Closed Bug 1421504 Opened 7 years ago Closed 7 years ago

Assertion failure: childNode, at /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3015

Categories

(Core :: DOM: Editor, defect, P1)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

trigger.html
(deleted), text/html
Details
Bug 1421504 - EditorBase should move children carefully
(deleted), text/x-review-board-request
m_kato
: review+
Details
Attached file trigger.html (deleted) —
Testcase found while fuzzing mozilla-central rev c2248f853469. OS|Linux|0.0.0 Linux 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 CPU|amd64|family 6 model 69 stepping 1|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2965|0x0 0|1|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15 0|2|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10 0|3|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd 0|4|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13 0|5|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10 0|6|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d 0|7|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18 0|8|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17 0|9|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5 0|10|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21 0|11|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe 0|12|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15 0|13|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27 0|14|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc 0|15|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb 0|16|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d 0|17|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17 0|18|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18 0|19|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14 0|20|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22 0|21|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e 0|22|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9 0|23|||||0x1b37d07f50d1 0|24|||||0x7fdbb0dd61e8 0|25|||||0x1b37d0719add 0|26|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22 0|27|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb 0|28|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf 0|29|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd 0|30|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5 0|31|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c 0|32|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5 0|33|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c 0|34|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36 0|35|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15 0|36|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa 0|37|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf 0|38|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5 0|39|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19 0|40|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|1356|0x5 0|41|libxul.so|mozilla::AsyncEventDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:c2248f853469|70|0x1b 0|42|libxul.so|nsContentUtils::RemoveScriptBlocker|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c2248f853469|5676|0xe 0|43|libxul.so|nsDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:c2248f853469|5407|0x5 0|44|libxul.so|nsHTMLDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|2449|0x5 0|45|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:c2248f853469|40|0x14 0|46|libxul.so|nsINode::ReplaceOrInsertBefore|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|2405|0xc 0|47|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2984|0x15 0|48|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15 0|49|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10 0|50|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd 0|51|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13 0|52|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10 0|53|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d 0|54|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18 0|55|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17 0|56|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5 0|57|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21 0|58|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe 0|59|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15 0|60|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27 0|61|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc 0|62|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb 0|63|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d 0|64|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17 0|65|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18 0|66|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14 0|67|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22 0|68|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e 0|69|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9 0|70|||||0x1b37d07f50d1 0|71|||||0x7fdbb0dd61e8 0|72|||||0x1b37d0719add 0|73|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22 0|74|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb 0|75|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf 0|76|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd 0|77|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5 0|78|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c 0|79|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5 0|80|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c 0|81|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36 0|82|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15 0|83|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa 0|84|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf 0|85|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5 0|86|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19 0|87|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|1356|0x5 0|88|libxul.so|mozilla::AsyncEventDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:c2248f853469|70|0x1b 0|89|libxul.so|nsContentUtils::RemoveScriptBlocker|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:c2248f853469|5676|0xe 0|90|libxul.so|nsDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:c2248f853469|5407|0x5 0|91|libxul.so|nsHTMLDocument::EndUpdate|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|2449|0x5 0|92|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:c2248f853469|40|0x14 0|93|libxul.so|nsINode::ReplaceOrInsertBefore|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:c2248f853469|2405|0xc 0|94|libxul.so|mozilla::EditorBase::SplitNodeImpl|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|2984|0x15 0|95|libxul.so|mozilla::SplitNodeTransaction::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/SplitNodeTransaction.cpp:c2248f853469|76|0x15 0|96|libxul.so|nsTransactionManager::BeginTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|639|0x10 0|97|libxul.so|nsTransactionManager::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/txmgr/nsTransactionManager.cpp:c2248f853469|72|0xd 