Closed Bug 2005112 Opened 23 days ago Closed 16 days ago

Assertion failure: (mContent->IsText() && !mContent->IsEditable())..., at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:83

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
148 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- wontfix
firefox146 --- wontfix
firefox147 --- wontfix
firefox148 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

testcase.html
325 bytes, text/html
Details
Bug 2005112 - Add the reported testcase r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20251101-3befa2ffc228 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: (mContent->IsText() && !mContent->IsEditable()) || (!mContent->IsHTMLElement(nsGkAtoms::br) && !HTMLEditUtils::IsBlockElement( *mContent, aScanner.ReferredHTMLDefaultStyle() ? BlockInlineCheck::UseHTMLDefaultStyle : BlockInlineCheck::UseComputedDisplayOutsideStyle)), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:83

#0 0x752e40c6bec9 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x752e40c6bec9 in mozilla::WSScanResult::AssertIfInvalidData(mozilla::WSRunScanner const&) const /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:75:3
#2 0x752e40c8c315 in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundaryFrom<nsINode*, nsIContent*>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) const /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:0:0
#3 0x752e40ab3d7d in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundary<nsINode*, nsIContent*>(mozilla::EnumSet<mozilla::WSRunScanner::Option, unsigned int>, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::dom::Element const*) /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.h:455:10
#4 0x752e40b0f3a9 in nsIContent* mozilla::HTMLEditUtils::GetContentToPreserveInlineStyles<mozilla::EditorDOMPointBase<nsINode*, nsIContent*>>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2751:9
#5 0x752e40b0eb8f in mozilla::HTMLEditor::OnStartToHandleTopLevelEditSubAction(mozilla::EditSubAction, short, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:286:9
#6 0x752e40ad1a47 in mozilla::EditorBase::AutoEditSubActionNotifier::AutoEditSubActionNotifier(mozilla::EditorBase&, mozilla::EditSubAction, short, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.h:2901:14
#7 0x752e40b522bb in mozilla::HTMLEditor::AlignAsSubAction(nsTSubstring<char16_t> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6428:29
#8 0x752e40b7848d in mozilla::HTMLEditor::AlignAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:3014:7
#9 0x752e40b8f158 in mozilla::AlignCommand::SetState(mozilla::HTMLEditor*, nsTSubstring<char16_t> const&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:922:30
#10 0x752e40b8d31c in mozilla::MultiStateCommandBase::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:497:17
#11 0x752e3cd0b511 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5923:27
#12 0x752e3dfb01fc in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4663:36
#13 0x752e3e1d172d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#14 0x752e41c47024 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#15 0x752e41c4687f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#16 0x752e41c57912 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:658:10
#17 0x752e41c57912 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3272:16
#18 0x752e41c45eca in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:460:13
#19 0x752e41c468a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:618:13
#20 0x752e41c47ccc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:685:8
#21 0x752e41d30afb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#22 0x752e3df922d5 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#23 0x752e3eb01feb in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#24 0x752e3eb00b32 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#25 0x752e3eadbc01 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1273:22
#26 0x752e3eadcd59 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1579:12
#27 0x752e3eadc641 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1484:35
#28 0x752e3ead10de in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#29 0x752e3ead10de in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#30 0x752e3ead07ac in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#31 0x752e3ead2f62 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1260:11
#32 0x752e3d01af87 in FocusInOutEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2974:14
#33 0x752e3ca9f155 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6977:13
#34 0x752e3ca9f330 in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6983:3
#35 0x752e3cfa8bc2 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3090:5
#36 0x752e3cfa7fa4 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, mozilla::dom::EventTarget*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3047:3
#37 0x752e3cfad378 in nsFocusManager::BlurImpl(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, bool, mozilla::dom::Element*, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2539:5
#38 0x752e3cf9abf1 in nsFocusManager::Blur(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, bool, unsigned long, mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2357:12
#39 0x752e3cfa31e8 in nsFocusManager::WindowLowered(mozIDOMWindowProxy*, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:862:5
#40 0x752e4168c353 in nsWebBrowser::FocusDeactivate(unsigned long) /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:1074:11
#41 0x752e40167b7d in mozilla::dom::BrowserChild::RecvDeactivate(unsigned long) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1498:16
#42 0x752e4028a7c2 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:4358:80
#43 0x752e402f9163 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8500:32
#44 0x752e3b922ede in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1793:25
#45 0x752e3b920460 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1719:9
#46 0x752e3b920e67 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1508:3
#47 0x752e3b921e49 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1610:14
#48 0x752e3ad16df7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:705:16
#49 0x752e3ad11774 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1325:20
#50 0x752e3ad103f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1148:15
#51 0x752e3ad10875 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:36
#52 0x752e3ad1dcd9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#53 0x752e3ad1dcd9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
#54 0x752e3ad2fd53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1164:16
#55 0x752e3ad3664f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#56 0x752e40705817 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3262:74)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#57 0x752e40705817 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3262:10
#58 0x752e3dd74357 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./XMLHttpRequestBinding.cpp:1663:24
#59 0x752e3e1d172d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#60 0x752e41c47024 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#61 0x752e41c4687f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#62 0x752e427cc553 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1698:10
#63 0x095830d43c5e  ([anon:js-executable-memory]+0xbc5e)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20251210064334-deaf4cdda67a.
The bug appears to have been introduced in the following build range:

Start: e70c7d40b6829d29cb279d159c1f468f8f89d78a (20250319070758)
End: 1209c2a794ce1508f211b8f02bd2d5b5c60afa83 (20250319095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e70c7d40b6829d29cb279d159c1f468f8f89d78a&tochange=1209c2a794ce1508f211b8f02bd2d5b5c60afa83

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:masayuki, since you are the author of the regressor, bug 1951832, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(masayuki)

Set release status flags based on info from the regressing bug 1951832

status-firefox146: --- → affected
status-firefox147: --- → affected
status-firefox-esr140: --- → affected

but not important. Although I'll take a look at early of 2026.

Severity: -- → S3
Flags: needinfo?(masayuki)
OS: Unspecified → All
Hardware: Unspecified → All

Testcase crashes using the initial build (mozilla-central 20251101164325-3befa2ffc228) but not with tip (mozilla-central 20251213091241-5da9551e15f3.)

The bug appears to have been fixed in the following build range:

Start: fd59d9ca1a42be760546c8414bcfaef9e5c74949 (20251212091729)
End: 65728879c98324632c79148c5a6290a1c6c0613a (20251212082138)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fd59d9ca1a42be760546c8414bcfaef9e5c74949&tochange=65728879c98324632c79148c5a6290a1c6c0613a

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

Masayuki: Was this also fixed by the patch for bug 2003973?

Flags: needinfo?(twsmith) → needinfo?(masayuki)

Yeah, it's possible. The patch adjusts handling position from raw Selection to move/extend the range boundary (boundaries) to outside either void or replaced elements. So, this kind of odd scan won't happen unless the builtin editor does that accidentally. I think I should add the reported test into the WPT.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)

Oh... It seems that this detected a regression of bug 2003973. insertHorizontalRule does nothing, perhaps, the Selection is collapsed at the non-editable <br>.

Err, no, it works. Okay, I'll just add the testcase.

The bug itself was fixed by the patch for bug 2003973.

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56797 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/eea9035cf34f

Status: ASSIGNED → RESOLVED
Closed: 16 days ago
status-firefox148: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: