Closed
Bug 1812170
Opened 3 years ago
Closed 3 years ago
Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/AutoRangeArray.cpp:67
Categories
(Core :: DOM: Editor, defect, P2)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
111 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | unaffected |
| firefox110 | --- | unaffected |
| firefox111 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20230124-35f8b8a01747 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/AutoRangeArray.cpp:67
#0 0x7f716f92e1c2 in mozilla::AutoRangeArray::AutoRangeArray<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/AutoRangeArray.cpp:67:3
#1 0x7f716f94cfaa in mozilla::HTMLEditor::CreateStyleForInsertText(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6216:18
#2 0x7f716f94a61b in mozilla::HTMLEditor::HandleInsertText(mozilla::EditSubAction, nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1097:7
#3 0x7f716f909029 in mozilla::EditorBase::InsertTextAsSubAction(nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6033:7
#4 0x7f716f91c557 in mozilla::EditorBase::InsertTextAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:5996:8
#5 0x7f716f9210bc in mozilla::InsertPlaintextCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:852:19
#6 0x7f716c12087e in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5514:27
#7 0x7f716d4e618f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#8 0x7f716d87b912 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#9 0x7f7171c8e2a6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#10 0x7f7171c8dbcf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#11 0x7f7171c7f80f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#12 0x7f7171c7f80f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
#13 0x7f7171c72ece in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#14 0x7f7171c8dacb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#15 0x7f7171c8effc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#16 0x7f7171d4b45c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#17 0x7f716d54d5d1 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#18 0x7f716de93529 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#19 0x7f716de92716 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#20 0x7f716de7309d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
#21 0x7f716de73d09 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#22 0x7f716de68b76 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#23 0x7f716de68b76 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#24 0x7f716de680ab in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#25 0x7f716de6a865 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#26 0x7f716fc1aa64 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7
#27 0x7f717125b580 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6447:20
#28 0x7f717125ab2b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5840:7
#29 0x7f717125c426 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#30 0x7f716b5ee988 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#31 0x7f716b5edf72 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#32 0x7f716b5ec205 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#33 0x7f716b5ed405 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#34 0x7f717128e45e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13866:23
#35 0x7f716a8d385f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#36 0x7f716a8d4d83 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#37 0x7f716c14cb89 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11552:18
#38 0x7f716c118cab in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11490:9
#39 0x7f716c1339c8 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8017:3
#40 0x7f716c1e36f8 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#41 0x7f716c1e36f8 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#42 0x7f716c1e36f8 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#43 0x7f716a6c0d82 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#44 0x7f716a6cb015 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#45 0x7f716a6c65ec in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#46 0x7f716a6c51ba in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#47 0x7f716a6c5515 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#48 0x7f716a6ce916 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#49 0x7f716a6ce916 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#50 0x7f716a6e3e15 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#51 0x7f716a6ea13d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#52 0x7f716b2e3163 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#53 0x7f716b204f18 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#54 0x7f716b204e21 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#55 0x7f716b204e21 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#56 0x7f716f8049d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#57 0x7f7171a486bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#58 0x7f716b2e4029 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#59 0x7f716b204f18 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#60 0x7f716b204e21 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#61 0x7f716b204e21 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#62 0x7f7171a48218 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#63 0x561c0c2face0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x561c0c2face0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#65 0x7f717de02d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#66 0x7f717de02e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#67 0x561c0c2d1348 in _start (/home/user/workspace/browsers/m-c-20230120212103-fuzzing-debug/firefox-bin+0x5b348) (BuildId: fb2ab566cecf57e47d9c81989c8a405fb904864f)
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
Verified bug as reproducible on mozilla-central 20230124213422-ba77054848c4.
The bug appears to have been introduced in the following build range:
Start: 14b861cccbebd6e09c03b919554ec6cbb46a0609 (20230116222837)
End: 649e128771267789cb8ff55d9f42c459fd0f2cd2 (20230117000234)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=14b861cccbebd6e09c03b919554ec6cbb46a0609&tochange=649e128771267789cb8ff55d9f42c459fd0f2cd2
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•3 years ago
|
||
Got crash from the testcase on latest Winx64 Nightly: https://crash-stats.mozilla.org/report/index/fcdbfd0b-ee58-458d-ab0d-9e3e00230125
Crash Signature: [@ nsINode::OwnerDoc ]
Keywords: crash
|
Assignee | |
Comment 3•3 years ago
|
||
Direct regression point must be bug 1807829 because of starting to use the unset pointToPutCaret for initializing AutoRangeArray. However, it's a bug of that it's unset there.
Assignee: nobody → masayuki
Severity: -- → S2
Status: NEW → ASSIGNED
OS: Unspecified → All
Priority: -- → P2
Regressed by: 1807829
Hardware: Unspecified → All
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1807829
status-firefox109:
--- → unaffected
status-firefox110:
--- → unaffected
status-firefox-esr102:
--- → unaffected
|
|
Assignee | |
Comment 5•3 years ago
|
||
This is also caused by bug 1792654. A regression caused by bug 1792654 becomes reproducible by the patch for bug 1807829.
Regressed by: 1792654
|
|
Assignee | |
Comment 6•3 years ago
|
||
The new path added in bug 1807829 hits the odd result case of ClearStyleAt.
pointToPutCaret may be updated if the preceding split occurs. Therefore,
it should be returned if it does not split next nodes after the first split
instead of returning unset point (because of not splitting the point,
unwrappedSplitNodeResult.AtSplitPoint may return unset point, therefore,
it may return unset point in the case).
Additionally, I forgot to split delete SplitNodeResult::mCaretPoint in
bug 1792654, and it causes SplitNodeDeepWithTransaction returns unset caret
point. This patch fixes this bug too.
Depends on D168178
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/20512741e7b6
Make `HTMLEditor::ClearStyleAt` should return `pointToPutCaret` if next node of first split is not split r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38317 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 9•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 11•3 years ago
|
||
Verified bug as fixed on rev mozilla-central 20230202091542-20512741e7b6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•