1910800 - Assertion failure: EditorUtils::IsEditableContent(*leafContent->GetParent(), EditorType::HTML), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1130

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240724-a0e3db73fd24 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: EditorUtils::IsEditableContent(*leafContent->GetParent(), EditorType::HTML), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1130

#0 0x780d5d27e864 in mozilla::HTMLEditor::MaybeCollapseSelectionAtFirstEditableNode(bool) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1129:7
#1 0x780d5d28f6e6 in mozilla::HTMLEditor::NotifyRootChanged() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:7076:8
#2 0x780d57aeb746 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#3 0x780d57aeb746 in __invoke_impl<nsresult, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#4 0x780d57aeb746 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#5 0x780d57aeb746 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#6 0x780d57aeb746 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#7 0x780d57aeb746 in apply<nsIThread, nsresult (nsIThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#8 0x780d57aeb746 in mozilla::detail::RunnableMethodImpl<nsUpdateProcessor*, void (nsUpdateProcessor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#9 0x780d5997cd75 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6258:17
#10 0x780d59bd7bd5 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8115:3
#11 0x780d59c484bf in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
#12 0x780d59c484bf in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:2008:1
#13 0x780d5ac2653d in mozilla::dom::Element_Binding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:4506:24
#14 0x780d5ae42efc in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3216:8
#15 0x780d5e1c9ad4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:491:13
#16 0x780d5e1c92bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:12
#17 0x780d5e1ca8bf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
#18 0x780d5e1cbb54 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:815:10
#19 0x780d5e41e3fa in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2667:8
#20 0x780d5e41d30d in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2701:14
#21 0x780d5ec75a4f in js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1484:10

Comment 1

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Oh, another pattern of bug 1908239...

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240730164742-c756f74154bf.
The bug appears to have been introduced in the following build range:

Start: ae67a0e098b4518b9760482c91ef32871a0153d7 (20240712095045)
End: 336d18e0fd55f78b598e776eea6a6de597f0392a (20240712090038)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ae67a0e098b4518b9760482c91ef32871a0153d7&tochange=336d18e0fd55f78b598e776eea6a6de597f0392a

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1798379

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1798379

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1910800 - Make `HTMLEditor::ComputeEditingHostInternal()` stop referring `mIsInDesignMode` and refer focused element in the window r=m_kato!,#dom-core

The method may be called without focus. Therefore, it shouldn't refer
mIsInDesignMode and it should refer focused element in the window (including
shadows) if there is no selection ranges.

Comment 6

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/e837df1a96c6
Make `HTMLEditor::ComputeEditingHostInternal()` stop referring `mIsInDesignMode` and refer focused element in the window r=m_kato

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/47580 for changes under testing/web-platform/tests

Comment 8

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/e837df1a96c6

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox130 to wontfix.

For more information, please visit BugBot documentation.

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240813093307-6a2726e60f57.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 13

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

It touches traditional code. Therefore, it's risky to uplift.