Closed
Bug 1881377
Opened 4 months ago
Closed 4 months ago
Assertion failure: mFrameSelection->GetPresShell()->GetDocument() == content->GetComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1619
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
VERIFIED
FIXED
125 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | wontfix |
| firefox124 | --- | wontfix |
| firefox125 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20240210-a4ac5f36f609 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mFrameSelection->GetPresShell()->GetDocument() == content->GetComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1619
#0 0x7f85cb2bb8bc in mozilla::dom::Selection::GetPrimaryFrameForCaretAtFocusNode(bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1618:3
#1 0x7f85cb2c8862 in mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3778:7
#2 0x7f85cbc90fd1 in mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1073:24
#3 0x7f85cc660b1e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#4 0x7f85d0b778b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:13
#5 0x7f85d0b7720b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:12
#6 0x7f85d0b86b28 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:10
#7 0x7f85d0b86b28 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3061:16
#8 0x7f85d0b76792 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:452:13
#9 0x7f85d0b77228 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:606:13
#10 0x7f85d0b784dd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:673:8
#11 0x7f85d0c92504 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#12 0x7f85cc39a63b in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#13 0x7f85cccf6ae9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#14 0x7f85cccf5bb7 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#15 0x7f85cccd2105 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1346:22
#16 0x7f85cccd3204 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1661:12
#17 0x7f85cccd2a79 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1558:35
#18 0x7f85cccc60cf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#19 0x7f85cccc60cf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#20 0x7f85cccc5681 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#21 0x7f85cccc8086 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1222:11
#22 0x7f85ccccb556 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#23 0x7f85cb3fd189 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1406:17
#24 0x7f85caf0d8dc in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4754:29
#25 0x7f85caf0d742 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4720:10
#26 0x7f85ccfaf74a in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:6313:10
#27 0x7f85c94e9f27 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#28 0x7f85c94df696 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#29 0x7f85c94dde77 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#30 0x7f85c94de2f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#31 0x7f85c94edec6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#32 0x7f85c94edec6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#33 0x7f85c9503232 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#34 0x7f85c950a37d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#35 0x7f85ca1ec3c5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#36 0x7f85ca102751 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#37 0x7f85ca102751 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#38 0x7f85cea50128 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#39 0x7f85ceb0ff18 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#40 0x7f85d0943dfb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#41 0x7f85ca1ed2a6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#42 0x7f85ca102751 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#43 0x7f85ca102751 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#44 0x7f85d0943662 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#45 0x5616dd7d03b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#46 0x5616dd7d03b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#47 0x7f85de029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#48 0x7f85de029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#49 0x5616dd7a60e8 in _start (/home/user/workspace/browsers/m-c-20240221213323-fuzzing-debug/firefox-bin+0x590e8) (BuildId: c162947dc2f025b1b7870e81310d1341a8a9b38d)
Flags: in-testsuite?
|
||
Comment 1•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20240222043825-445c60e096fe.
The bug appears to have been introduced in the following build range:
Start: 6d9a0abd0a3c26f4337aff723c15795fe91fe884 (20231227091935)
End: 856e86584c4c811f064f93e2b734dd374c787eaf (20231227145854)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6d9a0abd0a3c26f4337aff723c15795fe91fe884&tochange=856e86584c4c811f064f93e2b734dd374c787eaf
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•4 months ago
|
||
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:masayuki and :lsalzman, since you are the authors of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
Flags: needinfo?(masayuki)
Flags: needinfo?(lsalzman)
|
|
||
Comment 3•4 months ago
|
||
Set release status flags based on info from the regressing bug 1816581
status-firefox123:
--- → affected
status-firefox124:
--- → affected
status-firefox-esr115:
--- → unaffected
|
||
Updated•4 months ago
|
Flags: needinfo?(lsalzman)
|
||
Comment 4•4 months ago
|
||
Edgar, it would be helpful for release tracking to have Priority/Severity values assigned here.
Flags: needinfo?(echen)
|
Assignee | |
Updated•4 months ago
|
Assignee: nobody → masayuki
Blocks: 1703040
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Flags: needinfo?(echen)
OS: Unspecified → All
Hardware: Unspecified → All
|
|
Assignee | |
Comment 5•4 months ago
|
||
Even if <details> does not have a <summary>, it creates a closed shadow DOM
as a UA widget to show the triangle icon and the default summary. Chrome allows
to move select the default summary with this API, but in that case, Chrome sets
Selection.focusNode and Selection.anchorNode to undefined. Therefore,
anyway, moving selection into the default summary is not useful for web apps.
Therefore, I think that we can just avoid to move selection into any native
anonymous subtree for keeping the things simple.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/dfa36a548564 Make `nsIFrame.cpp` stop moving selection into a child frame in a native anonymous subtree r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/44786 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 10•4 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240226165659-a5c1fbe78e43.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 11•4 months ago
|
||
The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox124towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 12•4 months ago
|
||
Just ride the train unless we'd get real issues in the wild.
Flags: needinfo?(masayuki)
You need to log in
before you can comment on or make changes to this bug.
Description
•