Open Bug 1951153 Opened 3 months ago Updated 2 months ago

Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:7115

Categories

(Core :: DOM: Editor, defect)


Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox136 --- wontfix
firefox137 --- wontfix
firefox138 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20250226-ab543854c3d8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:7115

#0 0x7b6dab50b102 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7b6dab50b102 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:7115:7
#2 0x7b6dab58ffe3 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&)::$_0::operator()() const /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:267:35
#3 0x7b6dab58eb0a in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:218:28
#4 0x7b6dab4f2b9f in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:6551:9
#5 0x7b6dab503782 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&)::$_2::operator()() const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5347:16
#6 0x7b6dab4ee60d in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5311:7
#7 0x7b6dab4f8537 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:707:15
#8 0x7b6dab4e3a6c in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4182:16
#9 0x7b6dab4db290 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1929:47
#10 0x7b6dab4da85a in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1260:61
#11 0x7b6dab4004e4 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4764:9
#12 0x7b6dab4a6e46 in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:6289:9
#13 0x7b6dab4a5fc1 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2202:19
#14 0x7b6dab4c3f5c in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1249:13
#15 0x7b6da790bf4c in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5635:37
#16 0x7b6da89e9ea0 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4164:36
#17 0x7b6da8cc297d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
#18 0x7b6dac422a14 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
#19 0x7b6dac42226f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:12
#20 0x7b6dacf4d1d2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#21 0x23c259775f7e  ([anon:js-executable-memory]+0x1bf7e)
Flags: in-testsuite?
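As an added example (not part of this bug, and not Grizzly, fuzzfetch or Gecko tooling), a small Python parser that turns a pasted debug-build assertion report like the one above into structured frames, derives a short dedup signature, and checks that the "at file:line" of the assertion agrees with the first frame that is not crash machinery. The sample text is a trimmed copy of the trace in this bug (frames 0-2 and the final unsymbolized frame); the checkout prefix it strips is an assumption about the CI worker layout.

```python
"""Triage helper for Firefox 'Assertion failure:' reports pasted into bugs.
Added example; not part of this bug or of Mozilla's tooling."""
import re
from dataclasses import dataclass
from typing import List, Optional

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<loc>\S+:\d+)$")
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+:\d+(?::\d+)?)$")
UNSYM_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+\((?P<where>[^)]*)\)$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")
SRC_ROOT = "/builds/worker/checkouts/gecko/"  # assumed CI checkout prefix
CRASH_MACHINERY = ("MOZ_CrashSequence", "MOZ_Crash", "abort")

# Constructed sample: a trimmed copy of the trace in this bug report.
SAMPLE = """\
Assertion failure: movedContentRange.StartRef().EqualsOrIsBefore(pointToInsert), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:7115

#0 0x7b6dab50b102 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7b6dab50b102 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:7115:7
#2 0x7b6dab58ffe3 in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&)::$_0::operator()() const /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:267:35
#21 0x23c259775f7e  ([anon:js-executable-memory]+0x1bf7e)
"""


@dataclass
class Frame:
    index: int
    function: Optional[str]  # None for frames without symbols (JIT code)
    file: Optional[str]
    line: Optional[int]


@dataclass
class Report:
    condition: str
    file: str
    line: int
    frames: List[Frame]


def _split_loc(loc: str):
    m = LOC_RE.match(loc)
    return m.group("file"), int(m.group("line"))


def parse_report(text: str) -> Report:
    """Collect the assertion line and every '#N addr in func file:line' frame."""
    condition = afile = None
    aline = 0
    frames: List[Frame] = []
    for raw in text.splitlines():
        s = raw.strip()
        if (m := ASSERT_RE.match(s)):
            condition = m.group("cond")
            afile, aline = _split_loc(m.group("loc"))
        elif (m := FRAME_RE.match(s)):
            f, ln = _split_loc(m.group("loc"))
            frames.append(Frame(int(m.group("idx")), m.group("func"), f, ln))
        elif (m := UNSYM_RE.match(s)):
            frames.append(Frame(int(m.group("idx")), None, None, None))
    if condition is None:
        raise ValueError("no 'Assertion failure:' line found")
    return Report(condition, afile, aline, frames)


def in_tree_path(path: str) -> str:
    """Strip the checkout prefix so the same crash from different workers compares equal."""
    return path[len(SRC_ROOT):] if path.startswith(SRC_ROOT) else path


def culprit_frame(report: Report) -> Optional[Frame]:
    """First symbolized frame that is not the assertion/crash machinery."""
    for fr in report.frames:
        if fr.function is None:
            continue
        if any(fr.function.startswith(p) for p in CRASH_MACHINERY):
            continue
        if fr.file and fr.file.endswith("mozilla/Assertions.h"):
            continue
        return fr
    return None


def signature(report: Report) -> str:
    """Dedup key: in-tree file:line plus the function name before its parameter list
    (names such as operator() keep only the part before the first '(')."""
    fr = culprit_frame(report)
    func = fr.function.split("(")[0]
    return f"{in_tree_path(fr.file)}:{fr.line} {func}"


def assertion_matches_frame(report: Report) -> bool:
    """Sanity check on a pasted report: the assertion's file:line should be the culprit frame's."""
    fr = culprit_frame(report)
    return fr is not None and fr.file == report.file and fr.line == report.line


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(signature(rep), assertion_matches_frame(rep))
```

The `culprit_frame` rule skips `MOZ_CrashSequence` and anything in `Assertions.h`, which is why the signature lands on `AutoMoveOneLineHandler::Run` at line 7115 rather than on the crash helper; the consistency check flags reports where the stack and the assertion line were pasted from different runs.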

Verified bug as reproducible on mozilla-central 20250228171535-c8dfbf5b0342.
The bug appears to have been introduced in the following build range:

Start: abc92a41910764a2dc98aea04074bc746fa2c194 (20250112090142)
End: 44910f21eb087422dbc3e28ac1e819797bc45f0b (20250112092746)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=abc92a41910764a2dc98aea04074bc746fa2c194&tochange=44910f21eb087422dbc3e28ac1e819797bc45f0b

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #1)
> Verified bug as reproducible on mozilla-central 20250228171535-c8dfbf5b0342.
> The bug appears to have been introduced in the following build range:
>
> Start: abc92a41910764a2dc98aea04074bc746fa2c194 (20250112090142)
> End: 44910f21eb087422dbc3e28ac1e819797bc45f0b (20250112092746)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=abc92a41910764a2dc98aea04074bc746fa2c194&tochange=44910f21eb087422dbc3e28ac1e819797bc45f0b

Hmm, this range does not make sense...

Although this detects a bug in an edge case, it will cause an invalid range to be created for the further handling. Therefore, this should be fixed.

Severity: -- → S3
OS: Unspecified → All
Hardware: Unspecified → All

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:valentin and :sotaro, since you are the authors of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(sotaro.ikeda.g)

Doesn't seem related to Bug 1941128.

Flags: needinfo?(valentin.gosu)

It does not seem to be related to Bug 1929465. Bug 1929465 affects only WebGPU with DMABuf enabled. Its config is not used with current CI tests.

Flags: needinfo?(sotaro.ikeda.g)

:jkratzer is it possible the bisection is incorrect?

Flags: needinfo?(jkratzer)

I just re-ran the bisection and came up with a different range.

:masayuki, could this have been introduced via bug 1923251?

Flags: needinfo?(jkratzer) → needinfo?(masayuki)

The range is reasonable, although I'm not sure yet whether it is bug 1923251 or bug 1925635.

Flags: needinfo?(masayuki)

Testcase crashes using the initial build (mozilla-central 20250226090206-ab543854c3d8) but not with tip (mozilla-central 20250411214234-3a992acd30fc).

The bug appears to have been fixed in the following build range:

Start: e70c7d40b6829d29cb279d159c1f468f8f89d78a (20250319070758)
End: 1209c2a794ce1508f211b8f02bd2d5b5c60afa83 (20250319095450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e70c7d40b6829d29cb279d159c1f468f8f89d78a&tochange=1209c2a794ce1508f211b8f02bd2d5b5c60afa83

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

:masayuki can we close this as fixed in 138?

Flags: needinfo?(masayuki)

No, we need to wait for shipping the new normalizer in all channels.

Flags: needinfo?(masayuki)