Closed Bug 1890899 Opened 1 year ago Closed 10 months ago

Assertion failure: mClosestCommonInclusiveAncestor && startContainer && endContainer, at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1137

Categories

(Core :: DOM: Selection, defect)

Tracking

VERIFIED FIXED
128 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 --- disabled
firefox127 --- disabled
firefox128 --- verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20240408-1b56c653a5ee (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mClosestCommonInclusiveAncestor && startContainer && endContainer, at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1137

#0 0x7aff200e56ac in mozilla::ContentSubtreeIterator::InitWithRange() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1137:3
#1 0x7aff200e5c5a in mozilla::ContentSubtreeIterator::InitWithAllowCrossShadowBoundary(mozilla::dom::AbstractRange*) /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:999:10
#2 0x7aff20366a65 in mozilla::dom::Selection::SelectFrames(nsPresContext*, mozilla::dom::AbstractRange&, bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1860:15
#3 0x7aff2036a8f0 in mozilla::dom::Selection::Repaint(nsPresContext*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2021:9
#4 0x7aff2405e6c6 in operator() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1565:14
#5 0x7aff2405e6c6 in mozilla::detail::RunnableFunction<RepaintNormalSelectionWhenSafe(nsFrameSelection&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#6 0x7aff1ff8d98e in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6164:17
#7 0x7aff201ec115 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7984:3
#8 0x7aff204a7149 in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
#9 0x7aff204a7149 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2931:1
#10 0x7aff2025c344 in ReplaceChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2196:12
#11 0x7aff2025c344 in mozilla::dom::Element::SetOuterHTML(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:3982:13
#12 0x7aff2151a99b in mozilla::dom::Element_Binding::set_outerHTML(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:4452:24
#13 0x7aff217a241c in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3217:8
#14 0x7aff25d60084 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#15 0x7aff25d5f99d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#16 0x7aff25d60e77 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#17 0x7aff25d62114 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:803:10
#18 0x7aff260119b6 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2667:8
#19 0x7aff260108cd in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2701:14
#20 0x7aff25d6d3e4 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1593:10
#21 0x7aff25d6d3e4 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2806:12
#22 0x7aff25d5ef62 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#23 0x7aff25d5f9b9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#24 0x7aff25d60e77 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#25 0x7aff25e80697 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#26 0x7aff2149b758 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#27 0x7aff21e46e79 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#28 0x7aff21e45f47 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#29 0x7aff21e228e5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#30 0x7aff21e239e4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#31 0x7aff21e23259 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#32 0x7aff21e1699f in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#33 0x7aff21e1699f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#34 0x7aff21e15f91 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#35 0x7aff21e188ef in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#36 0x7aff240aa6be in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1030:7
#37 0x7aff25307ed9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6267:13
#38 0x7aff25307351 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5659:7
#39 0x7aff25308fb6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#40 0x7aff1f5a0e89 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#41 0x7aff1f5a0402 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#42 0x7aff1f59e64b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#43 0x7aff1f59f8b1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#44 0x7aff253400ef in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13723:23
#45 0x7aff1e77415f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#46 0x7aff1e7756a0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#47 0x7aff20206cfc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11731:18
#48 0x7aff201ecda6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8157:3
#49 0x7aff202a7e49 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#50 0x7aff202a7e49 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#51 0x7aff202a7e49 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#52 0x7aff202a7e49 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#53 0x7aff202a7e49 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#54 0x7aff202a7e49 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#55 0x7aff202a7e49 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#56 0x7aff1e52cf57 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#57 0x7aff1e5225c6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#58 0x7aff1e520da7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#59 0x7aff1e521225 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#60 0x7aff1e530ef6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#61 0x7aff1e530ef6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#62 0x7aff1e546222 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#63 0x7aff1e54d36d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#64 0x7aff1f254785 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#65 0x7aff1f16a6e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#66 0x7aff1f16a6e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#67 0x7aff23c1c6e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#68 0x7aff23ce0398 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#69 0x7aff25b2134b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#70 0x7aff1f255666 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#71 0x7aff1f16a6e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#72 0x7aff1f16a6e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#73 0x7aff25b20b72 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#74 0x5c8bc1c165c6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#75 0x5c8bc1c165c6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#76 0x7aff34229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#77 0x7aff34229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#78 0x5c8bc1bec2f8 in _start (/home/user/workspace/browsers/m-c-20240410204322-fuzzing-debug/firefox-bin+0x592f8) (BuildId: cf00ac6c926690e72bea040e79530f7cf84757fc)
Flags: in-testsuite?
Crash Signature: [@ mozilla::ContentSubtreeIterator::DetermineFirstContent ]
Keywords: crash
See Also: → 1703040

Hi Sean,
this crash looks like it's related to your shadow DOM selection work?

Flags: needinfo?(sefeng)

Verified bug as reproducible on mozilla-central 20240411042626-008989a6a743.
The bug appears to have been introduced in the following build range:

Start: 5969005dae85cc8ac486b2f0bdbb7454b660f252 (20240325134037)
End: 19dcff1ee3fcbb431110e0639c80a3ba51ee0a34 (20240325140555)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5969005dae85cc8ac486b2f0bdbb7454b660f252&tochange=19dcff1ee3fcbb431110e0639c80a3ba51ee0a34

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Set release status flags based on info from the regressing bug 1867058

Could this be triaged for severity?
Fx126 is now in beta, wondering if a fix will be prioritized before the end of beta?

Flags: needinfo?(masayuki)

I guess that this is reproducible only in the Nightly channel because there is no crash report from the beta channel and dom.shadowdom.selection_across_boundary.enabled is enabled only in the Nightly channel. So I think S3 is reasonable for this bug, but it needs to be considered by sefeng.

Flags: needinfo?(masayuki)
Severity: -- → S3

So that when a node is removed and this node is related to the start or
the end point of the CrossShadowBoundaryRange, we can clear this
CrossShadowBoundaryRange. We clear it for now because we aren't sure
about what the new points should be.

nsRange does a similar thing to mRoot, and we can't rely on nsRange to
observe mRoot because mRoot could be the root of a collapsed range, so
it's not the root of CrossShadowBoundaryRange.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)
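The approach in the commit message above, as an added example written for this page and not Gecko's code: a constructed C++ model (the Node, Tree and RemovalObserver types and the function names are assumptions) in which a range holding raw pointers to its start and end containers clears itself when either endpoint, or an ancestor of it, is removed. Without the observer the range keeps a detached endpoint and the closest common inclusive ancestor becomes null while both endpoints are still set, which is the state the assertion at the top of this bug catches.

```cpp
#include <algorithm>
#include <vector>
// Constructed model, not Gecko code: a node with parent pointer and ordered children.
struct Node {
  Node* mParent = nullptr;
  std::vector<Node*> mChildren;
};
// Stand-in for the mutation-observer hook the fix uses (interface name assumed).
struct RemovalObserver {
  virtual ~RemovalObserver() = default;
  virtual void ContentRemoved(Node* aRemoved) = 0;
};
// Detaches a node and then notifies observers, as the DOM does on removal.
struct Tree {
  std::vector<RemovalObserver*> mObservers;
  void Remove(Node* aNode) {
    auto& sib = aNode->mParent->mChildren;
    sib.erase(std::find(sib.begin(), sib.end(), aNode));
    aNode->mParent = nullptr;
    for (RemovalObserver* o : mObservers) o->ContentRemoved(aNode);
  }
};
static bool IsInclusiveAncestor(const Node* aAncestor, const Node* aNode) {
  for (; aNode; aNode = aNode->mParent) if (aNode == aAncestor) return true;
  return false;
}
// Model of CrossShadowBoundaryRange: raw endpoint pointers that, with the fix,
// are cleared whenever a removed node is an endpoint or an ancestor of one.
struct CrossShadowBoundaryRange : RemovalObserver {
  Node* mStart = nullptr; Node* mEnd = nullptr;
  void ContentRemoved(Node* aRemoved) override {
    if (IsInclusiveAncestor(aRemoved, mStart) || IsInclusiveAncestor(aRemoved, mEnd)) {
      mStart = mEnd = nullptr;  // the new endpoints are unknown, so drop the range
    }
  }
  // Null once an endpoint is detached: the state the Gecko assertion catches.
  Node* ClosestCommonInclusiveAncestor() const {
    for (Node* a = mStart; a; a = a->mParent) if (IsInclusiveAncestor(a, mEnd)) return a;
    return nullptr;
  }
  bool IsPositioned() const { return mStart && mEnd; }
};
// Builds root -> host -> inner, positions the range root..inner, removes host (as
// replacing it via outerHTML would) and reports whether the range stays consistent.
bool RangeConsistentAfterRemoval(bool aObserveRemovals) {
  Node root, host, inner;
  root.mChildren = {&host}; host.mParent = &root;
  host.mChildren = {&inner}; inner.mParent = &host;
  Tree tree; CrossShadowBoundaryRange range;
  range.mStart = &root; range.mEnd = &inner;
  if (aObserveRemovals) tree.mObservers.push_back(&range);
  tree.Remove(&host);
  return !range.IsPositioned() || range.ClosestCommonInclusiveAncestor() != nullptr;
}
```

With `aObserveRemovals` false the range survives with a detached end container and no common ancestor; with it true the range is cleared before anyone can iterate it.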

There is a spike in these crashes in Nightly 128, with 56 crashes in 34 installs in the last week.

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

:sefeng, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)
Keywords: topcrash
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/96c453489a51 Make CrossShadowBoundaryRange a mutation observer to observe DOM nodes removal r=jjaschke,dom-core

Backed out for causing crashtests in dom/base/crashtests/1890899.html.

Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9efed96f1bf9 Make CrossShadowBoundaryRange a mutation observer to observe DOM nodes removal r=jjaschke,dom-core
Flags: needinfo?(sefeng)
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch

Verified bug as fixed on rev mozilla-central 20240529214854-fd0f25542804.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon