Assertion failure: mFrameSelection->GetPresShell()->GetDocument() == content->GetComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1556
Categories
(Core :: DOM: Selection, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | unaffected |
| firefox123 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20231227-856e86584c4c (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mFrameSelection->GetPresShell()->GetDocument() == content->GetComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1556
#0 0x7f6df871cdd3 in mozilla::dom::Selection::GetPrimaryFrameForCaretAtFocusNode(bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1555:3
#1 0x7f6df8729d36 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3694:7
#2 0x7f6df90c4f51 in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1073:24
#3 0x7f6df9a96c6e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#4 0x7f6dfdfa78b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#5 0x7f6dfdfa720b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#6 0x7f6dfdfb6b08 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#7 0x7f6dfdfb6b08 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#8 0x7f6dfdfa6792 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#9 0x7f6dfdfa7228 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#10 0x7f6dfdfa84dd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#11 0x7f6dfe09a4f4 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#12 0x7f6df94fff98 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:453:8
#13 0x7f6df84e0654 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:397:12
#14 0x7f6df868e506 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:410:12
#15 0x7f6df868e506 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:57:13
#16 0x7f6df83c6391 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:726:12
#17 0x7f6df83c51e1 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:754:3
#18 0x7f6df83c4f70 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:595:13
#19 0x7f6df69462d7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
#20 0x7f6df693ba46 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
#21 0x7f6df693a38e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:15
#22 0x7f6df693a6a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
#23 0x7f6df694a276 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:37
#24 0x7f6df694a276 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#25 0x7f6df695f5e2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#26 0x7f6df696672d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#27 0x7f6df7639885 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#28 0x7f6df7553351 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#29 0x7f6df7553351 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#30 0x7f6dfbe7d488 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#31 0x7f6dfbf3a458 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#32 0x7f6dfdd6db7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#33 0x7f6df763a766 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#34 0x7f6df7553351 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7f6df7553351 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7f6dfdd6d3e2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#37 0x56232186e156 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#38 0x56232186e156 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#39 0x7f6e0c429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#40 0x7f6e0c429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#41 0x562321843e88 in _start (/home/user/workspace/browsers/m-c-20231228170344-fuzzing-debug/firefox-bin+0x58e88) (BuildId: 7361de96fa77a97dae318edc8ce497bdf446c925)
|
||
Comment 1•9 months ago
|
||
Verified bug as reproducible on mozilla-central 20231228170344-10aa74237898.
The bug appears to have been introduced in the following build range:
Start: 6d9a0abd0a3c26f4337aff723c15795fe91fe884 (20231227091935)
End: 856e86584c4c811f064f93e2b734dd374c787eaf (20231227145854)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6d9a0abd0a3c26f4337aff723c15795fe91fe884&tochange=856e86584c4c811f064f93e2b734dd374c787eaf
|
Reporter | |
Comment 2•9 months ago
|
||
Looks like it was regressed by either bug 1816581 or bug 1872000.
|
||
Comment 3•9 months ago
|
||
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:masayuki and :lsalzman, since you are the authors of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
|
||
Updated•9 months ago
|
|
Assignee | |
Comment 4•9 months ago
|
||
The assertion should be handled in the root callers of the method, so this assertion just detects the edge case.
|
|
Assignee | |
Comment 5•9 months ago
|
||
Oh, the first Selection.modify call moves selection into the anonymous subtree!
|
|
||
Comment 6•9 months ago
|
||
:masayuki, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.
|
|
||
Comment 7•9 months ago
|
||
Set release status flags based on info from the regressing bug 1816581
|
|
Assignee | |
Comment 8•9 months ago
|
||
Selection.modify with "line" calls nsIFrame::PeekOffsetForLine (which
is also used to move caret). To compute the destination,
nsIFrame::PeekOffsetForLine is used, but it may return a native anonymous
node because its helper function, GetSelectionClosestFrame, does not check
the boundary. On the other hand, it's used by pointing device event handlers
too. In this case, it needs to return a native anonymous node. Therefore,
the helper method requires additional flag to consider whether it can return
native anonymous node.
|
||
Comment 11•8 months ago
|
||
| bugherder | ||
|
|
||
Comment 12•8 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240117092715-71000174812f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•