1982406 - Assertion failure: mOldContainer, at /builds/worker/checkouts/gecko/editor/libeditor/MoveNodeTransaction.cpp:148

Status: NEW

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20250809-7c811cd3bb44 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mOldContainer, at /builds/worker/checkouts/gecko/editor/libeditor/MoveNodeTransaction.cpp:148

#0 0x78a95714658d in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x78a95714658d in mozilla::MoveNodeTransaction::DoTransactionInternal() /builds/worker/checkouts/gecko/editor/libeditor/MoveNodeTransaction.cpp:148:3
#2 0x78a957147373 in mozilla::MoveNodeTransaction::RedoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/MoveNodeTransaction.cpp:305:17
#3 0x78a956fc31d0 in mozilla::EditAggregateTransaction::RedoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/EditAggregateTransaction.cpp:90:52
#4 0x78a95714d579 in mozilla::PlaceholderTransaction::RedoTransaction() /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp:114:43
#5 0x78a9571a8399 in mozilla::TransactionItem::RedoTransaction(mozilla::TransactionManager*) /builds/worker/checkouts/gecko/editor/txmgr/TransactionItem.cpp:155:32
#6 0x78a9571a9f40 in mozilla::TransactionManager::Redo() /builds/worker/checkouts/gecko/editor/txmgr/TransactionManager.cpp:148:34
#7 0x78a956fcfef7 in mozilla::EditorBase::RedoAsAction(unsigned int, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:1126:11
#8 0x78a956ff0f55 in mozilla::RedoCommand::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:307:29
#9 0x78a9533548e2 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5810:37
#10 0x78a9544d2360 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4181:36
#11 0x78a95479804d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#12 0x78a958029d24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#13 0x78a95802957f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#14 0x78a958bae832 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#15 0x03f3c2e5e0fe  ([anon:js-executable-memory]+0x1c0fe)

Comment 1

[Mayank Bansal]

Got a crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/204de193-3947-4004-affd-9bb7e0250811

Comment 2

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Hmm, tricky case, but it's possible to use this as a DOS to the testers.

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250811212651-bba8b54545d1.
Unable to bisect testcase (Unable to launch the start build!):

Start: 6a2726e60f57ab0a4179b75d229a1c483d207179 (20240813093307)
End: 7c811cd3bb44a991d533a4ed2e2eda1b96f97d62 (20250809095729)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)