1897248 - Assertion failure: aNode1 != aNode2, at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:2974

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240416-7e8c4adc46e1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aNode1 != aNode2, at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:2974

#0 0x79002b7e5b25 in GetCommonAncestorInternal<nsIContent, (lambda at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:3037:29)> /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:2974:3
#1 0x79002b7e5b25 in nsContentUtils::GetCommonFlattenedTreeAncestorForSelection(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:3036:10
#2 0x79002b9167c2 in mozilla::dom::AbstractRange::RegisterSelection(mozilla::dom::Selection&) /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:400:31
#3 0x79002bbd5100 in mozilla::dom::Selection::StyledRanges::MaybeAddRangeAndTruncateOverlaps(nsRange*, mozilla::Maybe<unsigned long>*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1213:13
#4 0x79002bbde732 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListenersInternal(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2378:14
#5 0x79002bbe4137 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4178:3
#6 0x79002bbe9d12 in mozilla::dom::Selection::SetBaseAndExtentInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp
#7 0x79002bbe9632 in SetBaseAndExtent /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4041:3
#8 0x79002bbe9632 in mozilla::dom::Selection::SetBaseAndExtent(nsINode&, unsigned int, nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4028:3
#9 0x79002bbe9300 in mozilla::dom::Selection::SetBaseAndExtentJS(nsINode&, unsigned int, nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4011:3
#10 0x79002c5f2a11 in mozilla::dom::Selection_Binding::setBaseAndExtent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:981:24
#11 0x79002cff7dc7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#12 0x79003162c424 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:13
#13 0x79003162bd3d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:12
#14 0x79003163ba3d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:10
#15 0x79003163ba3d in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3071:16
#16 0x79003162b302 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:452:13
#17 0x79003162bd59 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:606:13
#18 0x79003162d207 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:673:8
#19 0x79003174e6c7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#20 0x79002ccfb478 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#21 0x79002d69a9d9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#22 0x79002d699a52 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#23 0x79002d6763d5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1313:22
#24 0x79002d6774d4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12
#25 0x79002d676d49 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35
#26 0x79002d66a48f in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#27 0x79002d66a48f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#28 0x79002d669a81 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#29 0x79002d66c3df in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#30 0x79002f92e801 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1030:7
#31 0x790030bd1019 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6245:13
#32 0x790030bd0491 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5637:7
#33 0x790030bd20f6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#34 0x79002ae0f249 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#35 0x79002ae0e7c2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#36 0x79002ae0ca0b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#37 0x79002ae0dc71 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#38 0x790030c0922f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13701:23
#39 0x790029feae6f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#40 0x790029fec3b0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#41 0x79002ba7a5fc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11737:18
#42 0x79002ba606c6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8161:3
#43 0x79002bb1a939 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#44 0x79002bb1a939 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#45 0x79002bb1a939 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#46 0x79002bb1a939 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#47 0x79002bb1a939 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#48 0x79002bb1a939 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#49 0x79002bb1a939 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#50 0x790029da1a27 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#51 0x790029d97096 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#52 0x790029d95877 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#53 0x790029d95cf5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#54 0x790029da59c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#55 0x790029da59c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#56 0x790029dbacf2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#57 0x790029dc1e3d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#58 0x79002aacb235 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#59 0x79002a9e10a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#60 0x79002a9e10a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#61 0x79002f498868 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#62 0x79002f55a628 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#63 0x7900313ec03b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#64 0x79002aacc116 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#65 0x79002a9e10a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#66 0x79002a9e10a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#67 0x7900313eb862 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#68 0x619554297496 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#69 0x619554297496 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#70 0x79003ec29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#71 0x79003ec29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#72 0x61955426d1c8 in _start (/home/user/workspace/browsers/m-c-20240515032356-fuzzing-debug/firefox-bin+0x591c8) (BuildId: cd63beb80afcf153b4d505f337606914124f9b4d)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240516214828-0bf6bf2b8921.
The bug appears to have been introduced in the following build range:

Start: dc457f8b9d19e0f363bc114d41ab1d92ec09b71e (20240403225208)
End: 1d9c4672f9f5ee5ec7faa0fdfcf2aa0f740da476 (20240404034404)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dc457f8b9d19e0f363bc114d41ab1d92ec09b71e&tochange=1d9c4672f9f5ee5ec7faa0fdfcf2aa0f740da476

Comment 2

[Sean Feng [:sefeng]]

Jason, I clicked the regression range and it looks empty?

Comment 3

[Takanori MATSUURA]

Bugmon should use mozilla-unified or integration/autoland repositories instead of mozilla-central.

https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dc457f8b9d19e0f363bc114d41ab1d92ec09b71e&tochange=1d9c4672f9f5ee5ec7faa0fdfcf2aa0f740da476
https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=dc457f8b9d19e0f363bc114d41ab1d92ec09b71e&tochange=1d9c4672f9f5ee5ec7faa0fdfcf2aa0f740da476

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1887963

Comment 5

[Liz Henry (:lizzard) (relman/hg->git project)]

sefeng, can you take another look since you are the author of the regressing patch? thanks!

Comment 6

[Sean Feng [:sefeng]]

Attachment: Bug 1897248 - Make GetCommonFlattenedTreeAncestorForSelection stop crashing when two contents are equal

Comment 7

[Donal Meehan [:dmeehan]]

:sefeng is there any user impact on this? Wondering if this will need an uplift or can ride the train?

Comment 8

[Sean Feng [:sefeng]]

So far this GetCommonFlattenedTreeAncestorForSelection method is only used in ShadowDOM selection, only nightly users are impacted. So we don't need an uplift.

Comment 9

[Pulsebot]

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/44da8b3b5fd1
Make GetCommonFlattenedTreeAncestorForSelection stop crashing when two contents are equal r=jjaschke

Comment 10

[Aron Cseh]

https://hg.mozilla.org/mozilla-central/rev/44da8b3b5fd1

Comment 11

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240521213834-d70074e160c5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.