0|98|libxul.so|mozilla::EditorBase::DoTransaction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|762|0x13 0|99|libxul.so|mozilla::EditorBase::SplitNode|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|1566|0x10 0|100|libxul.so|mozilla::EditorBase::SplitNodeDeep|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:c2248f853469|4089|0x1d 0|101|libxul.so|mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6466|0x18 0|102|libxul.so|mozilla::HTMLEditRules::GetNodesForOperation|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6119|0x17 0|103|libxul.so|mozilla::HTMLEditRules::GetNodesFromSelection|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|6634|0x5 0|104|libxul.so|mozilla::HTMLEditRules::MakeBasicBlock|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|3822|0x21 0|105|libxul.so|mozilla::HTMLEditRules::WillInsertBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|1732|0xe 0|106|libxul.so|mozilla::HTMLEditRules::WillDoAction|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditRules.cpp:c2248f853469|651|0x15 0|107|libxul.so|mozilla::TextEditor::InsertLineBreak|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|757|0x27 0|108|libxul.so|mozilla::TextEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/TextEditor.cpp:c2248f853469|412|0xc 0|109|libxul.so|mozilla::HTMLEditor::TypedText|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:c2248f853469|960|0xb 0|110|libxul.so|mozilla::InsertParagraphCommand::DoCommand|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:c2248f853469|1154|0x1d 0|111|libxul.so|nsControllerCommandTable::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:c2248f853469|147|0x17 0|112|libxul.so|nsBaseCommandController::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:c2248f853469|136|0x18 0|113|libxul.so|nsCommandManager::DoCommand|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsCommandManager.cpp:c2248f853469|212|0x14 0|114|libxul.so|nsHTMLDocument::ExecCommand|hg:hg.mozilla.org/mozilla-central:dom/html/nsHTMLDocument.cpp:c2248f853469|3276|0x22 0|115|libxul.so|mozilla::dom::HTMLDocumentBinding::execCommand|s3:gecko-generated-sources:e3a57f98750b393f9f24b3621d7726e3ff401aa0874ab396b449c82cd15e9839b68fc3dd8ab9193c02e65990012510f56b500d79867ce12e0b59f4b6942fb555/dom/bindings/HTMLDocumentBinding.cpp:|854|0x2e 0|116|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c2248f853469|3042|0x9 0|117|||||0x1b37d07f50d1 0|118|||||0x7fdbb0dd61e8 0|119|||||0x1b37d0719add 0|120|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:c2248f853469|101|0x22 0|121|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|408|0xb 0|122|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|495|0xf 0|123|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|522|0xd 0|124|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c2248f853469|541|0x5 0|125|libxul.so|JS::Call|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:c2248f853469|3036|0x1c 0|126|libxul.so|mozilla::dom::EventListener::HandleEvent|s3:gecko-generated-sources:11dcc5f3aa4382b1117fa0b86a3cf43bb87c7f5f278e2943cc5311d11c6a1f0eeb861ca2ee05b0a80a616ed128aa73c18065f0eee6f709d1e9a246f773e75752/dom/bindings/EventListenerBinding.cpp:|47|0x5 0|127|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|s3:gecko-generated-sources:5fb27134dec5c683a890d7dc45ae33c1a6940b182eb54e11127bf808c94b1a4a3cfcdb8b5ea706a480e12d29f14e84233dba5438c016cf1e8418b54fcb42f1d8/dist/include/mozilla/dom/EventListenerBinding.h:|65|0x1c 0|128|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1108|0x36 0|129|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:c2248f853469|1286|0x15 0|130|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:c2248f853469|376|0xa 0|131|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|486|0xf 0|132|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|827|0x5 0|133|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|896|0x19 0|134|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:c2248f853469|882|0x10
Flags: in-testsuite?
Crash Signature: [@ mozilla::EditorBase::SplitNodeImpl]
Priority: -- → P1
Looks like that the first splitting node causes a mutation event before each selection range is modified by mutation observers. Therefore, some ranges may be not position at here?: https://searchfox.org/mozilla-central/rev/7a8c667bdd2a4a32746c9862356e199627c0896d/editor/libeditor/EditorBase.cpp#2965
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Comment on attachment 8932946 [details] Bug 1421504 - EditorBase should move children carefully https://reviewboard.mozilla.org/r/203882/#review209620 Oh, this has a permanent orange. Sorry for the spam.
Attachment #8932946 - Flags: review-
Attachment #8932946 - Attachment is obsolete: true
Attachment #8932946 - Flags: review?(m_kato)
Note that the test might cause infinite loop with ~58. The patch also fixes it but still taking a long time. So, we shouldn't include the testcase into automated test.
Comment on attachment 8933218 [details] Bug 1421504 - EditorBase should move children carefully https://reviewboard.mozilla.org/r/204154/#review209682 C/C++ static analysis found 1 defect in this patch. You can run this analysis locally with: `./mach static-analysis check path/to/file.cpp` ::: editor/libeditor/EditorBase.cpp:3097 (Diff revision 1) > aError.Throw(NS_ERROR_FAILURE); > return; > } > > + // Grab the child node and container before changing the DOM tree. > + EditorDOMPoint atStartOfRightNode(aStartOfRightNode); Warning: Local copy 'atstartofrightnode' of the variable 'astartofrightnode' is never modified; consider avoiding the copy [clang-tidy: performance-unnecessary-copy-initialization] EditorDOMPoint atStartOfRightNode(aStartOfRightNode); ^ const &
Comment on attachment 8933218 [details] Bug 1421504 - EditorBase should move children carefully https://reviewboard.mozilla.org/r/204154/#review209682 > Warning: Local copy 'atstartofrightnode' of the variable 'astartofrightnode' is never modified; consider avoiding the copy [clang-tidy: performance-unnecessary-copy-initialization] > > EditorDOMPoint atStartOfRightNode(aStartOfRightNode); > ^ > const & Oh, aStartOfRightNode is const EditorDOMPoint&, not const EditorRawDOMPoint.
(Hmm, if the given argument were a class member and it'd be modified during the call, such copy would be necessary though.)
Comment on attachment 8933218 [details] Bug 1421504 - EditorBase should move children carefully https://reviewboard.mozilla.org/r/204154/#review210022
Attachment #8933218 - Flags: review?(m_kato) → review+
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/7d20fee48462 EditorBase should move children carefully r=m_kato
https://hg.mozilla.org/mozilla-central/rev/7d20fee48462
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Blocks: 1413181
Has Regression Range: --- → yes
status-firefox57: --- → unaffected
status-firefox58: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite-
Version: unspecified → Trunk
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: