Open Bug 1918825 Opened 9 months ago Updated 8 months ago

Assertion failure: !mIsPositioned (unexpected disconnected nodes), at /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:504

Categories

(Core :: DOM: Selection, defect)

Tracking Status
firefox132 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco)

Found while fuzzing m-c 20240730-c756f74154bf (--enable-debug --enable-fuzzing)

I don't have a reduced test case but I do have a Pernosco session: https://pernos.co/debug/Y2RQQqGidYFCCisgxIt_0g/index.html

Assertion failure: !mIsPositioned (unexpected disconnected nodes), at /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:504

#0 0x7ff2b0b719a0 in mozilla::dom::AbstractRange::UpdateCommonAncestorIfNecessary() /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:504:7
#1 0x7ff2b0c0b8e3 in void nsRange::DoSetRange<nsINode*, nsIContent*, nsINode*, nsIContent*>(mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsINode*, bool, mozilla::dom::RangeBehaviour) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1076:5
#2 0x7ff2b0c1137a in nsRange::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:737:5
#3 0x7ff2b0dd65c2 in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188:19
#4 0x7ff2b0dd65c2 in ForEachAncestorObserver<(lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:60:11
#5 0x7ff2b0dd65c2 in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:94:19
#6 0x7ff2b0dd65c2 in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187:3
#7 0x7ff2b0f6e060 in nsINode::RemoveChildNode(nsIContent*, bool) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2328:5
#8 0x7ff2b0f70063 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2698:18
#9 0x7ff2b1339241 in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:2241:12
#10 0x7ff2b1339241 in AppendChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2248:12
#11 0x7ff2b1339241 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:950:60
#12 0x7ff2b1f16a07 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#13 0x7ff2b558d874 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:518:13
#14 0x7ff2b558d05f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:12
#15 0x7ff2b559c629 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:10
#16 0x7ff2b559c629 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3495:16
#17 0x7ff2b558c7a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#18 0x7ff2b558d158 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:644:13
#19 0x7ff2b558e65f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711:8
#20 0x7ff2b5690a67 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#21 0x7ff2b1c854d8 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#22 0x7ff2b27b6a49 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#23 0x7ff2b27b5b2e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#24 0x7ff2b278f71d in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1345:22
#25 0x7ff2b2790824 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1662:12
#26 0x7ff2b2790099 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1559:35
#27 0x7ff2b278404f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#28 0x7ff2b27836c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#29 0x7ff2b2785faf in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#30 0x7ff2b27891f3 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#31 0x7ff2b0f66f6c in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1468:17
#32 0x7ff2b0a4c09c in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4819:29
#33 0x7ff2b0a4bf02 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4785:10
#34 0x7ff2b2a1f707 in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:6363:10
#35 0x7ff2aee76017 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#36 0x7ff2aee6ba86 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#37 0x7ff2aee6a497 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#38 0x7ff2aee6a915 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#39 0x7ff2aee79986 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#40 0x7ff2aee79986 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#41 0x7ff2aee8d0ab in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#42 0x7ff2aee93d8f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#43 0x7ff2af9fc365 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#44 0x7ff2af94fbc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#45 0x7ff2af94fbc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#46 0x7ff2b4472c68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#47 0x7ff2b4520438 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#48 0x7ff2b53e1f0b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#49 0x7ff2af9fd1b6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#50 0x7ff2af94fbc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#51 0x7ff2af94fbc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#52 0x7ff2b53e179b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#53 0x5581700fb08e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
#54 0x7ff2c2985d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#55 0x7ff2c2985e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#56 0x5581700d0dc8 in _start (/home/twsmith/workspace/browsers/m-c-20240912092307-fuzzing-debug/firefox-bin+0x54dc8) (BuildId: cea502a873bddd0cf2ec2c3f6b42b8179a4f99d6)
Severity: -- → S3