Open Bug 992748 Opened 7 years ago Updated 4 years ago

copy and paste leads to crash: Assertion failure: selection->GetAnchorFocusRange() && selection->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at ../../../../editor/libeditor/base/nsEditor.cpp

Categories

(Core :: DOM: Editor, defect)

28 Branch
x86_64
FreeBSD
defect
Not set
normal

Tracking

()

UNCONFIRMED

People

(Reporter: lists, Unassigned)

Details

(Keywords: crash)

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140405165353

Steps to reproduce:

1. Open two Google Docs docs 
2. Copy from one
3. paste in the other


Actual results:

Crash:
Assertion failure: selection->GetAnchorFocusRange() && selection->GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at ../../../../editor/libeditor/base/nsEditor.cpp

* thread #1: tid = 0, 0x0000000800fd2f2a libc.so.7`__sys_thr_kill + 10 at thr_kill.S:3, name = 'firefox', stop reason = signal SIGSEGV
  * frame #0: 0x0000000800fd2f2a libc.so.7`__sys_thr_kill + 10 at thr_kill.S:3
    frame #1: 0x000000080430c019 libxul.so`nsProfileLock::FatalSignalHandler(signo=11, info=<unavailable>, context=<unavailable>) + 361 at nsProfileLock.cpp:180
    frame #2: 0x0000000800d4e456 libthr.so.3`handle_signal(actp=<unavailable>, sig=11, info=0x00007fffffffa8b0, ucp=0x00007fffffffa540) + 214 at thr_sig.c:238
    frame #3: 0x0000000800d4e04c libthr.so.3`thr_sighandler(sig=<unavailable>, info=<unavailable>, _ucp=<unavailable>) + 332 at thr_sig.c:183
    frame #4: 0x00007ffffffff193
    frame #5: 0x0000000803aeb205 libxul.so`nsHTMLEditor::DoInsertHTMLWithContext(this=0x000000082dcf3c00, aInputString=<unavailable>, aContextStr=<unavailable>, aInfoStr=<unavailable>, aFlavor=<unavailable>, aSourceDoc=<unavailable>, aDestNode=<unavailable>, aDestOffset=<unavailable>, aDeleteSelection=<unavailable>, aTrustedInput=<unavailable>, aClearStyle=<unavailable>) + 1141 at nsHTMLDataTransfer.cpp:365
    frame #6: 0x0000000803af3789 libxul.so`nsHTMLEditor::InsertFromTransferable(this=<unavailable>, transferable=<unavailable>, aSourceDoc=<unavailable>, aContextStr=<unavailable>, aInfoStr=<unavailable>, aDestinationNode=<unavailable>, aDestOffset=<unavailable>, aDoDeleteSelection=<unavailable>) + 2601 at nsHTMLDataTransfer.cpp:1204
    frame #7: 0x0000000803af5145 libxul.so`nsHTMLEditor::Paste(this=0x000000082dcf3c00, aSelectionType=<unavailable>) + 2325 at nsHTMLDataTransfer.cpp:1417
    frame #8: 0x0000000803abc9c0 libxul.so`nsPasteCommand::DoCommand(this=<unavailable>, aCommandName=<unavailable>, aCommandRefCon=<unavailable>) + 96 at nsEditorCommands.cpp:410
    frame #9: 0x000000080418f20e libxul.so`nsControllerCommandTable::DoCommand(this=<unavailable>, aCommandName=0x00007fffffffb718, aCommandRefCon=0x000000082dcf3c00) + 94 at nsControllerCommandTable.cpp:158
    frame #10: 0x000000080418adcf libxul.so`nsBaseCommandController::DoCommand(this=<unavailable>, aCommand=0x00007fffffffb718) + 175 at nsBaseCommandController.cpp:137
    frame #11: 0x0000000803a1420d libxul.so`nsXBLPrototypeHandler::DispatchXBLCommand(this=<unavailable>, aTarget=<unavailable>, aEvent=<unavailable>) + 2413 at nsXBLPrototypeHandler.cpp:523
    frame #12: 0x0000000803a03d64 libxul.so`nsXBLPrototypeHandler::ExecuteHandler(this=0x000000082941cd00, aTarget=0x000000081db9eb50, aEvent=0x000000081fed7658) + 212 at nsXBLPrototypeHandler.cpp:218
    frame #13: 0x0000000803a203df libxul.so`nsXBLWindowKeyHandler::WalkHandlersAndExecute(this=0x000000081db9a340, aKeyEvent=0x000000081fed7658, aEventType=0x0000000817d670a0, aHandler=<unavailable>, aCharCode=118, aIgnoreShiftKey=<unavailable>) + 1759 at nsXBLWindowKeyHandler.cpp:568
