Closed
Bug 1649572
Opened 4 years ago
Closed 3 years ago
Assertion failure: !mPointToInsert.IsInDataNode(), at /builds/worker/checkouts/gecko/editor/libeditor/CreateElementTransaction.cpp:58
Categories
(Core :: DOM: Editor, defect, P5)
Core
DOM: Editor
Tracking
()
RESOLVED
FIXED
99 Branch
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 933c9f34edfa (built with --enable-debug).
Assertion failure: !mPointToInsert.IsInDataNode(), at /builds/worker/checkouts/gecko/editor/libeditor/CreateElementTransaction.cpp:58
rax = 0x00007f0007363883 rdx = 0x0000000000000000
rcx = 0x000055978dfc2a58 rbx = 0x000055978f570ea0
rsi = 0x00007f00183ee8b0 rdi = 0x00007f00183ed680
rbp = 0x00007ffec5112ec0 rsp = 0x00007ffec5112e70
r8 = 0x00007f00183ee8b0 r9 = 0x00007f0019554780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x000055978f5229a0 r13 = 0x0000000000000010
r14 = 0x00007ffec5113040 r15 = 0x000055978f570ec8
rip = 0x00007f0001a32125
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::CreateElementTransaction::CreateElementTransaction<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorBase&, nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/CreateElementTransaction.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|58|0x29
0|1|libxul.so|already_AddRefed<mozilla::CreateElementTransaction> mozilla::CreateElementTransaction::Create<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorBase&, nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/CreateElementTransaction.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|46|0x1e
0|2|libxul.so|mozilla::EditorBase::CreateNodeWithTransaction(nsAtom&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1460|0x15
0|3|libxul.so|mozilla::HTMLEditor::InsertBRElementWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, short)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|3479|0x1d
0|4|libxul.so|mozilla::HTMLEditor::InsertBRElementAtSelectionWithTransaction()|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1167|0x10
0|5|libxul.so|mozilla::HTMLEditor::InsertLineBreakAsAction(nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|986|0x8
0|6|libxul.so|mozilla::InsertLineBreakCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|921|0xb
0|7|libxul.so|mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4880|0x33
0|8|libxul.so|mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:8f7281e3ba1d600673dcaa1ac04d192ebae5bd1389403ef4cb1737261df8d246aba5da557aa502b708e3a3d18afebea6aedb14885532cb2904ce3fbf2ec40b9f/dom/bindings/DocumentBinding.cpp:|3469|0x34
0|9|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|3219|0x21
0|10|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|484|0x12
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|576|0xe
0|12|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|639|0x10
0|13|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|643|0xa
0|14|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|456|0xb
0|15|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|611|0x8
0|16|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|639|0x10
0|17|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|656|0xb
0|18|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|2846|0x23
0|19|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|20|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|21|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1082|0x2c
0|22|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1279|0x15
0|23|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|355|0xb
0|24|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|557|0x19
0|25|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1054|0x5
0|26|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|0|0x8
0|27|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1301|0x10
0|28|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4051|0x23
0|29|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|4021|0x23
0|30|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|7197|0x21
0|31|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1240|0x17
0|32|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|146|0x11
0|33|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|1234|0xe
0|34|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|513|0xc
0|35|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|87|0x7
0|36|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|334|0x17
0|37|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|309|0x8
0|38|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|137|0xd
0|39|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|913|0xe
0|40|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|237|0x5
0|41|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|334|0x17
0|42|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:933c9f34edfab8d5cf2a5389304cf3708889eb1c|309|0x8
0|43|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|744|0x5
0|44|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|56|0x11
0|45|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:933c9f34edfab8d5cf2a5389304cf3708889eb1c|303|0x20
0|46|libc.so.6||||0x21b97
0|47|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:933c9f34edfab8d5cf2a5389304cf3708889eb1c|253|0x17
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200702152109-2d709e60c76e.
The bug appears to have been introduced in the following build range:
> Start: 1c8115a9a6842c045e0a75f268dd3a59e4f92833 (20200403182703)
> End: b9ebe58001d787bb0bbad6d39ae8681966d5a77f (20200403182815)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1c8115a9a6842c045e0a75f268dd3a59e4f92833&tochange=b9ebe58001d787bb0bbad6d39ae8681966d5a77f
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201212092303-8491ac4866e8) but not with tip (mozilla-central 20211210215852-9eb74149f75b.)
The bug appears to have been fixed in the following build range:
Start: dcbd261bc72b516b97cc9141c89dab9daf4df16d (20211126030414)
End: d4bd94bc7b58345d02f59b22f35ba6269d8fd2b0 (20211126053501)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dcbd261bc72b516b97cc9141c89dab9daf4df16d&tochange=d4bd94bc7b58345d02f59b22f35ba6269d8fd2b0
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
Assignee | |
Comment 3•3 years ago
|
||
Yeah, bug 1742744 stops using CreateElementTransaction so that the crash in it never occurs.
Currently, it can be backed out by flipping the pref if we'd get a regression report in important websites. Therefore, we should not add the testcase into the tree for making the backout work simpler. When we delete CreateElementTransaction from the tree completely, we should add the reported testcase into the tree.
Assignee: nobody → masayuki
Severity: normal → S3
Status: NEW → ASSIGNED
status-firefox95:
--- → wontfix
status-firefox96:
--- → fixed
status-firefox97:
--- → fixed
Depends on: 1742744
OS: Unspecified → All
Priority: -- → P5
Hardware: Unspecified → All
|
||
Comment 4•3 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
Keywords: regression
|
|
||
Comment 5•3 years ago
|
||
Set release status flags based on info from the regressing bug 1619914
status-firefox-esr91:
--- → affected
|
|
Assignee | |
Comment 6•3 years ago
|
||
The reported issue is hitting MOZ_ASSERT in the constructor of
CreateElementTransaction, and CreateElementTransaction is now replaced
with InsertNodeTransaction. Therefore, the bug itself is never reproducible.
We should just add the reported testcase as a crashtest of WPT for now.
Perhaps, we should add tests for the cases that selection is collapsed in
comment node. However, it's not urgent and I don't have much time to do it
right now.
Depends on D139718
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/1a80adc83c36
Add reported automated testcase r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/33011 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 9•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 11•3 years ago
|
||
Change the status for beta to have the same as nightly and release.
For more information, please visit auto_nag documentation.
status-firefox98:
--- → fixed
|
||
Updated•3 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•