Open Bug 1926735 Opened 9 months ago Updated 9 months ago

Assertion failure: aPoint.GetContainer()->IsInclusiveFlatTreeDescendantOf(&aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2362

Categories

(Core :: DOM: Editor, defect)

Tracking


Tracking Status
firefox-esr128 --- unaffected
firefox131 --- unaffected
firefox132 --- wontfix
firefox133 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete) —

Found while fuzzing m-c 20241017-d9805f1059e4 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aPoint.GetContainer()->IsInclusiveFlatTreeDescendantOf(&aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2362

#0 0x74000233a187 in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> mozilla::HTMLEditUtils::GetBetterCaretPositionToInsertText<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2361:3
#1 0x74000234d78b in mozilla::HTMLEditor::AutoInlineStyleSetter::GetEmptyTextNodeToApplyNewStyle(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:583:7
#2 0x740002393fe0 in nsresult mozilla::HTMLEditor::SetInlinePropertiesAroundRanges<1ul>(mozilla::AutoRangeArray&, AutoTArray<mozilla::EditorInlineStyleAndValue, 1ul> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:394:13
#3 0x740002272411 in mozilla::HTMLEditor::CreateStyleForInsertText(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6959:7
#4 0x74000226f8c9 in mozilla::HTMLEditor::HandleInsertText(mozilla::EditSubAction, nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1183:7
#5 0x74000223237b in mozilla::EditorBase::InsertTextAsSubAction(nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6376:7
#6 0x740002245637 in mozilla::EditorBase::InsertTextAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6339:8
#7 0x740002249f77 in mozilla::InsertPlaintextCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:859:19
#8 0x73fffe77da4d in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5635:27
#9 0x73ffff85e69b in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4160:36
#10 0x73ffffb0cad7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3266:13
#11 0x740003249b04 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:528:13
#12 0x7400032492ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:624:12
#13 0x740003d130e6 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1677:10
#14 0x19eab4f49d5e  ([anon:js-executable-memory]+0xbd5e)
Flags: in-testsuite?
Summary: aPoint.GetContainer()->IsInclusiveFlatTreeDescendantOf(&aEditingHost) → Assertion failure: aPoint.GetContainer()->IsInclusiveFlatTreeDescendantOf(&aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2362

Got a crash from the testcase on the latest Nightly: https://crash-stats.mozilla.org/report/index/040c6181-8d87-45a3-a3dd-00dfa0241024 , which shows a crash in gfx. The crash should have been around the editor module.

Crash Signature: [@ mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTargetForFilter ]
Keywords: crash
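The discrepancy noted in the comment above (editor frames in the comment 0 stack, a gfx crash signature on crash-stats) is the kind of thing a small triage parser can catch mechanically before a needinfo goes out. The following is an added example written for this page, not code from the bug, from Grizzly or from bugmon; it assumes the frame format quoted in comment 0 ("#N 0xADDR in FUNC PATH:LINE:COL", plus the unsymbolized JIT frame) and the two build-root prefixes seen in those paths, and its sample input is a constructed subset of the frames from comment 0.

```python
"""Parse a debug-build stack trace, attribute frames to source modules and
compare the symbolized top frame against a crash-stats signature.
Added example for this page; not part of the bug, Grizzly or bugmon."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Frame shapes assumed from comment 0: symbolized and unsymbolized (JIT) frames.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.*?)\s+"
    r"(?P<path>/\S+?):(?P<line>\d+)(?::(?P<col>\d+))?\s*$"
)
UNSYMBOLIZED_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+\((?P<where>[^)]*)\)\s*$")

# Build roots assumed from the paths on the page; other paths are kept verbatim.
SOURCE_ROOTS = ("/builds/worker/checkouts/gecko/", "/builds/worker/workspace/obj-build/")


@dataclass
class Frame:
    index: int
    func: Optional[str]   # None for an unsymbolized frame
    path: Optional[str]
    line: Optional[int]


def parse_stack(text: str) -> List[Frame]:
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["path"], int(m["line"])))
            continue
        m = UNSYMBOLIZED_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]), None, None, None))
    return frames


def module_of(path: str) -> str:
    """First two directory components below the build root, e.g. 'editor/libeditor'."""
    for root in SOURCE_ROOTS:
        if path.startswith(root):
            path = path[len(root):]
            break
    dirs = [p for p in path.split("/")[:-1] if p not in ("", ".")]
    return "/".join(dirs[:2])


def qualified_name(func: str) -> str:
    """Drop parameter list, template arguments and return type from a demangled frame."""
    head = func.split("(", 1)[0]
    out, depth = [], 0
    for ch in head:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out).split()[-1]


def namespace_of(name: str, depth: int = 2) -> str:
    parts = name.split("::")
    return "::".join(parts[:depth]) if len(parts) > depth else "::".join(parts[:-1])


def top_module(frames: List[Frame], depth: int = 5) -> str:
    """Most common module among the first `depth` symbolized frames."""
    counts = Counter(module_of(f.path) for f in frames[:depth] if f.path)
    return counts.most_common(1)[0][0] if counts else ""


def stack_signature(frames: List[Frame]) -> str:
    """crash-stats style '[@ name ]' built from the top symbolized frame."""
    for f in frames:
        if f.func:
            return f"[@ {qualified_name(f.func)} ]"
    return "[@ <unsymbolized> ]"


def parse_signature(sig: str) -> str:
    sig = sig.strip()
    if sig.startswith("[@"):
        sig = sig[2:]
    if sig.endswith("]"):
        sig = sig[:-1]
    return sig.strip()


def signature_matches_stack(frames: List[Frame], crash_signature: str) -> bool:
    """True when the signature and the stack's top frame share a namespace (depth 2)."""
    top = parse_signature(stack_signature(frames))
    return namespace_of(top) == namespace_of(parse_signature(crash_signature))


# Constructed sample: a subset of the frames quoted in comment 0 (0, 1, 3, 7, 8, 14).
SAMPLE_STACK = """\
#0 0x74000233a187 in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> mozilla::HTMLEditUtils::GetBetterCaretPositionToInsertText<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2361:3
#1 0x74000234d78b in mozilla::HTMLEditor::AutoInlineStyleSetter::GetEmptyTextNodeToApplyNewStyle(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:583:7
#3 0x740002272411 in mozilla::HTMLEditor::CreateStyleForInsertText(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6959:7
#7 0x740002249f77 in mozilla::InsertPlaintextCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:859:19
#8 0x73fffe77da4d in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5635:27
#14 0x19eab4f49d5e  ([anon:js-executable-memory]+0xbd5e)
"""
PAGE_SIGNATURE = "[@ mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTargetForFilter ]"

if __name__ == "__main__":
    fr = parse_stack(SAMPLE_STACK)
    print(top_module(fr), stack_signature(fr), signature_matches_stack(fr, PAGE_SIGNATURE))
```

Run against the sample, `top_module` reports `editor/libeditor` and `signature_matches_stack` returns False for the gfx signature, which is exactly the mismatch that prompted the "wrong test-case?" question further down; a signature from the same `mozilla::HTMLEditUtils` namespace would return True.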

Bisection:
Bug 1918838 - Make CSS zoom apply to themed widgets properly. r=dshin

Differential Revision: https://phabricator.services.mozilla.com/D222320

Component: DOM: Editor → CSS Parsing and Computation
Flags: needinfo?(emilio)
Keywords: regression
Regressed by: 1918838

Set release status flags based on info from the regressing bug 1918838

The stack in comment 0 can't match the test-case, does it? Wrong test-case?

Flags: needinfo?(emilio) → needinfo?(twsmith)

Yeah, it should contain document.execCommand("insertText", false, "something").

Verified bug as reproducible on mozilla-central 20241024041107-6d1c1782e6ff.
The bug appears to have been introduced in the following build range:
> Start: 6503e8e0e009fa3fb9e91d2d1b10b7c454e284cc (20240919090626)
> End: 474e1a3ab5f0aa8772343cf7188b246acc3e64bd (20240919110414)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?~fromchange=6503e8e0e009fa3fb9e91d2d1b10b7c454e284cc&tochange=474e1a3ab5f0aa8772343cf7188b246acc3e64bd

Whiteboard: [bugmon:bisected,confirmed]
Attached file testcase.html

Sorry about that.

Attachment #9432994 - Attachment is obsolete: true
Flags: needinfo?(twsmith)
Crash Signature: [@ mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTargetForFilter ]
Whiteboard: [bugmon:bisected,confirmed]
Component: CSS Parsing and Computation → DOM: Editor
No longer regressed by: 1918838

Verified bug as reproducible on mozilla-central 20241024094434-7936ca01a900.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 99f1297a102b4c1fc2156cbc8b49be4856cce481 (20231026091345)
End: d9805f1059e476496c4c050099543e7e310bfd95 (20241017205015)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S3