    frame #14: 0x0000000803a1f786 libxul.so`nsXBLWindowKeyHandler::WalkHandlersInternal(this=0x000000081db9a340, aKeyEvent=0x000000081fed7658, aEventType=0x0000000817d670a0, aHandler=0x000000082941c980) + 182 at nsXBLWindowKeyHandler.cpp:486
    frame #15: 0x0000000803a1f4ed libxul.so`nsXBLWindowKeyHandler::WalkHandlers(this=0x000000081db9a340, aKeyEvent=0x000000081fed7658, aEventType=0x0000000817d670a0) + 413 at nsXBLWindowKeyHandler.cpp:344
    frame #16: 0x0000000803a1fbc5 libxul.so`nsXBLWindowKeyHandler::HandleEvent(this=0x000000081db9a340, aEvent=<unavailable>) + 421 at nsXBLWindowKeyHandler.cpp:407
    frame #17: 0x00000008036e71c0 libxul.so`nsEventListenerManager::HandleEventSubType(this=0x000000081dbe53e0, aListenerStruct=<unavailable>, aDOMEvent=0x000000081fed75c0, aCurrentTarget=0x000000081db9eb50, aPusher=<unavailable>) + 128 at nsEventListenerManager.cpp:930
    frame #18: 0x00000008036e756a libxul.so`nsEventListenerManager::HandleEventInternal(this=0x000000081dbe53e0, aPresContext=0x000000082c5b2c00, aEvent=0x00007fffffffc8e8, aDOMEvent=0x00007fffffffc120, aCurrentTarget=0x000000081db9eb50, aEventStatus=0x00007fffffffc128, aPusher=<unavailable>) + 826 at nsEventListenerManager.cpp:1007
    frame #19: 0x00000008036f018b libxul.so`nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, ELMCreationDetector&, nsCxPusher*) [inlined] nsRefPtr<nsEventListenerManager>::operator->(this=0x000000081dbe53e0, aPresContext=<unavailable>, aEvent=<unavailable>, aDOMEvent=<unavailable>, aCurrentTarget=<unavailable>, aEventStatus=<unavailable>, aPusher=0x00007fffffffc0c0) const + 475 at nsEventListenerManager.h:325
    frame #20: 0x00000008036f017f libxul.so`nsEventTargetChainItem::HandleEvent(this=<unavailable>, aVisitor=0x00007fffffffc110, aCd=<unavailable>, aPusher=0x00007fffffffc0c0) + 463 at nsEventDispatcher.cpp:193
    frame #21: 0x00000008036e0993 libxul.so`nsEventTargetChainItem::HandleEventTargetChain(aChain=0x00007fffffffc190, aVisitor=0x00007fffffffc110, aCallback=0x00007fffffffc288, aCd=0x00007fffffffc198, aPusher=0x00007fffffffc0c0) + 1043 at nsEventDispatcher.cpp:313
    frame #22: 0x00000008036e0b9c libxul.so`nsEventTargetChainItem::HandleEventTargetChain(aChain=0x00007fffffffc190, aVisitor=0x00007fffffffc110, aCallback=0x00007fffffffc288, aCd=0x00007fffffffc198, aPusher=0x00007fffffffc0c0) + 1564 at nsEventDispatcher.cpp:342
    frame #23: 0x00000008036e20ee libxul.so`nsEventDispatcher::Dispatch(aTarget=<unavailable>, aPresContext=0x000000082c5b2c00, aEvent=0x00007fffffffc8e8, aDOMEvent=<unavailable>, aEventStatus=0x00007fffffffc764, aCallback=0x00007fffffffc288, aTargets=<unavailable>) + 4750 at nsEventDispatcher.cpp:605
    frame #24: 0x0000000803cb95a3 libxul.so`PresShell::HandleEventInternal(this=0x000000082c593d00, aEvent=0x00007fffffffc8e8, aStatus=0x00007fffffffc764) + 4579 at nsPresShell.cpp:7127
    frame #25: 0x0000000803cb744c libxul.so`PresShell::HandleEvent(this=0x000000082c593d00, aFrame=<unavailable>, aEvent=0x00007fffffffc8e8, aDontRetargetEvents=<unavailable>, aEventStatus=0x00007fffffffc764) + 5260 at nsPresShell.cpp:6744
    frame #26: 0x0000000803cb638a libxul.so`PresShell::HandleEvent(this=0x000000081b4a8b00, aFrame=0x000000081c4bd948, aEvent=0x00007fffffffc8e8, aDontRetargetEvents=<unavailable>, aEventStatus=0x00007fffffffc764) + 970 at nsPresShell.cpp:6336
    frame #27: 0x000000080349e150 libxul.so`nsViewManager::DispatchEvent(this=<unavailable>, aEvent=0x00007fffffffc8e8, aView=<unavailable>, aStatus=0x00007fffffffc764) + 432 at nsViewManager.cpp:753
    frame #28: 0x000000080349be69 libxul.so`nsView::HandleEvent(this=<unavailable>, aEvent=0x00007fffffffc8e8, aUseAttachedEvents=<unavailable>) + 265 at nsView.cpp:1084
    frame #29: 0x000000080304e5a3 libxul.so`nsWindow::DispatchEvent(this=0x000000081d692080, aEvent=0x00007fffffffc8e8, aStatus=0x00007fffffffc99c) + 211 at nsWindow.cpp:466
    frame #30: 0x0000000803055772 libxul.so`nsWindow::OnKeyPressEvent(this=0x000000081d692080, aEvent=<unavailable>) + 1106 at nsWindow.cpp:3054
    frame #31: 0x0000000803057b21 libxul.so`key_press_event_cb(widget=<unavailable>, event=0x000000081e158cb0) + 305 at nsWindow.cpp:5474
    frame #32: 0x000000080c702a20 libgtk-x11-2.0.so.0`_gtk_marshal_BOOLEAN__BOXED(closure=0x000000081db96cb0, return_value=0x00007fffffffcc40, n_param_values=2, param_values=0x00007fffffffccf0, invocation_hint=0x00007fffffffcc70, marshal_data=0x0000000000000000) + 304 at gtkmarshalers.c:86
    frame #33: 0x000000080bde13c1 libgobject-2.0.so.0`g_closure_invoke + 273
    frame #34: 0x000000080bdf5d3a libgobject-2.0.so.0`??? + 2138
    frame #35: 0x000000080bdf6a8d libgobject-2.0.so.0`g_signal_emit_valist + 2237
    frame #36: 0x000000080bdf70cc libgobject-2.0.so.0`g_signal_emit + 124
    frame #37: 0x000000080c8d8d84 libgtk-x11-2.0.so.0`gtk_widget_event_internal(widget=0x0000000813652240, event=0x000000081e158cb0) + 772 at gtkwidget.c:5010
    frame #38: 0x000000080c8d8a6a libgtk-x11-2.0.so.0`IA__gtk_widget_event(widget=0x0000000813652240, event=0x000000081e158cb0) + 346 at gtkwidget.c:4807
    frame #39: 0x000000080c8f16de libgtk-x11-2.0.so.0`IA__gtk_window_propagate_key_event(window=0x0000000816ed2440, event=0x000000081e158cb0) + 382 at gtkwindow.c:5199
    frame #40: 0x000000080c8fa486 libgtk-x11-2.0.so.0`gtk_window_key_press_event(widget=0x0000000816ed2440, event=0x000000081e158cb0) + 86 at gtkwindow.c:5229
    frame #41: 0x000000080c702a20 libgtk-x11-2.0.so.0`_gtk_marshal_BOOLEAN__BOXED(closure=0x0000000817ccd120, return_value=0x00007fffffffd240, n_param_values=2, param_values=0x00007fffffffd2f0, invocation_hint=0x00007fffffffd270, marshal_data=0x000000080c8fa430) + 304 at gtkmarshalers.c:86
    frame #42: 0x000000080bde13c1 libgobject-2.0.so.0`g_closure_invoke + 273
    frame #43: 0x000000080bdf5ec3 libgobject-2.0.so.0`??? + 2531
    frame #44: 0x000000080bdf6a8d libgobject-2.0.so.0`g_signal_emit_valist + 2237
    frame #45: 0x000000080bdf70cc libgobject-2.0.so.0`g_signal_emit + 124
    frame #46: 0x000000080c8d8d84 libgtk-x11-2.0.so.0`gtk_widget_event_internal(widget=0x0000000816ed2440, event=0x000000081e158cb0) + 772 at gtkwidget.c:5010
    frame #47: 0x000000080c8d8a6a libgtk-x11-2.0.so.0`IA__gtk_widget_event(widget=0x0000000816ed2440, event=0x000000081e158cb0) + 346 at gtkwidget.c:4807
    frame #48: 0x000000080c6fee13 libgtk-x11-2.0.so.0`IA__gtk_propagate_event(widget=0x0000000816ed2440, event=0x000000081e158cb0) + 675 at gtkmain.c:2464
    frame #49: 0x000000080c6fe622 libgtk-x11-2.0.so.0`IA__gtk_main_do_event(event=0x000000081e158cb0) + 1330 at gtkmain.c:1685
    frame #50: 0x000000080d1d5c74 libgdk-x11-2.0.so.0`gdk_event_dispatch(source=0x00000008017dd5c0, callback=0x0000000000000000, user_data=0x0000000000000000) + 148 at gdkevents-x11.c:2403
    frame #51: 0x000000080c070a82 libglib-2.0.so.0`g_main_context_dispatch + 322
    frame #52: 0x000000080c070e23 libglib-2.0.so.0`??? + 483
    frame #53: 0x000000080c070eb4 libglib-2.0.so.0`g_main_context_iteration + 100
    frame #54: 0x000000080304830f libxul.so`nsAppShell::ProcessNextNativeEvent(this=<unavailable>, mayWait=<unavailable>) + 15 at nsAppShell.cpp:138
