Open Bug 1945267 Opened 4 months ago Updated 2 months ago

Assertion failure: aPoint.IsInComposedDoc(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:235

Categories

(Core :: DOM: Editor, defect)


Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- wontfix
firefox136 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20241213-3a912704bc24 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aPoint.IsInComposedDoc(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:235

#0 0x764778b10d38 in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundaryFrom<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) const /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.cpp:235:3
#1 0x7647789be4d1 in mozilla::WSScanResult mozilla::WSRunScanner::ScanInclusiveNextVisibleNodeOrBlockBoundary<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::WSRunScanner::Scan, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::BlockInlineCheck, mozilla::dom::Element const*) /builds/worker/checkouts/gecko/editor/libeditor/WSRunScanner.h:395:10
#2 0x764778a27798 in mozilla::Maybe<mozilla::EditorLineBreakBase<nsCOMPtr<nsIContent>>> mozilla::HTMLEditUtils::GetFollowingUnnecessaryLineBreak<mozilla::EditorLineBreakBase<nsCOMPtr<nsIContent>>, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:1206:7
#3 0x7647789bb6e1 in mozilla::HTMLEditor::EnsureNoFollowingUnnecessaryLineBreak(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4533:7
#4 0x764778a77bea in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&)::$_4::operator()(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5413:29
#5 0x764778a62159 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5527:11
#6 0x764778a6bde7 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:707:15
#7 0x764778a5788c in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4155:16
#8 0x764778a4ef70 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1917:47
#9 0x764778a4e53b in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1260:61
#10 0x76477897546c in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4738:9
#11 0x76477896f3b2 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4701:8
#12 0x764778990cf8 in mozilla::DeleteCommand::DoCommandParam(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:626:29
#13 0x764774d4cacc in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5619:37
#14 0x764775e78ea9 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4165:36
#15 0x76477614346d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#16 0x3d234c3834fb  ([anon:js-executable-memory]+0x334fb)

Flags: in-testsuite?
Severity: -- → S3

Verified bug as reproducible on mozilla-central 20250202210625-fc959685b9d9.
The bug appears to have been introduced in the following build range:

Start: 855890e2cd16cf21ac6f740b83aa69ab2519b1b9 (20241213012346)
End: 3a912704bc24872e037fe3102cd5483ba5105993 (20241213025822)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=855890e2cd16cf21ac6f740b83aa69ab2519b1b9&tochange=3a912704bc24872e037fe3102cd5483ba5105993

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

This detects a bug for better handling. However, this depends on the legacy mutation event, and this won't cause any stability or security issues. Therefore, we don't need to fix this immediately.

Severity: S3 → S4
OS: Unspecified → All
Regressed by: 1923251
Hardware: Unspecified → All

(FYI: I'll take a look at the assertion failures after fixing bug 1940377.)

Testcase crashes using the initial build (mozilla-central 20241213094257-3a912704bc24) but not with tip (mozilla-central 20250329091943-242368641aa1).

The bug appears to have been fixed in the following build range:

Start: 9d547b90a4073f5906b1220472f69fbc2fdff928 (20250305042859)
End: b00d78bcd328cf80893a4725b8664db65d8fdf10 (20250304235021)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9d547b90a4073f5906b1220472f69fbc2fdff928&tochange=b00d78bcd328cf80893a4725b8664db65d8fdf10

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

Mutation event listeners haven't been disabled in release builds. So, it's just suppressed in nightly builds.

Flags: needinfo?(twsmith)