Closed
Bug 1872428
Opened 6 months ago
Closed 5 months ago
Assertion failure: !HasCaretPointSuggestion() || CaretPointHandled(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditHelpers.h:136
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
123 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | wontfix |
| firefox123 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20231129-d6f61c448b90 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: !HasCaretPointSuggestion() || CaretPointHandled(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditHelpers.h:136
#0 0x7fdc8411d4c0 in mozilla::MoveNodeResult::~MoveNodeResult() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditHelpers.h:136:5
#1 0x7fdc8419e716 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5644:1
#2 0x7fdc8421e426 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.cpp:774:35
#3 0x7fdc8418cbe9 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5071:14
#4 0x7fdc8418e04c in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary(mozilla::HTMLEditor&, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3010:16
#5 0x7fdc84187f38 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:529:15
#6 0x7fdc841823f2 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1976:56
#7 0x7fdc8417e0ba in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1702:11
#8 0x7fdc8417d03f in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1169:61
#9 0x7fdc840a6a3c in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4440:9
#10 0x7fdc840a1010 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4403:8
#11 0x7fdc840c09e8 in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:623:29
#12 0x7fdc80696ef7 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5528:37
#13 0x7fdc81872f71 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4039:36
#14 0x7fdc81b9a0ee in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#15 0x7fdc860ab9f4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#16 0x7fdc860ab34b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#17 0x7fdc860bac48 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#18 0x7fdc860bac48 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#19 0x7fdc860aa8d2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#20 0x7fdc860ab368 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#21 0x7fdc860ac61d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#22 0x7fdc8619e634 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#23 0x7fdc818cf58b in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#24 0x7fdc82234589 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#25 0x7fdc82233657 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#26 0x7fdc8220ff25 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1348:22
#27 0x7fdc82211024 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1663:12
#28 0x7fdc82210899 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1560:35
#29 0x7fdc82203fbf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#30 0x7fdc82203fbf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#31 0x7fdc8220353b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:611:18
#32 0x7fdc82205f76 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1232:11
#33 0x7fdc82209326 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#34 0x7fdc804433a0 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, mozilla::WidgetEvent&, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4786:17
#35 0x7fdc821bac1c in nsresult nsContentUtils::DispatchTrustedEvent<mozilla::WidgetEvent>(mozilla::dom::Document*, mozilla::dom::EventTarget*, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.h:1522:12
#36 0x7fdc821ba9f1 in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:53:12
#37 0x7fdc7ea49337 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
#38 0x7fdc7ea3eaa6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
#39 0x7fdc7ea3d287 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:718:15
#40 0x7fdc7ea3d705 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
#41 0x7fdc7ea4d2d6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:37
#42 0x7fdc7ea4d2d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7fdc7ea62642 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#44 0x7fdc7ea6978d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#45 0x7fdc7f73c9a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#46 0x7fdc7f656471 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#47 0x7fdc7f656471 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#48 0x7fdc83f815b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#49 0x7fdc8403e588 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#50 0x7fdc85e71cbb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#51 0x7fdc7f73d886 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7fdc7f656471 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#53 0x7fdc7f656471 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#54 0x7fdc85e71522 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#55 0x563ae71c5156 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#56 0x563ae71c5156 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#57 0x7fdc93c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#58 0x7fdc93c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#59 0x563ae719ae88 in _start (/home/user/workspace/browsers/m-c-20231229205714-fuzzing-debug/firefox-bin+0x58e88) (BuildId: 5f307722611ed43ee5f9e3e1fd0314e185bd83a6)
Flags: in-testsuite?
|
||
Comment 1•6 months ago
|
||
Verified bug as reproducible on mozilla-central 20231229205714-52b5c5b51719.
The bug appears to have been introduced in the following build range:
Start: ffaaa99c517223770b014031e25b54d585f95ef2 (20231126211752)
End: edf9292c0bc9c671afa4de12648c16622e9d418c (20231127014937)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ffaaa99c517223770b014031e25b54d585f95ef2&tochange=edf9292c0bc9c671afa4de12648c16622e9d418c
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•6 months ago
|
||
Set release status flags based on info from the regressing bug 1865729
:masayuki, since you are the author of the regressor, bug 1865729, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox121:
--- → unaffected
status-firefox122:
--- → affected
status-firefox-esr115:
--- → unaffected
Flags: needinfo?(masayuki)
|
||
Comment 3•6 months ago
|
||
:hsinyi could this be triaged for severity?
Next week is the final week of beta, maybe Masayuki is on PTO. Wondering if there's a user impact and we need a fix for Fx122
Flags: needinfo?(htsai)
|
Assignee | |
Comment 4•6 months ago
|
||
The assertion just detects a case of "unhandled" case, so must be not serious.
Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
OS: Unspecified → All
Hardware: Unspecified → All
|
||
Updated•6 months ago
|
Flags: needinfo?(htsai)
|
|
||
Updated•5 months ago
|
|
|
Assignee | |
Comment 5•5 months ago
|
||
The test case removes entire the <output> during deleting its content and
that occurs during it moves the content in <div> into the preceding <ruby>.
Therefore, the destination becomes not connected to the document so that it
fails to track the range of moved contents in the document.
Then, the code does not explicitly mark the caret position is not necessary.
So, we just need to do it.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/fb88413de9c1 Make `AutoMoveOneLineHandler::Run` explicitly ignore caret position when the destination is removed r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43962 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 8•5 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
|
||
Updated•5 months ago
|
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 9•5 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240112173417-734e2e027196.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
You need to log in
before you can comment on or make changes to this bug.
Description
•