Open Bug 1945281 Opened 17 days ago Updated 14 days ago

Assertion failure: isNewLinePreformatted, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4554

Categories

(Core :: DOM: Editor, defect)

defect

Tracking

()

Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- wontfix
firefox136 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20241214-df965ece56c1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: isNewLinePreformatted, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4554

#0 0x7a11a0fbbafb in mozilla::HTMLEditor::EnsureNoFollowingUnnecessaryLineBreak(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4554:3
#1 0x7a11a106b2d8 in mozilla::HTMLEditor::AutoDeleteRangesHandler::DeleteUnnecessaryNodes(mozilla::HTMLEditor&, mozilla::EditorDOMRangeBase<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5653:21
#2 0x7a11a106d698 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::DeleteContentInRange(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4436:39
#3 0x7a11a106be3e in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:696:55
#4 0x7a11a105788c in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4155:16
#5 0x7a11a104ef70 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1917:47
#6 0x7a11a104e53b in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1260:61
#7 0x7a11a0f7546c in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4738:9
#8 0x7a11a0f6f3b2 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4701:8
#9 0x7a11a0f90cf8 in mozilla::DeleteCommand::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:626:29
#10 0x7a119d34cacc in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5619:37
#11 0x7a119e478ea9 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4165:36
#12 0x7a119e74346d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#13 0x33bfcf81ab98  ([anon:js-executable-memory]+0x2b98)
Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20250202210625-fc959685b9d9.
The bug appears to have been introduced in the following build range:

Start: 855890e2cd16cf21ac6f740b83aa69ab2519b1b9 (20241213012346)
End: 3a912704bc24872e037fe3102cd5483ba5105993 (20241213025822)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=855890e2cd16cf21ac6f740b83aa69ab2519b1b9&tochange=3a912704bc24872e037fe3102cd5483ba5105993

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

https://searchfox.org/mozilla-central/rev/b2693d317fbcf5ff17e438a2c2833fda0b05fdf4/editor/libeditor/HTMLEditor.cpp#4528-4530,4532-4533,4538,4554

Ah, it's just a bug of the assertion. The found unnecessary preformatted linefeed may be in different Text whose white-space is different from the scan start position. So, this does not detect a bug of HTMLEditor itself.

Severity: S3 → S4
OS: Unspecified → All
Regressed by: 1923251
Hardware: Unspecified → All
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: