1837463 - Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:551

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230526-d49f009b89ad (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:551

#0 0x7f5ffa2d6144 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::AssignErrorCode(nsresult) /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:551:5
#1 0x7f5fff9586ab in mozilla::HTMLEditor::MoveChildrenBetween(nsIContent&, nsIContent&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp
#2 0x7f5fff9141aa in mozilla::HTMLEditor::MoveInclusiveNextSiblings(nsIContent&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5994:3
#3 0x7f5fff91317f in mozilla::HTMLEditor::DoSplitNode(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&, mozilla::SplitNodeDirection) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5221:7
#4 0x7f5fff9c2c3e in mozilla::SplitNodeTransaction::DoTransactionInternal(mozilla::HTMLEditor&, nsIContent&, nsIContent&, unsigned int) /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:157:67
#5 0x7f5fff9c2433 in mozilla::SplitNodeTransaction::DoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:131:55
#6 0x7f5fffa2b749 in DoTransaction /builds/worker/checkouts/gecko/editor/txmgr/TransactionItem.cpp:80:30
#7 0x7f5fffa2b749 in mozilla::TransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:422:34
#8 0x7f5fffa2b578 in mozilla::TransactionManager::DoTransaction(nsITransaction*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:74:17
#9 0x7f5fff8454d0 in mozilla::EditorBase::DoTransactionInternal(nsITransaction*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:908:41
#10 0x7f5fff8cca83 in mozilla::HTMLEditor::SplitNodeWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4920:17
#11 0x7f5fff8b9784 in mozilla::HTMLEditor::SplitNodeDeepWithTransaction(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5004:11
#12 0x7f5fff907af0 in mozilla::Result<mozilla::CreateNodeResultBase<mozilla::dom::Element>, nsresult> mozilla::HTMLEditor::InsertNodeIntoProperAncestorWithTransaction<mozilla::dom::Element>(mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2293:9
#13 0x7f5fff9061d6 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, bool, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2195:9
#14 0x7f5fff91e435 in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1193:13
#15 0x7f5ffbd36018 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5533:37
#16 0x7f5ffd1d5177 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4126:36
#17 0x7f5ffd579008 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3329:13
#18 0x7f6001cb93c5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#19 0x7f6001cb8c1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#20 0x7f6001ccd492 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#21 0x7f6001ccd492 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#22 0x7f6001cb816d in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#23 0x7f6001cb8c39 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#24 0x7f6001cba24d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#25 0x7f6001da4202 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#26 0x7f5ffd2423cb in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#27 0x7f5ffdbdfe99 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#28 0x7f5ffdbdef69 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#29 0x7f5ffdbbd3bd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1241:22
#30 0x7f5ffdbbde4e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1427:21
#31 0x7f5ffdbb2ab0 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:412:5
#32 0x7f5ffdbb2ab0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:342:17
#33 0x7f5ffdbb203a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:559:18
#34 0x7f5ffdbb480c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1152:11
#35 0x7f5fff28f27f in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:97:12
#36 0x7f5ffa168912 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#37 0x7f5ffa173b37 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#38 0x7f5ffa16ebea in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#39 0x7f5ffa16d557 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#40 0x7f5ffa16d9b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#41 0x7f5ffa1771a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#42 0x7f5ffa1771a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7f5ffa18e12a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16
#44 0x7f5ffa194fdd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#45 0x7f5ffae42715 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#46 0x7f5ffad5e931 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7f5ffad5e931 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7f5fff750048 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7f6001a78b8b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#50 0x7f5ffae435f6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#51 0x7f5ffad5e931 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#52 0x7f5ffad5e931 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#53 0x7f6001a78452 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#54 0x55c3af67f526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#55 0x55c3af67f526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#56 0x7f600de29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#57 0x7f600de29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#58 0x55c3af6567c8 in _start (/home/user/workspace/browsers/m-c-20230607214358-fuzzing-debug/firefox-bin+0x587c8) (BuildId: a51cce1359e84ee61fddf883ec41bc4b4d57e313)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230609214634-501ade4b55d9.
The bug appears to have been introduced in the following build range:

Start: 12a40a80a9757d658928c97c0c3af6c15302fca2 (20230322000349)
End: be84a6280becce858982e8a84d2311ebbc1e68dc (20230322020849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=12a40a80a9757d658928c97c0c3af6c15302fca2&tochange=be84a6280becce858982e8a84d2311ebbc1e68dc

Comment 2

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Bug 1820116 is in the regression window.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1820116

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

This must be just an assertion failure, the behavior itself is intentional.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1837463 - Make move node methods return `nsresult` instead of using `ErrorResult` out-param r=m_kato!

The assertion failure is caused by that RemoveChild() or InsertBefore() is
failed, and overriding the error code with NS_ERROR_EDITOR_DESTROYED.

For saving the construction cost of ErrorResult instances, the related methods
take ErrorResult& as in/out-param. However, the cost is not so high if we
use IgnoredErrorResult and do not create it in the for loop in
MoveChildrenBetween(). Therefore, this patch make them return nsresult
simply to avoid updating error code and suppressing JS error in various places.

Depends on D180786

Comment 6

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/34ee66e10596
Make move node methods return `nsresult` instead of using `ErrorResult` out-param r=m_kato

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/40583 for changes under testing/web-platform/tests

Comment 8

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/34ee66e10596

Comment 9

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230616155552-439d02859a2e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 11

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

status-firefox115: affected → disabled

No, the regression cause is not disabled in 115. However, this is a problem only in debug builds. So I think that we don't need to uplift this.