Closed Bug 1872301 Opened 2 years ago Closed 2 years ago

Assertion failure: startFrame, at /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3226

Categories

(Core :: DOM: Selection, defect)

Tracking

VERIFIED FIXED
123 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- unaffected
firefox122 --- unaffected
firefox123 --- verified

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20231225-fdd85a789550 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: startFrame, at /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3226

#0 0x7f11139fd0cb in nsFocusManager::GetSelectionLocation(mozilla::dom::Document*, mozilla::PresShell*, nsIContent**, nsIContent**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3226:5
#1 0x7f11139ea3d4 in nsFocusManager::DetermineElementToMoveFocus(nsPIDOMWindowOuter*, nsIContent*, int, bool, bool, nsIContent**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3455:9
#2 0x7f11139e8fe5 in nsFocusManager::MoveFocus(mozIDOMWindowProxy*, mozilla::dom::Element*, unsigned int, unsigned int, mozilla::dom::Element**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:532:17
#3 0x7f1118c53f83 in nsWebBrowserFind::SetSelectionAndScroll(nsPIDOMWindowOuter*, nsRange*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:356:13
#4 0x7f1118c53473 in nsWebBrowserFind::SearchInFrame(nsPIDOMWindowOuter*, bool, bool*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:675:5
#5 0x7f1118c528f6 in nsWebBrowserFind::FindNext(bool*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:109:8
#6 0x7f11136331c0 in nsGlobalWindowOuter::FindOuter(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6409:20
#7 0x7f11135e45a5 in nsGlobalWindowInner::Find(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:4154:3
#8 0x7f111474d3f5 in mozilla::dom::Window_Binding::find(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:6394:36
#9 0x7f1114c9857a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#10 0x3b3909faf47d  ([anon:js-executable-memory]+0x47d)

Verified bug as reproducible on mozilla-central 20231228170344-10aa74237898.
The bug appears to have been introduced in the following build range:

Start: e6f85355d2f352d6bc64a11372bc8efc1ced07b8 (20231223155306)
End: 0f896a4a54629904c55cc5e18aa1f6e387c9a697 (20231224060404)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e6f85355d2f352d6bc64a11372bc8efc1ced07b8&tochange=0f896a4a54629904c55cc5e18aa1f6e387c9a697

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 779684

Set release status flags based on info from the regressing bug 779684

:masayuki, since you are the author of the regressor, bug 779684, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(masayuki)

Thank you. The new assertion just detects the existing bug and the test case must find the way to reproduce!

Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
OS: Unspecified → All
Hardware: Unspecified → All

Could you clarify what you mean about the test case needing a way to reproduce? Is it not helping you find the cause?

Flags: needinfo?(masayuki)

Bugmon can open a Pernosco session if the pernosco-wanted keyword is added.

(In reply to Bob Hood [:bhood] from comment #4)

Could you clarify what you mean about the test case needing a way to reproduce? Is it not helping you find the cause?

I meant it found a traditional bug. The assertion was not there, and in the opt build, the error case is correctly handled. So this is an assertion failure only, not affecting users, but I'll try to take a look soon.

Flags: needinfo?(masayuki)

In the test case, nsFocusManager::GetSelectionLocation is called with a collapsed selection at the end of the <svg>, which ends with collapsible white-spaces. Therefore, it reaches the white-space-only text node, and that node does not have a primary frame because it is invisible.

Previously, creating nsFrameIterator failed and then the method returned an error, but after bug 779684, the nsFrameIterator constructor wants a non-nullptr frame to avoid crashing. Therefore, I added the MOZ_ASSERT there to get a way to reproduce the case, and now we got it.

I think that just removing the MOZ_ASSERT and keeping returning an error is not correct. The text can be invisible for other reasons, and when it is not collapsed at the end of invisible text, this does not return an error. Therefore, this patch makes it just return the text in that case without an error.

Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/2425c93f20f6 Make `nsFocusManager::GetSelectionLocation` never fail when found text node has no frame r=NeilDeakin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/44028 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

Verified bug as fixed on rev mozilla-central 20240117040825-2a7dd75d1bfc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot