Closed Bug 1617278 Opened 5 years ago Closed 5 years ago

Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && ... at src/dom/base/nsRange.cpp:854

Categories: Core :: DOM: Selection, defect, P2

Status: RESOLVED DUPLICATE of bug 1460740

Tracking Status:
firefox74 --- affected
firefox75 --- affected

People: Reporter: tsmith, Assigned: saschanaz

References: Blocks 1 open bug

Keywords: assertion, testcase

Attachments: 1 file

Attached file testcase.html

Assertion failure: !aRootNode || aNotInsertedYet || (aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aEndBoundary.Container()->IsInclusiveDescendantOf(aRootNode) && aRootNode == RangeUtils::ComputeRootNode(aStartBoundary.Container()) && aRootNode == RangeUtils::ComputeRootNode(aEndBoundary.Container())) (Wrong root), at src/dom/base/nsRange.cpp:854

#0 void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*, bool) src/dom/base/nsRange.cpp:843:3
#1 nsRange::CloneRange() const src/dom/base/nsRange.cpp:2204:10
#2 nsHTMLCopyEncoder::SetSelection(mozilla::dom::Selection*) src/dom/base/nsDocumentEncoder.cpp:1387:38
#3 EncodeForTextUnicode(nsIDocumentEncoder&, mozilla::dom::Document&, mozilla::dom::Selection*, unsigned int, bool&, nsTAutoStringN<char16_t, 64ul>&) src/dom/base/nsCopySupport.cpp:104:17
#4 EncodeDocumentWithContext(mozilla::dom::Document&, mozilla::dom::Selection*, unsigned int, EncodedDocumentWithContext&) src/dom/base/nsCopySupport.cpp:206:17
#5 nsCopySupport::EncodeDocumentWithContextAndPutToClipboard(mozilla::dom::Selection*, mozilla::dom::Document*, short, bool) src/dom/base/nsCopySupport.cpp:347:17
#6 mozilla::AutoCopyListener::OnSelectionChange(mozilla::dom::Document*, mozilla::dom::Selection&, short) src/layout/generic/nsFrameSelection.cpp:2908:7
#7 mozilla::dom::Selection::NotifySelectionListeners() src/dom/base/Selection.cpp:3067:5
#8 nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType) src/layout/generic/nsFrameSelection.cpp:1981:23
#9 mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) src/dom/base/Selection.cpp:2573:25
#10 mozilla::dom::Selection::Extend(nsINode*, int) src/dom/base/Selection.cpp:2274:3
#11 nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, nsFrameSelection::FocusMode) src/layout/generic/nsFrameSelection.cpp
#12 nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:815:14
#13 mozilla::dom::Selection::Modify(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3235:24
#14 mozilla::dom::Selection_Binding::modify(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/SelectionBinding.cpp:1100:24
#15 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3170:13
#16 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:477:13
#17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:569:12
#18 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:632:10
#19 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3049:16
#20 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:449:10
#21 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:604:13
#22 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:632:10
#23 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:649:8
#24 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2797:10
#25 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#26 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#27 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1073:43
#28 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1271:17
#29 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#30 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#31 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1055:11
#32 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#33 nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1269:17
#34 nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:4077:28
#35 nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:4047:10
#36 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7249:3
#37 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1212:13
#38 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#39 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:481:10
#40 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#41 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#42 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#43 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#44 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:272:30
#45 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4566:22
#46 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4701:8
#47 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4752:21
#48 do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:217:22
#49 main src/browser/app/nsBrowserApp.cpp:331:16
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/Om-NksilK-dSJLlnbi3vDQ/index.html

aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) evaluates to false.

We're asserting the selection is in a subtree rooted at the details element, but the selection is in the anonymous text node that says "Details" that is part of the presentation of a details element, and walking the parent chain up from that text node doesn't reach the details element node.

I have no experience with selection code in general or in the context of anonymous content in particular. smaug, who should take a look at the Pernosco trace before it expires considering that Mirko isn't available until the trace expires?

Flags: needinfo?(bugs)

Blame suggests needinfoing masayuki, too.

Flags: needinfo?(masayuki)

(I left the above observations in the Pernosco notebook, too.)
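
The failing clause described in the comments above can be reproduced on a toy tree. The following is an added example, not Gecko code and not part of the bug report: Node, RootCheck, CheckRangeRoot and the constructed nodes are hypothetical, and ComputeRootNode is simplified to "topmost ancestor" as an assumption.

```cpp
// Toy model of the root check asserted in nsRange::DoSetRange (added example,
// not Gecko code). Node, RootCheck and CheckRangeRoot are hypothetical names.
#include <cstdio>

struct Node {
  const char* name;
  Node* parent;  // nullptr at the top of a tree
};

// True if `node` is `ancestor` or has it somewhere on its parent chain.
static bool IsInclusiveDescendantOf(const Node* node, const Node* ancestor) {
  for (const Node* n = node; n; n = n->parent) {
    if (n == ancestor) return true;
  }
  return false;
}

// Assumption: the root is simply the topmost ancestor. Gecko's own
// RangeUtils::ComputeRootNode is not shown on the page.
static const Node* ComputeRootNode(const Node* node) {
  while (node && node->parent) node = node->parent;
  return node;
}

enum class RootCheck { Ok, StartNotUnderRoot, EndNotUnderRoot, StartRootMismatch, EndRootMismatch };

// Evaluates the assertion's clauses in order and reports the first that fails.
static RootCheck CheckRangeRoot(const Node* root, bool notInsertedYet,
                                const Node* start, const Node* end) {
  if (!root || notInsertedYet) return RootCheck::Ok;
  if (!IsInclusiveDescendantOf(start, root)) return RootCheck::StartNotUnderRoot;
  if (!IsInclusiveDescendantOf(end, root)) return RootCheck::EndNotUnderRoot;
  if (root != ComputeRootNode(start)) return RootCheck::StartRootMismatch;
  if (root != ComputeRootNode(end)) return RootCheck::EndRootMismatch;
  return RootCheck::Ok;
}

// Constructed trees: a <details> root with one child, plus a text node whose
// parent chain never reaches <details>, as the comment above describes.
static Node gDetails{"details", nullptr};
static Node gContent{"p", &gDetails};
static Node gAnonParent{"anonymous-summary", nullptr};
static Node gAnonText{"#text \"Details\"", &gAnonParent};

int main() {
  std::printf("in-tree range: %d\n", static_cast<int>(CheckRangeRoot(&gDetails, false, &gContent, &gContent)));
  std::printf("anonymous start: %d\n", static_cast<int>(CheckRangeRoot(&gDetails, false, &gAnonText, &gContent)));
  return 0;
}
```

With the start container set to the constructed anonymous text node, the first clause is the one that fails, matching the observation that aStartBoundary.Container()->IsInclusiveDescendantOf(aRootNode) evaluates to false.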

Hmm, I don't have much time to investigate it deeper today, but I think that this is a bug in Selection, because the Selection API shouldn't move the selection into anonymous nodes in theory, since web apps shouldn't be able to access anonymous nodes.

It appears that nsIFrame::PeekOffset does not reject the anonymous text node as non-selectable.

Well, this is really similar to what I found when I worked on bug 1511563.
https://phabricator.services.mozilla.com/D14847

Flags: needinfo?(masayuki)

It's hard to tell what the practical implications of violating this assertion are; prioritizing as P2.

Priority: -- → P2

Hi Masayuki, can you give this a further look? We now also have bug 1669342 and had bug 1460740 as similar/identical intermittents.

Flags: needinfo?(bugs) → needinfo?(masayuki)

Well, this is what I tried to fix in another bug (I forgot the bug number). Our Selection API may set a range boundary in a native anonymous node. We should fix it everywhere, but it's hard to understand what does it in nsFrameSelection::MoveCaret() and nsFrameSelection::PeekOffsetForCaretMove(). So, if I took this, I would need some days to fix it. Kagami may know about this because they worked on caret movement in bidi text.

Kagami, do you know how to prevent nsIFrame::PeekOffset() from returning a point in an anonymous node, such as the "Details" text of a <details> element, for nsFrameSelection::PeekOffsetForCaretMove()?

Flags: needinfo?(masayuki) → needinfo?(krosylight)

When I was working on the similar bug, the bug was that the caret was moved into a text node in a <select> element by nsFrameSelection::MoveCaret().

I haven't seen any logic to exclude anonymous nodes in peek offset functions, but I'll take a look.

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)
See Also: → 1460740

Let's say this is fixed in bug 1460740.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE