Closed Bug 2008590 Opened 8 days ago Closed 5 days ago

Assertion failure: isSingleInsert (root node insertion should be a single insertion), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6241

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
148 Branch
Tracking Flags:
Tracking Status
firefox-esr140 --- unaffected
firefox146 --- unaffected
firefox147 --- unaffected
firefox148 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 2 open bugs, Regression,
URL
)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

testcase.html
162 bytes, text/html
Details
Bug 2008590 - Deal with range insertions that contain the document element. r=TYLin,#layout
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20260103-bd631654e320 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: isSingleInsert (root node insertion should be a single insertion), at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6241

#0 0x7fffec7a5598 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7fffec7a5598 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6240:5
#2 0x7fffec694e25 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:1620:27
#3 0x7fffec69c31d in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3250:7
#4 0x7fffec69d591 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/style/RestyleManager.cpp:3340:3
#5 0x7fffec74c127 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4471:37
#6 0x7fffe867b095 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1526:5
#7 0x7fffe867b095 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11635:16
#8 0x7fffe864f540 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:11567:3
#9 0x7fffe864f540 in mozilla::dom::Document::AutoEditorCommandTarget::AutoEditorCommandTarget(mozilla::dom::Document&, mozilla::dom::Document::InternalCommandData const&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5537:13
#10 0x7fffe865376e in mozilla::dom::Document::QueryCommandValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6230:27
#11 0x7fffe9905081 in mozilla::dom::Document_Binding::queryCommandValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4894:24
#12 0x7fffe9b26efd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#13 0x7fffee6c70e4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#14 0x7fffee6c698f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#15 0x7fffee6d7672 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:658:10
#16 0x7fffee6d7672 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3272:16
#17 0x7fffee6c5fda in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:460:13
#18 0x7fffee6c69b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:618:13
#19 0x7fffee6c7d8c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:685:8
#20 0x7fffee7bb4c7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1223:10
#21 0x7fffede86ef2 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:1157:10
#22 0x3b83fa92d409  ([anon:js-executable-memory]+0x12409)
Flags: in-testsuite?

This has also been reported via live site testing.

Blocks: site-scout
URL: http://www.gamestar.de/

Verified bug as reproducible on mozilla-central 20260105211017-f3c4f3651e2d.
Unable to bisect testcase (Unable to launch the end build!):

Start: 114a69547c262e92d13156de8a309ee3de9ac35a (20250107165124)
End: bd631654e320cdf77cc5dcc7292f3989b5c63983 (20260103212557)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:bisected,confirmed]
Keywords: regression
Regressed by: 2008148

Before the regressing bug we relied on GetRangeInsertionPoint to do
this, but it's not really necessary. If the root element is on the range
deal with it, otherwise bail, which is what we were already doing.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 2008148

status-firefox146: --- → unaffected
status-firefox147: --- → unaffected
status-firefox-esr140: --- → unaffected
Pushed by ealvarez@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/1377eb0f8e3a https://hg.mozilla.org/integration/autoland/rev/917ca4d28090 Deal with range insertions that contain the document element. r=TYLin,layout-reviewers
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/57070 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/917ca4d28090

Status: ASSIGNED → RESOLVED
Closed: 5 days ago
status-firefox148: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch

Verified bug as fixed on rev mozilla-central 20260108165448-9af669f3df03.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox148: fixedverified
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: