Closed Bug 1949897 Opened 5 months ago Closed 8 days ago

Assertion failure: (mContent->IsText() && !mContent->IsEditable()) || (!mContent->IsHTMLElement(nsGkAtoms::br) && ..., at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:79

Categories

(Core :: DOM: Editor, defect)

RESOLVED FIXED
142 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox-esr140 --- disabled
firefox137 --- wontfix
firefox140 --- disabled
firefox141 --- disabled
firefox142 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Found while fuzzing m-c 20250124-50b5bccbceda (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: (mContent->IsText() && !mContent->IsEditable()) || (!mContent->IsHTMLElement(nsGkAtoms::br) && !HTMLEditUtils::IsBlockElement( *mContent, aScanner.BlockInlineCheckMode())), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:79

#0 0x7904a956b0a2 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7904a956b0a2 in mozilla::WSScanResult::AssertIfInvalidData(mozilla::WSRunScanner const&) const /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:75:3
#2 0x7904a958620f in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundaryFrom<nsINode*, nsIContent*>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) const /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp
#3 0x7904a94785c9 in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundary<nsINode*, nsIContent*>(mozilla::WSRunScanner::Scan, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::BlockInlineCheck, mozilla::dom::Element const*) /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.h:395:10
#4 0x7904a947f121 in mozilla::HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace(nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:7895:7
#5 0x7904a947eefa in mozilla::HTMLEditor::OnDocumentModified(nsIContent const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:12473:35
#6 0x7904a949c526 in mozilla::HTMLEditor::ContentWillBeRemoved(nsIContent*, BatchRemovalState const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5055:19
#7 0x7904a5a269e2 in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:19
#8 0x7904a5a269e2 in ForEachAncestorObserver<(lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:60:11
#9 0x7904a5a269e2 in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:94:19
#10 0x7904a5a269e2 in mozilla::dom::MutationObservers::NotifyContentWillBeRemoved(nsINode*, nsIContent*, BatchRemovalState const*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:186:3
#11 0x7904a5bd1622 in nsINode::RemoveChildNode(nsIContent*, bool, BatchRemovalState const*) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2350:5
#12 0x7904a5bd2f47 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2726:18
#13 0x7904a6010b94 in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:2316:12
#14 0x7904a6010b94 in mozilla::dom::Node_Binding::insertBefore(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:889:60
#15 0x7904a6cac49d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#16 0x7904aa413eb4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
#17 0x7904aa41370f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
#18 0x7904aa4272c2 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:662:10
#19 0x7904aa4272c2 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3271:16
#20 0x7904aa412d51 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
#21 0x7904aa413735 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
#22 0x7904aa414b5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
#23 0x7904aa4e7ceb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#24 0x7904a69b3565 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#25 0x7904a758b6f9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#26 0x7904a758a1fb in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#27 0x7904a7565221 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1362:22
#28 0x7904a7566429 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1679:12
#29 0x7904a7565c91 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1576:35
#30 0x7904a755a1ce in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
#31 0x7904a755a1ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#32 0x7904a755989c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#33 0x7904a755bf6d in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#34 0x7904a9725bae in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1030:7
#35 0x7904a9b7d7c3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6246:13
#36 0x7904a9b7cd28 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5634:7
#37 0x7904a9b7e6c2 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#38 0x7904a491a909 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1425:3
#39 0x7904a491a0c2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:961:14
#40 0x7904a4918451 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:783:9
#41 0x7904a49195b9 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#42 0x7904a9bb1ccf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13833:23
#43 0x7904a3cfddbf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:636:22
#44 0x7904a3cfef46 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#45 0x7904a592abfc in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12145:18
#46 0x7904a59115fc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8457:3
#47 0x7904a59d0195 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#48 0x7904a59d0195 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#49 0x7904a59d0195 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#50 0x7904a59d0195 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#51 0x7904a59d0195 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#52 0x7904a59d0195 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#53 0x7904a59d0195 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#54 0x7904a3acc5b7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#55 0x7904a3ac5a8e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1250:20
#56 0x7904a3ac47c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1073:15
#57 0x7904a3ac4c45 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#58 0x7904a3ad3686 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#59 0x7904a3ad3686 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#60 0x7904a3ae56e3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#61 0x7904a3aebd0f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#62 0x7904a464c2e7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#63 0x7904a45a23a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#64 0x7904a45a23a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#65 0x7904a92c0248 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#66 0x7904a93822d4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#67 0x7904aa26feab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#68 0x7904a464d194 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#69 0x7904a45a23a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#70 0x7904a45a23a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#71 0x7904aa26f2e7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#72 0x5dbf5964548e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
Attached file testcase.html

The path is a hack for a specific case until we ship the new white-space normalizer, which will be implemented in bug 1940377. So, it's not so important to fix this since it's designed for the specific situation.

Severity: -- → S4

Verified bug as reproducible on mozilla-central 20250221165821-2cf34b3c9e61.
The bug appears to have been introduced in the following build range:

Start: 6da2f152d57b1d53d526ce821330553db4947c84 (20250109093225)
End: 419c5be09fedecd0a4d27258ba0deed9b3e1e312 (20250109091445)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6da2f152d57b1d53d526ce821330553db4947c84&tochange=419c5be09fedecd0a4d27258ba0deed9b3e1e312

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Testcase crashes using the initial build (mozilla-central 20250124093526-50b5bccbceda) but not with tip (mozilla-central 20250404213723-9333e3c91a58.)

The bug appears to have been fixed in the following build range:

Start: e70c7d40b6829d29cb279d159c1f468f8f89d78a (20250319070758)
End: 1209c2a794ce1508f211b8f02bd2d5b5c60afa83 (20250319095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e70c7d40b6829d29cb279d159c1f468f8f89d78a&tochange=1209c2a794ce1508f211b8f02bd2d5b5c60afa83

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

This is just hidden by no longer using the legacy white-space normalization rules, and the testcase detects a bug in an edge case which shouldn't occur in usual apps. Therefore, I think that shipping the new white-space normalizer would actually fix this. On the other hand, I think that the testcases should be added as a crashtest after shipping it.

Flags: needinfo?(twsmith)

The bug itself has gone because the legacy white-space normalizer was
removed in bug 1951038.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:masayuki, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(masayuki)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/53842 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 8 days ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch
Flags: needinfo?(masayuki)
Regressed by: 1940278

Set release status flags based on info from the regressing bug 1940278

Upstream PR merged by moz-wptsync-bot
QA Whiteboard: [qa-triage-done-c143/b142]