Closed
Bug 1799231
Opened 2 years ago
Closed 2 years ago
Assertion failure: pointToMoveFirstLineContent.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:523
Categories
(Core :: DOM: Editor, defect, P3)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
108 Branch
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20221102-6d65bca9434c (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: pointToMoveFirstLineContent.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:523
#0 0x7fc3804e5958 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:523:5
#1 0x7fc38047e151 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4774:49
#2 0x7fc38047eb6c in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:2999:16
#3 0x7fc38047a698 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:540:15
#4 0x7fc380475cbf in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1938:56
#5 0x7fc380472431 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1679:11
#6 0x7fc380470c92 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1160:61
#7 0x7fc3803a0f84 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4227:9
#8 0x7fc38039bb31 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4190:8
#9 0x7fc3803b9aeb in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#10 0x7fc37cd20dd1 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5446:37
#11 0x7fc37e0c121f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#12 0x7fc37e455042 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#13 0x7fc382718ebc in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#14 0x7fc38271878e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#15 0x7fc3827081e0 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#16 0x7fc3827081e0 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3375:16
#17 0x7fc3826f944e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#18 0x7fc38271861b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#19 0x7fc382719b91 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#20 0x7fc3827d38cc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#21 0x7fc37e151875 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#22 0x7fc37ea2b829 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#23 0x7fc37ea2aa44 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#24 0x7fc37ea0b6dd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#25 0x7fc37ea0c349 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#26 0x7fc37ea01336 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#27 0x7fc37ea01336 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#28 0x7fc37ea0086b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#29 0x7fc37ea0302b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#30 0x7fc3806a30d4 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7
#31 0x7fc381d02da0 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6434:20
#32 0x7fc381d0234a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5827:7
#33 0x7fc381d03c86 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#34 0x7fc37c1ff008 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#35 0x7fc37c1fe5f2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#36 0x7fc37c1fc8a3 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#37 0x7fc37c1fda85 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#38 0x7fc381d3598e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13846:23
#39 0x7fc37b5049af in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#40 0x7fc37b505ed3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#41 0x7fc37cd4cdc9 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11502:18
#42 0x7fc37cd1935b in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11440:9
#43 0x7fc37cd33d8a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7967:3
#44 0x7fc37cde51f8 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#45 0x7fc37cde51f8 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#46 0x7fc37cde51f8 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#47 0x7fc37b2f1722 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#48 0x7fc37b2fb9a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#49 0x7fc37b2f6f8c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#50 0x7fc37b2f5b5a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#51 0x7fc37b2f5eb5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#52 0x7fc37b2ff2a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#53 0x7fc37b2ff2a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#54 0x7fc37b314c48 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#55 0x7fc37b31b3bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#56 0x7fc37befc333 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#57 0x7fc37be22478 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#58 0x7fc37be22381 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#59 0x7fc37be22381 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#60 0x7fc3802a7518 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#61 0x7fc3824d323b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#62 0x7fc37befd1f9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#63 0x7fc37be22478 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#64 0x7fc37be22381 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#65 0x7fc37be22381 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#66 0x7fc3824d27cc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#67 0x55a3b0e74a40 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#68 0x55a3b0e74a40 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18
#69 0x7fc390154082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#70 0x55a3b0e4b188 in _start (/home/worker/builds/m-c-20221102174350-fuzzing-debug/firefox-bin+0x5b188) (BuildId: e4e723b1ffada4c8fff84940df3f57eed6899ae7)
Flags: in-testsuite?
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/qQ9ak-87ArQejsDUMHExCA/index.html
|
||
Comment 2•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221104160427-510fd2811bcd.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 0283aba1bf2069cfff3ee77c86162fb153a55fc2 (20211106093208)
End: 6d65bca9434c03e5a847b07c8aad330461a9cb56 (20221102174350)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Comment 3•2 years ago
|
||
Due to the preceding DeleteInvisibleASCIIWhiteSpaces call, the destination
may be lost since aLeftContentInBlock may have already been removed from the
DOM tree. Therefore, it should stop handling the deletion when destination is
modified by the web app.
Depends on D161423
|
||
Updated•2 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•2 years ago
|
Severity: -- → S3
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/b134b46b3b8f Make `WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement` verify destination r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36882 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 6•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
|
|
||
Comment 7•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221109164728-650b8a7c9585.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•2 years ago
|
status-firefox106:
--- → wontfix
status-firefox107:
--- → wontfix
status-firefox-esr102:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
Upstream PR merged by moz-wptsync-bot
You need to log in
before you can comment on or make changes to this bug.
Description
•