Closed Bug 1863771 Opened 8 months ago Closed 8 months ago

Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475

Categories

(Core :: DOM: Editor, defect)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 5d6699b34edc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5d6699b34edc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475

    ==769092==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f87676f8b5a bp 0x7ffda0d56350 sp 0x7ffda0d55c80 T769092)
    ==769092==The signal is caused by a WRITE memory access.
    ==769092==Hint: address points to the zero page.
        #0 0x7f87676f8b5a in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475:7
        #1 0x7f87677748cd in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /editor/libeditor/WSRunObject.cpp:319:35
        #2 0x7f87676e87cf in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:4998:14
        #3 0x7f87676e76bc in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:2722:18
        #4 0x7f87676e3967 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:534:15
        #5 0x7f87676ddca3 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:1952:56
        #6 0x7f87676d9a9a in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:1698:11
        #7 0x7f87676d8a1f in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /editor/libeditor/HTMLEditorDeleteHandler.cpp:1165:61
        #8 0x7f876760284c in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /editor/libeditor/EditorBase.cpp:4442:9
        #9 0x7f87675fce10 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /editor/libeditor/EditorBase.cpp:4405:8
        #10 0x7f876761c818 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /editor/libeditor/EditorCommands.cpp:623:29
        #11 0x7f8763baa4f7 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /dom/base/Document.cpp:5504:37
        #12 0x7f8764e647a1 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4007:36
        #13 0x7f87651ad618 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
        #14 0x7f8769973734 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #15 0x7f876997304d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #16 0x7f8769983618 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #17 0x7f8769983618 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #18 0x7f87699725a2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #19 0x7f8769973069 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #20 0x7f876997450d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #21 0x7f8769a5b2e4 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #22 0x7f8764ec39ec in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #23 0x7f876581f6c6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #24 0x7f876581f282 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1342:43
        #25 0x7f87658203c4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1663:12
        #26 0x7f876581fc39 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1560:35
        #27 0x7f876581322f in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #28 0x7f876581322f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #29 0x7f87658127ab in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:611:18
        #30 0x7f87658151e6 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1232:11
        #31 0x7f8767959f42 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1077:7
        #32 0x7f8768f63442 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6348:20
        #33 0x7f8768f6284b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5740:7
        #34 0x7f8768f64516 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #35 0x7f8762fd4ad9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1372:3
        #36 0x7f8762fd4052 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14
        #37 0x7f8762fd220b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:795:9
        #38 0x7f8762fd34b1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:678:5
        #39 0x7f8768f9a0af in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13813:23
        #40 0x7f87621f445f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #41 0x7f87621f59a0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #42 0x7f8763bd796c in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11679:18
        #43 0x7f8763bbd906 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8132:3
        #44 0x7f8763c705a9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #45 0x7f8763c705a9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #46 0x7f8763c705a9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #47 0x7f8763c705a9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #48 0x7f8763c705a9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #49 0x7f8763c705a9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #50 0x7f8763c705a9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #51 0x7f8761fb4bc7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
        #52 0x7f8761fac793 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
        #53 0x7f8761faafd7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
        #54 0x7f8761fab435 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
        #55 0x7f8761fb88d6 in operator() /xpcom/threads/TaskController.cpp:211:37
        #56 0x7f8761fb88d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #57 0x7f8761fcf432 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
        #58 0x7f8761fd651d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #59 0x7f8762c92845 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #60 0x7f8762bac831 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #61 0x7f8762bac831 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #62 0x7f87674e8d18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #63 0x7f876973482b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #64 0x7f8762c93726 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #65 0x7f8762bac831 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #66 0x7f8762bac831 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #67 0x7f8769734092 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #68 0x5631d9426276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #69 0x5631d9426276 in main /browser/app/nsBrowserApp.cpp:375:18
        #70 0x7f8776340d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #71 0x7f8776340e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #72 0x5631d93fbfa8 in _start (/home/jkratzer/builds/m-c-20231107214948-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: e85916198980a98c4e9f8fdbf0edfb81a869e8a7)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475:7 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&)
    ==769092==ABORTING
Attached file Testcase (obsolete)
Attached file testcase.html
Attachment #9362629 - Attachment is obsolete: true
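
The sanitizer report above is the raw material a fuzzing triage pipeline works from. The following Python is added here as an illustration; it is not taken from the bug, from grizzly or from Mozilla's tooling. It parses a trimmed copy of that report (constructed inline) into the assertion condition and site, the faulting address and access type, and the stack frames, then builds a bucketing signature from the first source-tree frames and checks whether the SEGV is the assertion's own abort. That last check relies on one fact about Gecko debug builds: MOZ_CRASH, which a failing MOZ_ASSERT calls, deliberately writes to address 0 on non-Windows platforms, which is why UBSan reports a WRITE to the zero page at the assertion's own file:line. The field names, the signature depth and the /builds/ filter are this example's own choices.

```python
"""Triage helper for Gecko debug-build crash logs of the kind pasted above.

Added example for this page; it is not part of the bug, of grizzly or of
Mozilla's tooling.  It parses the assertion line, the sanitizer SEGV banner
and the stack frames, then derives a bucketing signature and says whether the
SEGV is just the assertion's own abort (MOZ_CRASH writes to address 0 on
non-Windows) or an independent memory fault.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the report in the bug above
# (argument lists of two frames shortened to "...").
SAMPLE_LOG = """\
Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475

    ==769092==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f87676f8b5a bp 0x7ffda0d56350 sp 0x7ffda0d55c80 T769092)
    ==769092==The signal is caused by a WRITE memory access.
    ==769092==Hint: address points to the zero page.
        #0 0x7f87676f8b5a in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475:7
        #1 0x7f87677748cd in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(...) /editor/libeditor/WSRunObject.cpp:319:35
        #2 0x7f87676e87cf in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(...) /editor/libeditor/HTMLEditorDeleteHandler.cpp:4998:14
        #14 0x7f8769973734 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditorDeleteHandler.cpp:5475:7 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&)
    ==769092==ABORTING
"""

ASSERT_RE = re.compile(
    r"^\s*Assertion failure: (?P<cond>.+), at (?P<file>\S+?):(?P<line>\d+)\s*$", re.M)
SEGV_RE = re.compile(
    r"ERROR: (?P<tool>\w+Sanitizer): SEGV on unknown address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# C++ signatures contain spaces, so the location is taken as the last
# whitespace-free token on the line that starts with '/'.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>/\S+)\s*$", re.M)

ZERO_PAGE = 0x1000            # faults below this are null pointer (+ small offset) accesses
GENERATED_PREFIXES = ("/builds/",)  # objdir/sysroot frames carry no bucketing value


@dataclass
class Frame:
    index: int
    func: str
    loc: str   # /path/file.cpp:line:col (column may be absent)


@dataclass
class CrashReport:
    assertion: Optional[str]
    assertion_site: Optional[str]   # /path/file.cpp:line
    tool: Optional[str]
    address: Optional[int]
    access: Optional[str]
    frames: list[Frame]


def parse_report(text: str) -> CrashReport:
    """Pull the assertion, the SEGV banner and the frames out of one report."""
    a = ASSERT_RE.search(text)
    s = SEGV_RE.search(text)
    w = ACCESS_RE.search(text)
    frames = [Frame(int(m["idx"]), m["func"], m["loc"]) for m in FRAME_RE.finditer(text)]
    return CrashReport(
        assertion=a["cond"] if a else None,
        assertion_site=f"{a['file']}:{a['line']}" if a else None,
        tool=s["tool"] if s else None,
        address=int(s["addr"], 16) if s else None,
        access=w["access"] if w else None,
        frames=frames,
    )


def crash_signature(report: CrashReport, depth: int = 3) -> str:
    """Bucket key: the first `depth` source-tree frames with argument lists stripped."""
    names: list[str] = []
    for f in report.frames:
        if f.loc.startswith(GENERATED_PREFIXES):
            continue
        names.append(f.func.split("(", 1)[0])
        if len(names) == depth:
            break
    return "|".join(names)


def classify(report: CrashReport) -> str:
    """assertion-abort: the SEGV is the assert's own null write at the assert site.
    null-deref: a zero-page fault somewhere else.  wild-access: any other address."""
    if report.address is None:
        return "no-fault"
    top = report.frames[0] if report.frames else None
    at_assert_site = (
        report.assertion_site is not None and top is not None
        and (top.loc == report.assertion_site
             or top.loc.startswith(report.assertion_site + ":"))
    )
    if at_assert_site and report.address == 0 and report.access == "WRITE":
        return "assertion-abort"
    if report.address < ZERO_PAGE:
        return "null-deref"
    return "wild-access"


if __name__ == "__main__":
    rep = parse_report(SAMPLE_LOG)
    print(classify(rep), crash_signature(rep), rep.assertion, sep="\n")
```

For this log the result is `assertion-abort`: the zero-page write is the assertion firing, so the actionable facts are the assertion condition and its site, not the SEGV. A zero-page fault at any frame other than the assertion site comes back as `null-deref` and deserves a separate look, because it means the invariant check did not cover the broken state.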

After applying the patch for bug 1861603, this is not reproducible. So I just need to add the test into the tree.

Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Depends on: 1861603

Verified bug as reproducible on mozilla-central 20231108211203-f1fb5f0afb58.
The bug appears to have been introduced in the following build range:

Start: cc2d7a60e797ccda49d1a49206bcded220dd6c4b (20231101012948)
End: b73ef4c8979fb0702de9f4bf2fdf986b1d0fd487 (20231101040821)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cc2d7a60e797ccda49d1a49206bcded220dd6c4b&tochange=b73ef4c8979fb0702de9f4bf2fdf986b1d0fd487

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Set release status flags based on info from the regressing bug 1858794

Testcase crashes using the initial build (mozilla-central 20231107214948-5d6699b34edc) but not with tip (mozilla-central 20231110212245-05705239ef28).

The bug appears to have been fixed in the following build range:

Start: fd3f50f4dce00592f4da8f972037ced4a0c9f5be (20231109000405)
End: 975206b939dc6e4f823a1a29c703dd586e4157b9 (20231109041458)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fd3f50f4dce00592f4da8f972037ced4a0c9f5be&tochange=975206b939dc6e4f823a1a29c703dd586e4157b9

masayuki, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(masayuki)
Keywords: bugmon

:masayuki, was this fixed by bug 1861603?

Ah, my apologies. I missed the previous comments.

Yeah, I just added the testcase since this was already fixed in bug 1861603. That fixed a bug in the utility method in the new editing behavior mode. Therefore, various cases of this kind of failure may have appeared before that, but all of them should be fixed now.

Flags: needinfo?(masayuki)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43111 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
Upstream PR merged by moz-wptsync-bot