1982411 - Assertion failure: startContent->IsInComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2006

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20250616-87e010ebac62 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: startContent->IsInComposedDoc(), at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2006

#0 0x7cc387ee85cd in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7cc387ee85cd in mozilla::dom::Selection::SelectFrames(nsPresContext*, mozilla::dom::AbstractRange&, bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2006:3
#2 0x7cc387ee78c9 in mozilla::dom::Selection::Clear(nsPresContext*, mozilla::dom::AbstractRange::IsUnlinking) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1524:5
#3 0x7cc387ee1c37 in mozilla::dom::Selection::RemoveAllRangesInternal(mozilla::ErrorResult&, mozilla::dom::AbstractRange::IsUnlinking) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2564:3
#4 0x7cc38884440f in mozilla::dom::Selection_Binding::removeAllRanges(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1023:24
#5 0x7cc38919804d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#6 0x7cc38ca29d24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#7 0x7cc38ca2957f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#8 0x7cc38d5ae832 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#9 0x2f7757fe80fe  ([anon:js-executable-memory]+0xc0fe)

Comment 1

[Mayank Bansal]

Got crash from the testcase on latest Nightly: https://crash-stats.mozilla.org/report/index/e7ee0ba8-5025-4c3e-8e61-1a4e10250811

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250811212651-bba8b54545d1.
The bug appears to have been introduced in the following build range:

Start: 6c26024ddf5e28e2f78806d31d5778d4ab32d7a0 (20250317114244)
End: bf16ee951c466392ac1a3988f79e9ed0ece942b3 (20250317130457)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6c26024ddf5e28e2f78806d31d5778d4ab32d7a0&tochange=bf16ee951c466392ac1a3988f79e9ed0ece942b3

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Presumably one of the bugs from this push, though unsure which one:
https://hg-edge.mozilla.org/integration/autoland/pushloghtml?changeset=3a168fc3064f7d582f8559e7974eda6227d4399a

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

The assertion was added in bug 1820445. So, not a wrong assertion. Additionally, the testcase does not do something tricky. So, this bug must detect a true regression of Selection.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

Ah, okay, perhaps, this is not an actual regression. <select> has anonymous nodes for the pull-down button and a label to show the selected option. I guess getSelection().modify("extend", "forward", "line") causes the selection range into the anonymous subtree. Then, the anonymous subtree is destroyed by document.documentElement.style.display = "none". Therefor the range becomes invalid. At Selection.modify, the range boundary should go into the anonymous subtree.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

Err, no, at getSelection().modify("move", "left", "word"), the selection is collapsed into the anonymous <label>.

Comment 7

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

Attachment: Bug 1982411 - Style the anonymous `<label>` in `<select>` as not selectable r=emilio!,#layout-reviewers

nsIFrame::GetFrameFromDirection() considers the text node in the
anonymous <select> as selectable. Therefore,
nsIFrame::PeekOffset*() may return the text node as selectable point.
Thus, Selection::Modify() may move its range into the anonymous
subtree of a <select>.

The anonymous content of <details> needs to be selectable. Therefore,
we cannot consider whether the anonymous content is selectable or not
with DOM API in nsIFrame. Therefore, this patch changes the browser
style instead.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:masayuki, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 9

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://github.com/mozilla-firefox/firefox/commit/99d7ebc6bfa5
https://hg.mozilla.org/integration/autoland/rev/bbd5f93e7f23
Style the anonymous `<label>` in `<select>` as not selectable r=emilio,layout-reviewers,firefox-style-system-reviewers

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/54614 for changes under testing/web-platform/tests

Comment 11

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

I added the assertion in bug 1820445, so, I mark it as the regressor. Although this is not an actual regression for the users.

Comment 12

[pstanciu]

https://hg.mozilla.org/mozilla-central/rev/bbd5f93e7f23

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
  • See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
• If no, please set status-firefox143 to wontfix.

For more information, please visit BugBot documentation.

Comment 14

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250901094023-bbd5f93e7f23.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 15

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(PTO: 6/26-6/30))]

Maybe, one of the cause of bug 1703040. I think we don't need to uplift this from the most release build users point of view. Although this could make some users inconvenient like the users of the caret browsing mode. However, perhaps, it must be acceptable bug to wait a release cycle. I'm not sure about ESR users. If there were some bug reports about the caret browsing mode around <select> and my patch fixed the issue, it might be worthwhile to uplift for ESR users. However, I'm not sure.

Comment 16

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 17

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot