1945260 - Assertion failure: mParent == mChild->GetParentNode(), at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1134

Status: NEW

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20241209-e3b3fa7a28a0 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mParent == mChild->GetParentNode(), at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1134

#0 0xea59213b in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>::ToRawRangeBoundary() const /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1134:9
#1 0xea5d701c in operator RangeBoundaryBase /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:1117:52
#2 0xea5d701c in void mozilla::EditorBase::CollapseSelectionTo<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::ErrorResult&) const /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.h:1981:38
#3 0xea69672b in CollapseSelectionTo<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.h:1962:5
#4 0xea69672b in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary(mozilla::HTMLEditor&, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3527:29
#5 0xea68d7ab in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsRange&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:621:15
#6 0xea68756b in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:2144:18
#7 0xea683103 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1829:11
#8 0xea68217d in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1299:61
#9 0xea5b23fc in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4642:9
#10 0xea5ac1e8 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4605:8
#11 0xea5cd0c3 in mozilla::DeleteCommand::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:626:29
#12 0xe696da46 in mozilla::dom::Document::AutoEditorCommandTarget::DoCommand(nsIPrincipal*) const /builds/worker/checkouts/gecko/dom/base/Document.cpp:5420:9
#13 0xe696e4d3 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5628:37
#14 0xe7a0dbed in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4169:36
#15 0xe7cacd51 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#16 0xeb602603 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#17 0xeb601ed2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#18 0xeb6032e9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:695:10
#19 0xeb603261 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700:10
#20 0xec1577dd in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1701:10
#21 0x3ad0cbe7  ([anon:js-executable-memory]+0x6be7)

Comment 1

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1945260 using build mozilla-central 20241209213901-e3b3fa7a28a0. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.