Closed
Bug 1874075
Opened 5 months ago
Closed 4 months ago
Assertion failure: !newEditingHost->IsInNativeAnonymousSubtree(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3442
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
RESOLVED
FIXED
125 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | fixed |
| firefox124 | --- | fixed |
| firefox125 | --- | fixed |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20231111-03298dc094d1 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: !newEditingHost->IsInNativeAnonymousSubtree(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3442
#0 0x7f1eec632220 in mozilla::dom::Selection::StyledRanges::MaybeFocusCommonEditingHost(mozilla::PresShell*) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3442:7
#1 0x7f1eec629e82 in mozilla::dom::Selection::NotifySelectionListeners() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3479:19
#2 0x7f1eec62c26f in mozilla::dom::Selection::CollapseInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2433:3
#3 0x7f1eec62cae4 in mozilla::dom::Selection::CollapseToStart(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2478:3
#4 0x7f1eec62c8ea in mozilla::dom::Selection::CollapseToStartJS(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2448:3
#5 0x7f1eecfcda6c in mozilla::dom::Selection_Binding::collapseToStart(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:650:24
#6 0x7f1eed9a16de in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#7 0x7f1ef1ed3d74 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#8 0x7f1ef1ed36cb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#9 0x7f1ef1ee2fc8 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#10 0x7f1ef1ee2fc8 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#11 0x7f1ef1ed2c52 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#12 0x7f1ef1ed36e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#13 0x7f1ef1ed499d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#14 0x7f1ef1fc75d4 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#15 0x7f1eed6d6b6b in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#16 0x7f1eee03cfb9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#17 0x7f1eee03c087 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#18 0x7f1eee018945 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1349:22
#19 0x7f1eee019a44 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1664:12
#20 0x7f1eee0192b9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1561:35
#21 0x7f1eee00c9df in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#22 0x7f1eee00c9df in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#23 0x7f1eee00bf5b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:611:18
#24 0x7f1eee00e996 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1232:11
#25 0x7f1ef0214bd2 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1077:7
#26 0x7f1ef14b9432 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6329:13
#27 0x7f1ef14b883b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5721:7
#28 0x7f1ef14ba506 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#29 0x7f1eeb880a49 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1372:3
#30 0x7f1eeb87ffc2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#31 0x7f1eeb87e1cb in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#32 0x7f1eeb87f471 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#33 0x7f1ef14f0abf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13822:23
#34 0x7f1eeaa9222f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#35 0x7f1eeaa93770 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#36 0x7f1eec1352fa in imgRequestProxy::RemoveFromLoadGroup() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:336:15
#37 0x7f1eec13c243 in imgRequestProxy::OnLoadComplete(bool) /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:1016:7
#38 0x7f1eec108949 in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:354:13
#39 0x7f1eec108949 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:284:9
#40 0x7f1eec1075ed in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:353:5
#41 0x7f1eec0cbd2b in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:372:5
#42 0x7f1eec0cbd2b in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:371:19)> /builds/worker/checkouts/gecko/image/CopyOnWrite.h:155:12
#43 0x7f1eec0cbd2b in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:371:14
#44 0x7f1eec0f751b in mozilla::image::VectorImage::OnSVGDocumentLoaded() /builds/worker/checkouts/gecko/image/VectorImage.cpp:1493:23
#45 0x7f1eec0fae88 in mozilla::image::SVGLoadEventListener::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/image/VectorImage.cpp:212:13
#46 0x7f1eee018945 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1349:22
#47 0x7f1eee019a44 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1664:12
#48 0x7f1eee0192b9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1561:35
#49 0x7f1eee00c9df in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#50 0x7f1eee00c9df in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#51 0x7f1eee00beee in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:603:16
#52 0x7f1eee00e996 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1232:11
#53 0x7f1eee011d43 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#54 0x7f1eec755999 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1404:17
#55 0x7f1eee020f22 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:214:13
#56 0x7f1eedfc37dd in mozilla::AsyncEventDispatcher::DispatchEventOnTarget(mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::ChromeOnlyDispatch, mozilla::Composed) /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:75:3
#57 0x7f1eedfc3429 in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:62:5
#58 0x7f1eea84dd67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
#59 0x7f1eea8434d6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
#60 0x7f1eea841cb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:718:15
#61 0x7f1eea842135 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
#62 0x7f1eea851d06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:37
#63 0x7f1eea851d06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#64 0x7f1eea867072 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#65 0x7f1eea86e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#66 0x7f1eeb541fe5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#67 0x7f1eeb45b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#68 0x7f1eeb45b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#69 0x7f1eefd92748 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#70 0x7f1eefe4f698 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#71 0x7f1ef1c9a04b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#72 0x7f1eeb542ec6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#73 0x7f1eeb45b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#74 0x7f1eeb45b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#75 0x7f1ef1c998b2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#76 0x55f8022fe156 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#77 0x55f8022fe156 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#78 0x7f1efee29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#79 0x7f1efee29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#80 0x55f8022d3e88 in _start (/home/user/workspace/browsers/m-c-20240109162901-fuzzing-debug/firefox-bin+0x58e88) (BuildId: e4c62efaf5851b0d60578cde9670049ea317e982)
Flags: in-testsuite?
|
||
Comment 1•5 months ago
|
||
Verified bug as reproducible on mozilla-central 20240110213539-1c750a173258.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 539f28c1de729aac0a9676536b9fde47fb25d79f (20230112041059)
End: 03298dc094d12359e06605347462a19dcd6a510f (20231111211250)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•5 months ago
|
Severity: -- → S3
Keywords: pernosco-wanted
|
|
||
Comment 2•5 months ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Keywords: pernosco-wanted → pernosco
| Comment hidden (obsolete) |
| Comment hidden (obsolete) |
| Comment hidden (obsolete) |
| Comment hidden (obsolete) |
|
|
||
Comment 8•5 months ago
|
||
Testcase crashes using the initial build (mozilla-central 20231111211250-03298dc094d1) but not with tip (mozilla-central 20240119221343-1ccd39433268.)
The bug appears to have been fixed in the following build range:
Start: 2a7dd75d1bfc1693115b94b3e424e58b331cefab (20240117040825)
End: 71000174812fc0992b6793e53ac5f11f1b87bdc0 (20240117050436)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a7dd75d1bfc1693115b94b3e424e58b331cefab&tochange=71000174812fc0992b6793e53ac5f11f1b87bdc0
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(twsmith)
Keywords: bugmon
|
Reporter | |
Comment 9•4 months ago
|
||
I can no longer reproduce the issue.
masayuki: Is it possible this issue was fixed by the patch in Bug 1872302?
Flags: needinfo?(twsmith) → needinfo?(masayuki)
|
Assignee | |
Comment 10•4 months ago
|
||
Yeah, should be so. I'll add the testcase into the tree.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 11•4 months ago
|
||
The bug itself was fixed in bug 1872302. Let's add the reported testcase into
the tree.
|
||
Comment 12•4 months ago
|
||
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/823b3712a4c8 Add reported testcase into WPT r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/44726 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 14•4 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox125:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
|
||
Comment 15•4 months ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
status-firefox124:
--- → affected
Upstream PR merged by moz-wptsync-bot
|
||
Updated•4 months ago
|
|
||
Updated•4 months ago
|
status-firefox-esr115:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•