Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1011
Categories
(Core :: DOM: Selection, defect)
Tracking
 | Tracking | Status
---|---|---
firefox118 | --- | affected
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments (1 file): (deleted), text/html
Found while fuzzing m-c 20230815-0f010e753b74 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1011
#0 0x7f9c98242cc9 in mozilla::ContentSubtreeIterator::InitWithRange() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1010:3
#1 0x7f9c98242573 in mozilla::ContentSubtreeIterator::Init(mozilla::dom::AbstractRange*) /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:872:10
#2 0x7f9c984b2647 in mozilla::dom::Selection::SelectFrames(nsPresContext*, mozilla::dom::AbstractRange&, bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1756:15
#3 0x7f9c984b1e59 in mozilla::dom::Selection::Clear(nsPresContext*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1321:5
#4 0x7f9c984acc32 in mozilla::dom::Selection::RemoveAllRangesInternal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2129:3
#5 0x7f9c9c2d5ac9 in nsFrameSelection::ClearNormalSelection() /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:2325:14
#6 0x7f9c9c2d83b8 in nsFrameSelection::SetAncestorLimiter(nsIContent*) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:3217:7
#7 0x7f9c984b617e in mozilla::dom::Selection::SetAncestorLimiter(nsIContent*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1982:21
#8 0x7f9c9be9c872 in mozilla::EditorBase::FinalizeSelection() /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:5493:18
#9 0x7f9c98594c56 in nsFocusManager::ContentRemoved(mozilla::dom::Document*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:923:23
#10 0x7f9c9a09a599 in mozilla::EventStateManager::ContentRemoved(mozilla::dom::Document*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5939:9
#11 0x7f9c9c161397 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4548:38
#12 0x7f9c984537ca in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188:19
#13 0x7f9c984537ca in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:91:7
#14 0x7f9c984537ca in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:3
#15 0x7f9c985e6371 in nsINode::RemoveChildNode(nsIContent*, bool) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2227:5
#16 0x7f9c985e89ef in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2756:5
#17 0x7f9c9a4566ab in ReplaceChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2132:12
#18 0x7f9c9a4566ab in nsGenericHTMLElement::SetOuterText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:3183:11
#19 0x7f9c99976c43 in mozilla::dom::HTMLElement_Binding::set_outerText(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:487:24
#20 0x7f9c99a945ee in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3275:8
#21 0x7f9c9e22e024 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#22 0x7f9c9e22d93d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#23 0x7f9c9e22edfd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#24 0x7f9c9e2301a4 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:810:10
#25 0x7f9c9e4a759f in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2588:8
#26 0x7f9c9e4a6535 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2622:14
#27 0x7f9c9e23fbe7 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1881:10
#28 0x7f9c9e23fbe7 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3141:12
#29 0x7f9c9e22ce92 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#30 0x7f9c9e22d959 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#31 0x7f9c9e22edfd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#32 0x7f9c9e31f184 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#33 0x7f9c9976b7eb in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#34 0x7f9c9a115ce9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#35 0x7f9c9a114db9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#36 0x7f9c9a0f2f4d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1257:22
#37 0x7f9c9a0f39fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1453:21
#38 0x7f9c9a0e8150 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:412:5
#39 0x7f9c9a0e8150 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:342:17
#40 0x7f9c9a0e769a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:559:18
#41 0x7f9c9a0e9f35 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1152:11
#42 0x7f9c9c1dd0a3 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1083:7
#43 0x7f9c9d7e7782 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6412:20
#44 0x7f9c9d7e6ca3 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5805:7
#45 0x7f9c9d7e8856 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#46 0x7f9c97744c89 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1378:3
#47 0x7f9c97744212 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:976:14
#48 0x7f9c977423cb in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#49 0x7f9c97743664 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#50 0x7f9c9d81e95f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13901:23
#51 0x7f9c9696c19f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#52 0x7f9c9696d6c0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#53 0x7f9c98360e0c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11719:18
#54 0x7f9c981e8aba in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:201:54
#55 0x7f9c981e8c17 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/AsyncEventDispatcher.h:201:39
#56 0x7f9c96737107 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:66:1
#57 0x7f9c9672cb2e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#58 0x7f9c9672cb2e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
#59 0x7f9c9672cb2e in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:73:7
#60 0x7f9c9672cb2e in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:188:5
#61 0x7f9c9672cb2e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:560:15
#62 0x7f9c96724693 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
#63 0x7f9c96722ee7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
#64 0x7f9c96723345 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
#65 0x7f9c96730836 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#66 0x7f9c96730836 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#67 0x7f9c9674705a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#68 0x7f9c9674df4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#69 0x7f9c973f7b05 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#70 0x7f9c97311c91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#71 0x7f9c97311c91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#72 0x7f9c9bd72908 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#73 0x7f9c9dfecdcb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#74 0x7f9c973f89e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#75 0x7f9c97311c91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#76 0x7f9c97311c91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#77 0x7f9c9dfec61c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#78 0x564039cba986 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#79 0x564039cba986 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#80 0x7f9cabe29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#81 0x7f9cabe29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#82 0x564039c91c28 in _start (/home/user/workspace/browsers/m-c-20230815091726-fuzzing-debug/firefox-bin+0x58c28) (BuildId: ccc1ae61ea8ea7ebae34f48a549e55f6965f792a)
Comment 1 • 1 year ago
Verified bug as reproducible on mozilla-central 20230815091726-0f010e753b74.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 7fd0b1b3fc981e3028c91df299ce29a2d834179e (20220817091029)
End: 0f010e753b74a51ee002d8d5d857c18f71ba2599 (20230815091726)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)
Comment 2 • 1 year ago
Dup. of bug 1414893?
Comment 3 • 1 year ago
The severity field is not set for this bug.
:farre, could you have a look please?
For more information, please visit BugBot documentation.
Comment 4 • 1 year ago
Masayuki, this does indeed look like Bug 1414893, which you couldn't reproduce (see Bug 1414893 comment 3). Does this help?
Comment 5 (Assignee) • 1 year ago
Thank you! I'll try to be back late this week or next week.