103 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- verified

People

(Reporter: tsmith, Assigned: masayuki)

References

(Depends on 1 open bug, Blocks 2 open bugs, Regressed 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220529-ac2e51f9332e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: EditorUtils::IsEditableContent( *aSelectionStartPoint.ContainerAsContent(), EditorType::HTML), at src/editor/libeditor/HTMLEditorDeleteHandler.cpp:3717

#0 0x7f0a43c8a433 in mozilla::HTMLEditor::AutoDeleteRangesHandler::DeleteUnnecessaryNodesAndCollapseSelection(mozilla::HTMLEditor&, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:3716:3
#1 0x7f0a43c7e822 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:3115:19
#2 0x7f0a43c79f7d in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:1655:29
#3 0x7f0a43c78ea2 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) src/editor/libeditor/HTMLEditorDeleteHandler.cpp:1128:43
#4 0x7f0a43bba602 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) src/editor/libeditor/EditorBase.cpp:4294:7
#5 0x7f0a43bb5165 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) src/editor/libeditor/EditorBase.cpp:4258:8
#6 0x7f0a43bd4ceb in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const src/editor/libeditor/EditorCommands.cpp:619:29
#7 0x7f0a40715ad3 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5538:37
#8 0x7f0a419c57e3 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4052:36
#9 0x7f0a41d3b65c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3271:13
#10 0x7f0a471d48f0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#11 0x7f0a471d40fa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#12 0x7f0a471cb4d6 in CallFromStack src/js/src/vm/Interpreter.cpp:578:10
#13 0x7f0a471cb4d6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3314:16
#14 0x7f0a471c2772 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
#15 0x7f0a471d3ff6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
#16 0x7f0a471d5628 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#17 0x7f0a45e99671 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#18 0x7f0a4174ce93 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:836:8
#19 0x7f0a406870b9 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:692:12
#20 0x7f0a407fb7e6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:705:12
#21 0x7f0a407fb7e6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
#22 0x7f0a4056ba76 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:731:12
#23 0x7f0a4056a83d in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:759:3
#24 0x7f0a4056a543 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:600:13
#25 0x7f0a3edbd91e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:475:16
#26 0x7f0a3ed982d3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:788:26
#27 0x7f0a3ed96fa9 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:662:15
#28 0x7f0a3ed970f3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:398:36
#29 0x7f0a3edc10a6 in operator() src/xpcom/threads/TaskController.cpp:124:37
#30 0x7f0a3edc10a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#31 0x7f0a3edacb7f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
#32 0x7f0a3edb317d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#33 0x7f0a3f974956 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#34 0x7f0a3f89cc77 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#35 0x7f0a3f89cb82 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#36 0x7f0a3f89cb82 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#37 0x7f0a43ad0e88 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#38 0x7f0a45c13bfb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#39 0x7f0a3f97584a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#40 0x7f0a3f89cc77 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#41 0x7f0a3f89cb82 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#42 0x7f0a3f89cb82 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#43 0x7f0a45c1321c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#44 0x5582cbb67e90 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#45 0x5582cbb67e90 in main src/browser/app/nsBrowserApp.cpp:338:18
#46 0x7f0a55318082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#47 0x5582cbb3dc3c in _start (/home/worker/builds/m-c-20220529090310-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: da9e76af05647b6d317ba2077d910112aacae28d)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/fRppBhyUrt-5bxzxm6robg/index.html

Looks similar to bug 1771570, since the testcase deletes content after the selectAll command.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Depends on: 1771701

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220530140717-87e39a7da999.
The bug appears to have been introduced in the following build range:

Start: 6613af6e3203dd6259d0dc9dbbf7c9d20b8722c2 (20210817033820)
End: 72ef88010a597fde44c8c2b52cf174f5e1ea33f9 (20210817065732)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6613af6e3203dd6259d0dc9dbbf7c9d20b8722c2&tochange=72ef88010a597fde44c8c2b52cf174f5e1ea33f9

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #3)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220530140717-87e39a7da999.
The bug appears to have been introduced in the following build range:

Start: 6613af6e3203dd6259d0dc9dbbf7c9d20b8722c2 (20210817033820)
End: 72ef88010a597fde44c8c2b52cf174f5e1ea33f9 (20210817065732)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6613af6e3203dd6259d0dc9dbbf7c9d20b8722c2&tochange=72ef88010a597fde44c8c2b52cf174f5e1ea33f9

It's not the right regression range, because the utility method used by the assertion was changed in bug 1725291.

According to the Pernosco session, the DeleteRangesWithTransaction call unexpectedly deletes the dd[contenteditable] from the document. Then the caller tries to clean up the <dd> element and hits the assertion.

This is partially caused by bug 1714915. For now, we should just add the check only in the caller of DeleteUnnecessaryNodesAndCollapseSelection.

In the testcase, the editing host is removed when the first node is removed,
but HTMLEditor::Destroyed() still returns false. So, ideally, we should add
a check of editing host validity in Destroyed(), but for now, we should make
the method check whether the handling range is still editable after running
each transaction.

Depends on D147723
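The following is an added example, not code from this bug, its testcase or Gecko. It models in plain JavaScript the re-validation the patch description above calls for: after each deletion transaction, the handler confirms that the handled range's containers are still connected and still inside an editing host before cleaning up around them, instead of asserting that they are. The FakeNode tree, the two-step handleDeleteNonCollapsedRange, and the hostRemovingDelete transaction that detaches the editing host are all constructed stand-ins; in a browser the same isEditableContent and rangeStillEditable functions work on real DOM nodes, which expose the same parentNode, isConnected and contentEditable properties.

```javascript
// Minimal constructed DOM stand-in: only the properties the editability check
// reads (parentNode, childNodes, isConnected, contentEditable). Not Gecko code.
class FakeNode {
  constructor(name, contentEditable = "inherit") {
    this.name = name;
    this.contentEditable = contentEditable; // "true" | "false" | "inherit"
    this.parentNode = null;
    this.childNodes = [];
    this.isConnected = false;
  }
  append(child) {
    child.parentNode = this;
    this.childNodes.push(child);
    child.setConnected(this.isConnected);
    return child;
  }
  remove() {
    if (!this.parentNode) return;
    const siblings = this.parentNode.childNodes;
    siblings.splice(siblings.indexOf(this), 1);
    this.parentNode = null;
    this.setConnected(false);
  }
  setConnected(flag) {
    this.isConnected = flag;
    for (const child of this.childNodes) child.setConnected(flag);
  }
}

class FakeDocument extends FakeNode {
  constructor() {
    super("#document");
    this.isConnected = true;
  }
}

// Loose analogue of EditorUtils::IsEditableContent(node, EditorType::HTML)
// (assumption: the real check is stricter). The node must be in the document
// and have a contenteditable="true" ancestor that is not shadowed by a nearer
// contenteditable="false".
function isEditableContent(node) {
  if (!node || !node.isConnected) return false;
  for (let n = node; n; n = n.parentNode) {
    if (n.contentEditable === "true") return true;
    if (n.contentEditable === "false") return false;
  }
  return false;
}

function rangeStillEditable(range) {
  return isEditableContent(range.startContainer) &&
         isEditableContent(range.endContainer);
}

// Two-step delete shaped like HandleDeleteNonCollapsedRanges (hypothetical
// simplification): step 1 runs the deletion transaction, step 2 cleans up
// around the collapsed selection. The transaction is caller-supplied so a
// test can make it misbehave the way the bug describes.
function handleDeleteNonCollapsedRange(range, deleteTransaction) {
  deleteTransaction(range);
  // The fix: re-check editability after the transaction rather than assert it.
  if (!rangeStillEditable(range)) {
    return { status: "editing-host-gone", cleanedUp: false };
  }
  // Cleanup stand-in: remove child elements left without any children.
  const container = range.startContainer;
  for (const child of [...container.childNodes]) {
    if (child.childNodes.length === 0 && child.name !== "#text") child.remove();
  }
  return { status: "ok", cleanedUp: true };
}

// Builds <body><dl><dd contenteditable>text<br></dd></dl></body> (constructed).
function buildDocument() {
  const doc = new FakeDocument();
  const body = doc.append(new FakeNode("body"));
  const dl = body.append(new FakeNode("dl"));
  const dd = dl.append(new FakeNode("dd", "true"));
  const text = dd.append(new FakeNode("#text"));
  const br = dd.append(new FakeNode("br"));
  return { doc, body, dl, dd, text, br };
}

// Well-behaved transaction: removes only the selected text node.
function wellBehavedDelete(range) {
  range.startContainer.childNodes[0]?.remove();
}

// Scenario from the bug: the first removal also takes the <dd> editing host
// out of the document, so the range's container is detached at cleanup time.
function hostRemovingDelete(range) {
  range.startContainer.childNodes[0]?.remove();
  range.startContainer.remove();
}
```

With the well-behaved transaction the handler reaches cleanup and reports "ok"; with the host-removing transaction it returns "editing-host-gone" without touching the detached subtree, which is the behaviour the fix restores in place of the assertion.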

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

This is a traditional bug which is detected by making the utility method check stricter. Therefore, it's not suitable to treat this bug as a regression unless we find a true regression range.

Severity: -- → S3
Flags: needinfo?(masayuki)
Keywords: regression
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/8b7e176bb5e0
Make `HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges` check if handling range is still editable r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/34274 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220601094632-a99cd6ce98c9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon