Open
Bug 1982458
Opened 10 days ago
Updated 10 days ago
Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:1203
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | affected |
| firefox141 | --- | wontfix |
| firefox142 | --- | wontfix |
| firefox143 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
393 bytes,
text/html
|
Details |
Found while fuzzing 20250727-0a2d8d2aa122 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: aPoint.IsSetAndValid(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:1203
#0 0x73408647c5f2 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x73408647c5f2 in mozilla::Maybe<mozilla::EditorLineBreakBase<nsCOMPtr<nsIContent>>> mozilla::HTMLEditUtils::GetFollowingUnnecessaryLineBreak<mozilla::EditorLineBreakBase<nsCOMPtr<nsIContent>>, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:1203:3
#2 0x73408641a969 in mozilla::HTMLEditor::EnsureNoFollowingUnnecessaryLineBreak(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4352:7
#3 0x7340864cf7da in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&)::$_4::operator()(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4513:29
#4 0x7340864b0d05 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4565:19
#5 0x7340864ad9c8 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:340:51
#6 0x7340864bc3ad in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3217:16
#7 0x7340864b4250 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1206:47
#8 0x7340864b381a in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:508:61
#9 0x7340863d5344 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4864:9
#10 0x734086415fc7 in mozilla::HTMLEditor::HandleInsertText(nsTSubstring<char16_t> const&, mozilla::EditorBase::InsertTextFor) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:994:9
#11 0x7340863d7e6c in mozilla::EditorBase::InsertTextAsSubAction(nsTSubstring<char16_t> const&, mozilla::EditorBase::InsertTextFor) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6601:7
#12 0x7340863ec8f7 in mozilla::EditorBase::InsertTextAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6560:8
#13 0x7340863f1ff7 in mozilla::InsertPlaintextCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:859:19
#14 0x734082754a11 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5833:27
#15 0x7340838d2360 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4181:36
#16 0x734083b9804d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#17 0x734087429d24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#18 0x73408742957f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#19 0x734087fae832 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#20 0x1700296f90fe ([anon:js-executable-memory]+0xc0fe)
Flags: in-testsuite?
|
||
Comment 1•10 days ago
|
||
Verified bug as reproducible on mozilla-central 20250811212651-bba8b54545d1.
The bug appears to have been introduced in the following build range:
Start: e70c7d40b6829d29cb279d159c1f468f8f89d78a (20250319070758)
End: 1209c2a794ce1508f211b8f02bd2d5b5c60afa83 (20250319095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e70c7d40b6829d29cb279d159c1f468f8f89d78a&tochange=1209c2a794ce1508f211b8f02bd2d5b5c60afa83
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•10 days ago
|
||
Set release status flags based on info from the regressing bug 1951832
:masayuki, since you are the author of the regressor, bug 1951832, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox141:
--- → affected
status-firefox142:
--- → affected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → affected
Flags: needinfo?(masayuki)
|
||
Comment 3•10 days ago
|
||
Hmm, at here, the EndRef() is not already valid. However, it's tracked here, so, that could be already invalid when it's returned from here.
Severity: -- → S3
Flags: needinfo?(masayuki)
|
||
Updated•10 days ago
|
|
||
Updated•10 days ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•