Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1527
Categories
(Core :: DOM: Editor, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | wontfix |
| firefox110 | --- | wontfix |
| firefox111 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(5 files)
Found while fuzzing m-c 20230113-9af5d0877b6b (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1527
#0 0x7f1d645393e4 in AutoEditorDOMRangeChildrenInvalidator /builds/worker/checkouts/gecko/editor/libeditor/EditorDOMPoint.h
#1 0x7f1d645393e4 in mozilla::HTMLEditor::MoveOneHardLineContentsWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&, mozilla::HTMLEditor::MoveToEndOfContainer) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5049:45
#2 0x7f1d6459ef3d in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:593:21
#3 0x7f1d6452ce51 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4774:49
#4 0x7f1d6452d86c in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:2999:16
#5 0x7f1d645293a8 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:540:15
#6 0x7f1d645249da in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1938:56
#7 0x7f1d64521151 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1679:11
#8 0x7f1d6451f9b2 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1160:61
#9 0x7f1d6444c8e4 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4230:9
#10 0x7f1d644474a1 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4193:8
#11 0x7f1d6446546b in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#12 0x7f1d60cf9356 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5489:37
#13 0x7f1d620becff in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#14 0x7f1d62453ec2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#15 0x7f1d667c7696 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#16 0x7f1d667c6fbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#17 0x7f1d667b8bff in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#18 0x7f1d667b8bff in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
#19 0x7f1d667ac2be in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#20 0x7f1d667c6ebb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#21 0x7f1d667c83ec in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#22 0x7f1d6688484c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#23 0x7f1d61d63ce1 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:827:8
#24 0x7f1d60c69795 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:691:12
#25 0x7f1d60de35f6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:704:12
#26 0x7f1d60de35f6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:58:13
#27 0x7f1d60b4edf4 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:730:12
#28 0x7f1d60b4dc0b in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:758:3
#29 0x7f1d60b4d921 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:599:13
#30 0x7f1d5f2a6205 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#31 0x7f1d5f2a17dc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#32 0x7f1d5f2a050e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:726:15
#33 0x7f1d5f2a0705 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#34 0x7f1d5f2a9b06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#35 0x7f1d5f2a9b06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#36 0x7f1d5f2bf355 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#37 0x7f1d5f2c567d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#38 0x7f1d5febe3d3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#39 0x7f1d5fde0258 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#40 0x7f1d5fde0161 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#41 0x7f1d5fde0161 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#42 0x7f1d64349168 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#43 0x7f1d66581a7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#44 0x7f1d5febf299 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7f1d5fde0258 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#46 0x7f1d5fde0161 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#47 0x7f1d5fde0161 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#48 0x7f1d665815d8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#49 0x55b770251ce0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x55b770251ce0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#51 0x7f1d72993d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#52 0x7f1d72993e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#53 0x55b770228348 in _start (/home/user/workspace/browsers/m-c-20230119163652-fuzzing-debug/firefox-bin+0x5b348) (BuildId: ddb32622b19b12c874ac81c404ddbedbd42e7b22)
|
||
Comment 1•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230120034623-36cf8390eddd.
The bug appears to have been introduced in the following build range:
Start: 38f540397664cb2b76cd6bc516551184d935a7f4 (20220925090605)
End: 2484b73438e2b3128344cbd4728fb5409feb7dc0 (20220925125406)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=38f540397664cb2b76cd6bc516551184d935a7f4&tochange=2484b73438e2b3128344cbd4728fb5409feb7dc0
|
||
Comment 2•1 year ago
|
||
Setting Regressed by field after analyzing regression range found by bugmon in comment #1.
|
|
||
Comment 3•1 year ago
|
||
Set release status flags based on info from the regressing bug 1782911
:masayuki, since you are the author of the regressor, bug 1782911, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 4•1 year ago
|
||
Now, the method does too many things. Therefore, touching it is hard to review.
I think that it should be handled in a stack class and split each chunk of the
method with sharing some data with members.
Depends on D168179
|
|
Assignee | |
Comment 5•1 year ago
|
||
Depends on D168180
|
|
Assignee | |
Comment 6•1 year ago
|
||
Depends on D168181
|
|
Assignee | |
Comment 7•1 year ago
|
||
One of the crash reasons is, the destination is the parent <video> of the
<ol>. When AutoRangeArray considers the range of first line is, making
<video><source/>{<ol><li>a</li></ol>}. This is not intuitive, but extending
the range to outside of the block boundaries is required to collect editable
target nodes. However, this causes a problem. AutoMoveOneLineHandler splits
the parent <video> element at the range boundaries with
AutoRangeArray::SplitTextNodesAtEndBoundariesAndParentInlineElementsAtBoundaries
since it's treated as an inline element. However, the <video> element is the
container of destination, so this is one unexpected issue for
AutoMoveOneLineHandler. Then, it tries to move split empty nodes to same
or another <video> element (depending on the split node direction). However,
at this time, it fails to move the node and delete it instead because <video>
cannot have not all elements. If the source <video> and destination <video>
is same one, nodes disappear from movedContentRange in Run() and Run()
cannot track it. Therefore, the range becomes invalid.
Ideal approach to fix this issue is, we should redesign considering where is
a line and how to collect the target nodes. However, if I change the
AutoRangeArray methods to fix this case, a lot of regressions appeared because
they are shared in a lot of edit actions. Therefore, I give up to fix them.
Instead, this patch just prevents to split the destination container. This may
have not fixed the real point, However, for now, we should just patch this
case because this could be potentially a problem for web apps which use inline
elements with display: block.
Depends on D168182
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/5d9a767433f3 part 1: Create `AutoMoveOneLineHandler` to implement `HTMLEditor::MoveOneHardLineContentsWithTransaction` r=m_kato
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/718117e104e2 part 2: Split `AutoMoveOneLineHandler::Prepare` more r=m_kato
|
||
Comment 10•1 year ago
|
||
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/3bf8e7781650 part 3: Move `HTMLEditor::CanMoveOrDeleteSomethingInHardLine` into `AutoMoveOneLineHandler` r=m_kato
|
|
||
Comment 11•1 year ago
|
||
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/a3b7df71803c part 4: Make `AutoMoveOneLineHandler` never split container of insertion point r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38341 for changes under testing/web-platform/tests
|
||
Comment 13•1 year ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/5d9a767433f3
https://hg.mozilla.org/mozilla-central/rev/718117e104e2
https://hg.mozilla.org/mozilla-central/rev/3bf8e7781650
https://hg.mozilla.org/mozilla-central/rev/a3b7df71803c
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 15•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230203091639-62c9a4ca360b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•