1896225 - Assertion failure: !startRoot && !endRoot, at /builds/worker/checkouts/gecko/dom/base/CrossShadowBoundaryRange.cpp:107

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240426-462f013c08ca (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !startRoot && !endRoot, at /builds/worker/checkouts/gecko/dom/base/CrossShadowBoundaryRange.cpp:107

#0 0x77c0bf14aafc in void mozilla::dom::CrossShadowBoundaryRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsINode*) /builds/worker/checkouts/gecko/dom/base/CrossShadowBoundaryRange.cpp:107:5
#1 0x77c0bf14a9f9 in already_AddRefed<mozilla::dom::CrossShadowBoundaryRange> mozilla::dom::CrossShadowBoundaryRange::Create<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/dom/base/CrossShadowBoundaryRange.cpp:90:10
#2 0x77c0bf182465 in void nsRange::CreateOrUpdateCrossShadowBoundaryRangeIfNeeded<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3533:9
#3 0x77c0bf18213e in nsRange::CloneRange() const /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:2421:12
#4 0x77c0c2d857b2 in mozilla::AutoRangeArray::Initialize(mozilla::dom::Selection const&) /builds/worker/checkouts/gecko/editor/libeditor/AutoRangeArray.h:58:55
#5 0x77c0c2ebaf45 in mozilla::ListElementSelectionState::ListElementSelectionState(mozilla::HTMLEditor&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorState.cpp:81:20
#6 0x77c0c2e6a321 in mozilla::GetListState(mozilla::HTMLEditor*, bool*, nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1328:29
#7 0x77c0c2e6a1ab in mozilla::ListCommand::GetCurrentState(nsStaticAtom&, mozilla::HTMLEditor&, nsCommandParams&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:226:17
#8 0x77c0c2e6a4d2 in mozilla::ListCommand::ToggleState(nsStaticAtom&, mozilla::HTMLEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:243:17
#9 0x77c0c2e68aef in mozilla::StateUpdatingCommandBase::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:75:17
#10 0x77c0bf20a6af in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5507:37
#11 0x77c0c04ef9a4 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:3994:36
#12 0x77c0c07d7e47 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#13 0x77c0c4dda564 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:13
#14 0x77c0c4dd9e7d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:12
#15 0x77c0c4de9b7d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:10
#16 0x77c0c4de9b7d in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3071:16
#17 0x77c0c4dd9442 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:452:13
#18 0x77c0c4dd9e99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:606:13
#19 0x77c0c4ddb347 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:673:8
#20 0x77c0c4efc2a7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#21 0x77c0c04ce2b8 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#22 0x77c0c0e7cf99 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#23 0x77c0c0e7c067 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#24 0x77c0c0e589f5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#25 0x77c0c0e59af4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#26 0x77c0c0e59369 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#27 0x77c0c0e4caaf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#28 0x77c0c0e4caaf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#29 0x77c0c0e4c0a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#30 0x77c0c0e4e9ff in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#31 0x77c0c31120fe in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1030:7
#32 0x77c0c437fce9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6245:13
#33 0x77c0c437f161 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5637:7
#34 0x77c0c4380dc6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#35 0x77c0be5cd9d9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#36 0x77c0be5ccf52 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#37 0x77c0be5cb19b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#38 0x77c0be5cc401 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#39 0x77c0c43b7eff in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13701:23
#40 0x77c0bd7a961f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#41 0x77c0bd7aab60 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#42 0x77c0bf23858c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11737:18
#43 0x77c0bf21e636 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8161:3
#44 0x77c0bf2d8d89 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#45 0x77c0bf2d8d89 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#46 0x77c0bf2d8d89 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#47 0x77c0bf2d8d89 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#48 0x77c0bf2d8d89 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#49 0x77c0bf2d8d89 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#50 0x77c0bf2d8d89 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#51 0x77c0bd55fe07 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#52 0x77c0bd555476 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#53 0x77c0bd553c57 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#54 0x77c0bd5540d5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#55 0x77c0bd563da6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#56 0x77c0bd563da6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#57 0x77c0bd5790d2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#58 0x77c0bd58021d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#59 0x77c0be289d45 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#60 0x77c0be19fbb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#61 0x77c0be19fbb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#62 0x77c0c2c7e3f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#63 0x77c0c2d40a08 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#64 0x77c0c4b9a17b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#65 0x77c0be28ac26 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#66 0x77c0be19fbb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#67 0x77c0be19fbb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#68 0x77c0c4b999a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#69 0x62384d9f9496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#70 0x62384d9f9496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#71 0x77c0d2429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#72 0x77c0d2429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#73 0x62384d9cf1c8 in _start (/home/user/workspace/browsers/m-c-20240509094442-fuzzing-debug/firefox-bin+0x591c8) (BuildId: b78e3ca5ece73f5abd762005d6af6243a318d5bc)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240510213620-b09dd768d80e.
The bug appears to have been introduced in the following build range:

Start: fcfbb607fde2264f93b96674e69515b5414d54cc (20240415160004)
End: 4897460458d13272e6016fd9e4c184c3c41cbd74 (20240415145812)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fcfbb607fde2264f93b96674e69515b5414d54cc&tochange=4897460458d13272e6016fd9e4c184c3c41cbd74

Comment 2

[Donal Meehan [:dmeehan]]

Bug 1289609 from the pushlog in Comment 1 looks likely. Please correct if needed.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1881097

Comment 4

[Sean Feng [:sefeng][PTO, back July 1st]]

Attachment: Bug 1896225 - Add the crashtest for bug 1896225 r=jjaschke

The crash itself was about when the selection crossed the
shadow boundary first, and then got moved to the same boundary later.

This bug was fixed in bug 1891783, so we just need to add the
crashtest.

Comment 5

[Pulsebot]

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f775ae5b7daf
Add the crashtest for bug 1896225 r=jjaschke

Comment 6

[Haik Aftandilian [:haik]]

Since the assert was fixed via 1891783 and (per Sean) is Nightly-specific, marking this as disabled for 127.

Comment 7

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/f775ae5b7daf

Comment 8

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240523041055-5f3215269002.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.