Closed
Bug 1922149
Opened 4 months ago
Closed 4 months ago
Assertion failure: editingHost == selectionContainerElement->GetEditingHost(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLAnonymousNodeEditor.cpp:383
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
133 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox131 | --- | unaffected |
| firefox132 | --- | unaffected |
| firefox133 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20241001-0546d4eb6429 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: editingHost == selectionContainerElement->GetEditingHost(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLAnonymousNodeEditor.cpp:383
#0 0x72e9e4cf9f8f in mozilla::HTMLEditor::RefreshEditingUI() /builds/worker/checkouts/gecko/editor/libeditor/HTMLAnonymousNodeEditor.cpp:383:3
#1 0x72e9e4d63537 in mozilla::HTMLEditor::NotifySelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short, int) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:653:32
#2 0x72e9e150a995 in mozilla::dom::Selection::NotifySelectionListeners() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3916:30
#3 0x72e9e51139bc in NotifySelectionListeners /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:2080:16
#4 0x72e9e51139bc in nsFrameSelection::EndBatchChanges(char const*, short) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:2066:17
#5 0x72e9e1510c11 in EndBatchChanges /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3930:21
#6 0x72e9e1510c11 in ~SelectionBatcher /builds/worker/checkouts/gecko/dom/base/Selection.h:1200:19
#7 0x72e9e1510c11 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4312:1
#8 0x72e9e151060a in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3381:3
#9 0x72e9e4d78101 in mozilla::HTMLEditor::SelectAllInternal() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4914:18
#10 0x72e9e4cc8ddb in mozilla::EditorBase::SelectAll() /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:1277:17
#11 0x72e9e4ce6231 in mozilla::SelectAllCommand::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:662:29
#12 0x72e9e1375ab5 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5600:37
#13 0x72e9e2391a03 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4160:36
#14 0x72e9e2615537 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#15 0x72e9e5cd7ea4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:528:13
#16 0x72e9e5cd768f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:624:12
#17 0x72e9e5ce6e59 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:696:10
#18 0x72e9e5ce6e59 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3521:16
#19 0x72e9e5cd6cbf in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:498:13
#20 0x72e9e5cd7788 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:13
#21 0x72e9e5cd8c8f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:723:8
#22 0x72e9e5ddb0b7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#23 0x72e9e2373478 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#24 0x72e9e2ed11b9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#25 0x72e9e2ed029e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#26 0x72e9e2ea9e8d in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1345:22
#27 0x72e9e2eaaf94 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1662:12
#28 0x72e9e2eaa809 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1559:35
#29 0x72e9e2e9e7bf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#30 0x72e9e2e9de31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#31 0x72e9e2ea071f in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#32 0x72e9e4ff3a26 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1032:7
#33 0x72e9e5455495 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6229:13
#34 0x72e9e5454801 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5623:7
#35 0x72e9e5456536 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#36 0x72e9e03928b9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1355:3
#37 0x72e9e0391fa2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:961:14
#38 0x72e9e039027c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:783:9
#39 0x72e9e0391494 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#40 0x72e9e548d3df in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13759:23
#41 0x72e9df74f4cf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:642:22
#42 0x72e9df7507ee in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#43 0x72e9e13a5adc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12041:18
#44 0x72e9e138b8c9 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8429:3
#45 0x72e9e1449009 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#46 0x72e9e1449009 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#47 0x72e9e1449009 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#48 0x72e9e1449009 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#49 0x72e9e1449009 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#50 0x72e9e1449009 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#51 0x72e9e1449009 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#52 0x72e9df522cd7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#53 0x72e9df518766 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#54 0x72e9df517177 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#55 0x72e9df5175f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#56 0x72e9df526646 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#57 0x72e9df526646 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#58 0x72e9df539d6b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#59 0x72e9df540a4f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#60 0x72e9e00af6e5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#61 0x72e9e0002ac1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#62 0x72e9e0002ac1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#63 0x72e9e4bb5248 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#64 0x72e9e4c62848 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#65 0x72e9e5b2b80b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#66 0x72e9e00b0536 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#67 0x72e9e0002ac1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#68 0x72e9e0002ac1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#69 0x72e9e5b2b09b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#70 0x63ae4ffa308e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
Flags: in-testsuite?
|
Assignee | |
Comment 1•4 months ago
|
||
Ah, the assertion is just wrong. The condition should be true only when editingHost is not nullptr.
Assignee: nobody → masayuki
Severity: -- → S4
Status: NEW → ASSIGNED
Keywords: regression
OS: Unspecified → All
Regressed by: 1920647
Hardware: Unspecified → All
|
|
Assignee | |
Comment 2•4 months ago
|
||
Oh, but in this case, editingHost is not nullptr. So, it seems that the test case and the new assertion detect a hidden bug.
Severity: S4 → S3
|
|
Assignee | |
Comment 3•4 months ago
|
||
When hits the assertion failure, editingHost is the <figcaption contenteditable>. However, selectionContainerElement is the <body> and its editing host is of course nullptr and there is no focused element. So, editingHost should be nullptr in this case...
|
||
Comment 4•4 months ago
|
||
Set release status flags based on info from the regressing bug 1920647
status-firefox131:
--- → unaffected
status-firefox132:
--- → unaffected
status-firefox-esr128:
--- → unaffected
|
|
Assignee | |
Comment 5•4 months ago
|
||
Selection ranges can cross editing host boundaries if no editing host has focus.
Therefore, Selection.focusNode may be in an editing host but there may be
no active/focused editing host.
The computation may be expensive if there are a lot of ranges and selecting
in slotted shadow tree. However, it's rare case, so, I think it's okay for
now.
|
||
Comment 6•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20241001155138-0546d4eb6429.
The bug appears to have been introduced in the following build range:
Start: 1959c4c1d8a2e96c728dd2779dda5b7470be4797 (20241001034947)
End: c7e0882717cc1e842ffb0adb3745c95c021093bb (20241001055903)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1959c4c1d8a2e96c728dd2779dda5b7470be4797&tochange=c7e0882717cc1e842ffb0adb3745c95c021093bb
Whiteboard: [bugmon:bisected,confirmed]
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/356daac9fcd1
Make `HTMLEditor::ComputeEditingHostInternal` use common ancestor of all selection ranges r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48510 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 9•4 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 11•4 months ago
|
||
Verified bug as fixed on rev mozilla-central 20241008042228-b48e31d47d1f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•