    frame #55: 0x0000000803093273 libxul.so`nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) [inlined] nsBaseAppShell::DoProcessNextNativeEvent(this=0x000000081369a4a0) + 30 at nsBaseAppShell.cpp:137
    frame #56: 0x0000000803093255 libxul.so`nsBaseAppShell::OnProcessNextEvent(this=0x000000081369a4a0, thr=0x000000080177a520, mayWait=true, recursionDepth=0) + 453 at nsBaseAppShell.cpp:295
    frame #57: 0x0000000803093410 libxul.so`non-virtual thunk to nsBaseAppShell::OnProcessNextEvent(this=<unavailable>, thr=<unavailable>, mayWait=<unavailable>, recursionDepth=<unavailable>) + 16 at Unified_cpp_widget_xpwidgets0.cpp:312
    frame #58: 0x0000000802171e1e libxul.so`nsThread::ProcessNextEvent(this=0x000000080177a520, mayWait=true, result=0x00007fffffffda47) + 958 at nsThread.cpp:585
    frame #59: 0x00000008020e2633 libxul.so`NS_ProcessNextEvent(thread=<unavailable>, mayWait=true) + 51 at nsThreadUtils.cpp:263
    frame #60: 0x0000000802499ffa libxul.so`mozilla::ipc::MessagePump::Run(this=0x0000000813617480, aDelegate=0x000000080177e680) + 522 at MessagePump.cpp:124
    frame #61: 0x0000000802463ee3 libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunInternal(this=0x000000080177e680) + 131 at message_loop.cc:222
    frame #62: 0x0000000802463e9f libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunHandler(this=0x000000080177e680) at message_loop.cc:215
    frame #63: 0x0000000802463e9f libxul.so`MessageLoop::Run(this=0x000000080177e680) + 63 at message_loop.cc:189
    frame #64: 0x0000000803092ee9 libxul.so`nsBaseAppShell::Run(this=0x000000081369a4a0) + 41 at nsBaseAppShell.cpp:161
    frame #65: 0x000000080435ba4c libxul.so`nsAppStartup::Run(this=0x0000000816e6c830) + 124 at nsAppStartup.cpp:276
    frame #66: 0x00000008042fbf53 libxul.so`XREMain::XRE_mainRun(this=<unavailable>) + 4515 at nsAppRunner.cpp:4059
    frame #67: 0x00000008042fc470 libxul.so`XREMain::XRE_main(this=0x00007fffffffdda0, argc=<unavailable>, argv=<unavailable>, aAppData=<unavailable>) + 256 at nsAppRunner.cpp:4127
    frame #68: 0x00000008042fca70 libxul.so`XRE_main(argc=<unavailable>, argv=<unavailable>, aAppData=<unavailable>, aFlags=<unavailable>) + 256 at nsAppRunner.cpp:4337
    frame #69: 0x0000000000404b94 firefox`main [inlined] do_main(argc=<unavailable>, argv=<unavailable>, xreDirectory=0x00000008017183c0) + 981 at nsBrowserApp.cpp:282
    frame #70: 0x00000000004047bf firefox`main(argc=<unavailable>, argv=<unavailable>) + 735 at nsBrowserApp.cpp:636
    frame #71: 0x00000000004043ff firefox`_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78



Expected results:

copy and paste - not a crash ;)
note: while I am able to reproduce this easily on one system it is not clear to be that I provided sufficient conditions to repro for others.  I am happy to provide additional details when requested.
Component: Untriaged → Layout: Text
Product: Firefox → Core
Component: Layout: Text → Editor
Can you still reproduce on 50.1.0 ? Output from about:support would also be helpful.

For debugging using *unmodified* trunk build is preferred to avoid bias from downstream defaults, patches, etc. While default build includes debug symbols, looking at comment 0 and frame #34, system dependencies like devel/glib20 and x11-toolkits/gtk30 need them as well.

  $ pkg install python27
  $ hg clone https://hg.mozilla.org/mozilla-unified firefox ||
    git clone https://github.com/mozilla/gecko-dev firefox
  $ cd firefox
  $ ./mach bootstrap # select Firefox for Desktop
  $ hash rustc cargo 2>/dev/null || pkg install rust cargo
  $ nice ./mach build
  $ ./mach run
Keywords: crash
You need to log in before you can comment on or make changes to this bug.