Open
Bug 2007716
Opened 9 days ago
Updated 9 days ago
Assertion failure: mRanges.Contains(mAnchorFocusRange.get()), at /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.cpp:1148
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | unaffected |
| firefox148 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
478 bytes,
text/html
|
Details |
Found while fuzzing m-c 20251224-e6bd2e6947fb (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mRanges.Contains(mAnchorFocusRange.get()), at /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.cpp:1148
#0 0x76fe0c0034b4 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x76fe0c0034b4 in mozilla::AutoClonedRangeArray::RemoveCollapsedRanges() /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.cpp:1148:5
#2 0x76fe0c1122f3 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3115:21
#3 0x76fe0c10a77f in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1241:47
#4 0x76fe0c109ab5 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:549:61
#5 0x76fe0c02747a in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4801:9
#6 0x76fe0c0c3a37 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1858:21
#7 0x76fe0c0e33b5 in mozilla::InsertTagCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1331:13
#8 0x76fe08231283 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5906:27
#9 0x76fe094e35cc in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4663:36
#10 0x76fe09706d6d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#11 0x76fe0e2a5734 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#12 0x76fe0e2a4fdf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#13 0x76fe0d8b7ed3 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1698:10
#14 0x1a7ff0778c5e ([anon:js-executable-memory]+0xbc5e)
Flags: in-testsuite?
When "insertImage" command is performed, the HTML is:
<body><textarea></textarea>
<progeress></progress>{
<strike>
<iframe>{
}</iframe>}</strike></body>
I.e., the 2 ranges are overlapped, this is illegal situation... This could be caused by a bug of Selection. We need to investigate this more.
Severity: -- → S3
OS: Unspecified → All
Hardware: Unspecified → All
|
||
Comment 2•9 days ago
|
||
Verified bug as reproducible on mozilla-central 20251224210403-bd70d95c6560.
The bug appears to have been introduced in the following build range:
Start: fd59d9ca1a42be760546c8414bcfaef9e5c74949 (20251212091729)
End: 65728879c98324632c79148c5a6290a1c6c0613a (20251212082138)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fd59d9ca1a42be760546c8414bcfaef9e5c74949&tochange=65728879c98324632c79148c5a6290a1c6c0613a
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 3•9 days ago
|
||
Set release status flags based on info from the regressing bug 2003973
status-firefox146:
--- → unaffected
status-firefox147:
--- → unaffected
status-firefox-esr140:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•