Closed Bug 1935565 Opened 10 months ago Closed 1 month ago

Assertion failure: pointToPutCaret.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4905

Categories

(Core :: DOM: Editor, defect)

Tracking

RESOLVED WONTFIX
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20241204-9a8cc59e9dab (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: pointToPutCaret.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4905

#0 0x7fffed6c095c in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&)::$_1::operator()() const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4905:7
#1 0x7fffed6ad96e in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4852:7
#2 0x7fffed6b62ed in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:759:15
#3 0x7fffed6a4bbb in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3828:16
#4 0x7fffed69ee9f in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1839:47
#5 0x7fffed69dd0a in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1299:61
#6 0x7fffed5ce0ec in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4565:9
#7 0x7fffed66ebc5 in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:6023:9
#8 0x7fffed66df72 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2207:19
#9 0x7fffed6874ac in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1248:13
#10 0x7fffe9a4a46c in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5627:37
#11 0x7fffeab44179 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4169:36
#12 0x7fffeae0a48d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#13 0x7fffee60c29a in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#14 0x7fffee60ba73 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#15 0x7fffef17eede in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1701:10
#16 0x3769e4362e0e  ([anon:js-executable-memory]+0xbe0e)
Flags: in-testsuite?

Ah, if the point becomes non-editable, HTMLEditUtils::GetDeepestEditableStartPointOf returns an unset point. This does not cause a crash and happens only with the legacy mutation event listener, so this is not so urgent.

Severity: -- → S4
OS: Unspecified → All
Hardware: Unspecified → All

Verified bug as reproducible on mozilla-central 20241205213207-9dfed8478876.
The bug appears to have been introduced in the following build range:

Start: 7b85c82d731ddab976c6abe7e54685cacaebba41 (20240426225436)
End: 45defed78aafc90410c68310027bf771bcfc5968 (20240427034615)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b85c82d731ddab976c6abe7e54685cacaebba41&tochange=45defed78aafc90410c68310027bf771bcfc5968

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1877513

Set release status flags based on info from the regressing bug 1877513

Testcase crashes using the initial build (mozilla-central 20241204215713-9a8cc59e9dab) but not with tip (mozilla-central 20250412090848-ab9a67e8cbbd).

The bug appears to have been fixed in the following build range:

Start: 9d547b90a4073f5906b1220472f69fbc2fdff928 (20250305042859)
End: b00d78bcd328cf80893a4725b8664db65d8fdf10 (20250304235021)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9d547b90a4073f5906b1220472f69fbc2fdff928&tochange=b00d78bcd328cf80893a4725b8664db65d8fdf10

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon
Flags: needinfo?(twsmith)

DOMNodeRemoved is completely dropped in bug 769207. Although users can manually do the same thing by breaking at the node removal from DevTools, it's not testable within the automated tests anymore and it's just an unsupported case from the product point of view. Therefore, we don't need to take care of this bug anymore.

Status: NEW → RESOLVED
Closed: 1 month ago
Flags: in-testsuite? → in-testsuite-
Resolution: --- → WONTFIX