Closed
Bug 1955146
Opened 1 month ago
Closed 29 days ago
crash near null in [@ mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement]
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
138 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox136 | --- | unaffected |
| firefox137 | --- | unaffected |
| firefox138 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing 20250319-86fa024dcccb (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
#0 0x7b75da518d02 in CharAt /builds/worker/checkouts/gecko/dom/base/nsTextFragment.h:214:54
#1 0x7b75da518d02 in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>::Char() const /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:436:53
#2 0x7b75da715497 in IsCharASCIISpaceOrNBSP /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:443:19
#3 0x7b75da715497 in operator() /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:606:44
#4 0x7b75da715497 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsIContent&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:597:29
#5 0x7b75da602484 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:6892:9
#6 0x7b75da5faef3 in operator() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5632:16
#7 0x7b75da5faef3 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5596:7
#8 0x7b75da60a8f9 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:770:15
#9 0x7b75da5eacff in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4430:16
#10 0x7b75da5ddacb in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:2024:47
#11 0x7b75da5dbe0f in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1326:61
#12 0x7b75da487bd4 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4769:9
#13 0x7b75da591fbb in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:6441:9
#14 0x7b75da591141 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2216:19
#15 0x7b75da5bab33 in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1260:13
#16 0x7b75d3a40250 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5660:37
#17 0x7b75d53925df in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4164:36
#18 0x7b75d580645f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#19 0x7b75dc3af677 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
#20 0x7b75dc3af677 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:12
#21 0x7b75dc3ce699 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:10
#22 0x7b75dc3ce699 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:661:10
#23 0x7b75dc3ce699 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3265:16
#24 0x7b75dc3ae478 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:10
#25 0x7b75dc3ae478 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
#26 0x7b75dc3af7ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:621:13
#27 0x7b75dc3b14d1 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:10
#28 0x7b75dc3b14d1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:688:8
#29 0x7b75dc4e71fa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#30 0x7b75d5361b92 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#31 0x7b75d66b6a26 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#32 0x7b75d66b543e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#33 0x7b75d666cb60 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1355:22
#34 0x7b75d666ebaa in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1672:12
#35 0x7b75d666db27 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1569:35
#36 0x7b75d6656809 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#37 0x7b75d6656809 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#38 0x7b75d6654348 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#39 0x7b75d665adfe in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1220:11
#40 0x7b75daa6da3f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1031:7
#41 0x7b75db33f5bb in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6250:13
#42 0x7b75db33e50c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5637:7
#43 0x7b75db3409c2 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#44 0x7b75d1794cb5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1425:3
#45 0x7b75d1793aa5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:961:14
#46 0x7b75d1790632 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:783:9
#47 0x7b75d1792db0 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:666:5
#48 0x7b75db3885a4 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13863:23
#49 0x7b75d0023a54 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:636:22
#50 0x7b75d0025e53 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#51 0x7b75d3a32852 in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:12154:18
#52 0x7b75d3a32852 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:12092:9
#53 0x7b75d3a6277c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8466:3
#54 0x7b75d3b8487f in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#55 0x7b75d3b8487f in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#56 0x7b75d3b8487f in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#57 0x7b75d3b8487f in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#58 0x7b75d3b8487f in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#59 0x7b75d3b8487f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#60 0x7b75d3b8487f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#61 0x7b75cfcc811a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#62 0x7b75cfcb6508 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
#63 0x7b75cfcbd5bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1252:20
#64 0x7b75cfcbb0f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1075:15
#65 0x7b75cfcbb716 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#66 0x7b75cfcd7771 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#67 0x7b75cfcd7771 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#68 0x7b75cfcf80cb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#69 0x7b75cfd02a48 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#70 0x7b75d12bba4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#71 0x7b75d11a3e74 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#72 0x7b75d11a3e74 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#73 0x7b75d11a3e74 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#74 0x7b75da1e4806 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#75 0x7b75da3b5dbb in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:539:33
#76 0x7b75dc0fd46d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#77 0x7b75d11a3e74 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#78 0x7b75d11a3e74 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#79 0x7b75d11a3e74 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#80 0x7b75dc0fba8e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#81 0x626a28bf8121 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
|
Assignee | |
Updated•1 month ago
|
Assignee: nobody → masayuki
Blocks: better-white-space-normalizer
Status: NEW → ASSIGNED
Keywords: regression
Regressed by: 1938528
|
|
Assignee | |
Updated•1 month ago
|
|
|
Assignee | |
Updated•1 month ago
|
Severity: -- → S2
OS: Unspecified → All
Hardware: Unspecified → All
|
||
Comment 1•1 month ago
|
||
Set release status flags based on info from the regressing bug 1951832
status-firefox136:
--- → unaffected
status-firefox137:
--- → unaffected
status-firefox-esr128:
--- → unaffected
|
||
Comment 2•1 month ago
|
||
Verified bug as reproducible on mozilla-central 20250319204742-168ba991246a.
The bug appears to have been introduced in the following build range:
Start: e70c7d40b6829d29cb279d159c1f468f8f89d78a (20250319070758)
End: 1209c2a794ce1508f211b8f02bd2d5b5c60afa83 (20250319095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e70c7d40b6829d29cb279d159c1f468f8f89d78a&tochange=1209c2a794ce1508f211b8f02bd2d5b5c60afa83
Whiteboard: [bugmon:bisected,confirmed]
|
|
Assignee | |
Comment 3•1 month ago
|
||
Although, the empty text should've been removed, but it may happen without the
normalization. Therefore, the lambda should keep scanning the first visible
char with ignoring empty Text nodes.
Additionally, there are similar methods which have the same lambda. Therefore,
this fixes them too.
I think we should make the scanner method take an option parameter to ignore
empty Text in a follow up bug.
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/7a66a04b4fb0
Make `WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement` ignore empty `Text` nodes when scanning first character of the right block r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/51517 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 6•29 days ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 29 days ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 8•27 days ago
|
||
Verified bug as fixed on rev mozilla-central 20250322090207-127b6a99bc17.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•