Open
Bug 1983670
Opened 2 months ago
Updated 1 month ago
Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1197
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox142 | --- | wontfix |
| firefox143 | --- | wontfix |
| firefox144 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
270 bytes,
text/html
|
Details |
Found while fuzzing 20250713-23185ed855a5 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1197
#0 0x77fad5260365 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x77fad5260365 in mozilla::ContentSubtreeIterator::InitWithRange() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1196:3
#2 0x77fad5260811 in mozilla::ContentSubtreeIterator::InitWithAllowCrossShadowBoundary(mozilla::dom::AbstractRange*) /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1020:10
#3 0x77fad54e9166 in operator() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:366:35
#4 0x77fad54e9166 in OrInsertWith<(lambda at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:323:56)> /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:739:23
#5 0x77fad54e9166 in operator()<nsBaseHashtable<nsPtrHashKey<const mozilla::dom::Selection>, nsTBaseHashSet<nsPtrHashKey<const nsINode> >, nsTBaseHashSet<nsPtrHashKey<const nsINode> >, nsDefaultConverter<nsTBaseHashSet<nsPtrHashKey<const nsINode> >, nsTBaseHashSet<nsPtrHashKey<const nsINode> > > >::EntryHandle> /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:436:26
#6 0x77fad54e9166 in operator()<nsTHashtable<nsBaseHashtableET<nsPtrHashKey<const mozilla::dom::Selection>, nsTBaseHashSet<nsPtrHashKey<const nsINode> > > >::EntryHandle> /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:849:18
#7 0x77fad54e9166 in operator()<PLDHashTable::EntryHandle> /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:439:18
#8 0x77fad54e9166 in WithEntryHandle<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:438:9)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:605:12
#9 0x77fad54e9166 in WithEntryHandle<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:848:15)> /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:436:25
#10 0x77fad54e9166 in WithEntryHandle<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:435:34)> /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:847:18
#11 0x77fad54e9166 in LookupOrInsertWith<(lambda at /builds/worker/checkouts/gecko/dom/base/Selection.cpp:323:56)> /builds/worker/checkouts/gecko/xpcom/ds/nsBaseHashtable.h:435:12
#12 0x77fad54e9166 in mozilla::dom::SelectionNodeCache::MaybeCollect(mozilla::dom::Selection const*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:323:25
#13 0x77fad54e8e13 in MaybeCollectNodesAndCheckIfFullySelected /builds/worker/checkouts/gecko/dom/base/Selection.h:108:12
#14 0x77fad54e8e13 in mozilla::dom::SelectionNodeCache::MaybeCollectNodesAndCheckIfFullySelectedInAnyOf(nsINode const*, nsTArray<mozilla::dom::Selection*> const&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:313:9
#15 0x77fad5632711 in nsINode::IsSelected(unsigned int, unsigned int, mozilla::dom::SelectionNodeCache*) const /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:429:25
#16 0x77fad956ed62 in nsTextFrame::IsFrameSelected() const /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7638:23
#17 0x77fad971b71a in IsSelected /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4049:64
#18 0x77fad971b71a in mozilla::nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7728:10
#19 0x77fad49a44e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1860:41
#20 0x77fad49a2c89 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2154:7
#21 0x77fad970deb5 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4648:30
#22 0x77fad970deb5 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:5044:12
#23 0x77fad970deb5 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5313:22
#24 0x77fad970ffc3 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:5545:12
#25 0x77fad49a44e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1860:41
#26 0x77fad49a2c89 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2154:7
#27 0x77fad49a0f2a in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1781:5
#28 0x77fad49b6cf7 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:386:30
#29 0x77fad96fd25b in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2298:18
#30 0x77fad93976f4 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3249:9
#31 0x77fad931583d in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6894:5
#32 0x77fad8e7fe1a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:399:18
#33 0x77fad8e7f8ee in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:334:22
#34 0x77fad8e809cc in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:784:5
#35 0x77fad92d47fd in nsRefreshDriver::PaintIfNeeded() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2640:9
#36 0x77fad92d4107 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2560:60
#37 0x77fad92d4107 in void nsRefreshDriver::RunRenderingPhaseLegacy<nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13>(mozilla::RenderingPhase, nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick)::$_13&&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1289:3
#38 0x77fad92cef52 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2558:3
#39 0x77fad92d8771 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:371:13
#40 0x77fad92d8771 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:349:7
#41 0x77fad92d8670 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:365:5
#42 0x77fad92d851d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:955:5
#43 0x77fad92d7aba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:865:5
#44 0x77fad92d6fb6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:596:14
#45 0x77fad86b3ffb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#46 0x77fad89344fd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#47 0x77fad40cb102 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
#48 0x77fad406b23e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#49 0x77fad40687c0 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#50 0x77fad40691c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#51 0x77fad406a1a9 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#52 0x77fad3495877 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#53 0x77fad348e97e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1310:20
#54 0x77fad348d6b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1133:15
#55 0x77fad348db35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#56 0x77fad349c919 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#57 0x77fad349c919 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#58 0x77fad34ae4b3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#59 0x77fad34b4bdf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#60 0x77fad4070993 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#61 0x77fad3fcafc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:367:3
#62 0x77fad3fcafc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:349:3
#63 0x77fad8ee4428 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#64 0x77fad8fb08f4 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#65 0x77fad9edb9cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:657:20
#66 0x77fad4071884 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#67 0x77fad3fcafc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:367:3
#68 0x77fad3fcafc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:349:3
#69 0x77fad9edacc5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:595:34
#70 0x6314ed43bd0f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
|
||
Comment 1•2 months ago
|
||
Verified bug as reproducible on mozilla-central 20250818213914-658cb05d36b5.
The bug appears to have been introduced in the following build range:
Start: 6dbc7b5217213f8fdae8212f46b881aa4b0eb3c6 (20250711024624)
End: 2fae5e8435bb7aacd36b752009048cb51f306c4a (20250711042814)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6dbc7b5217213f8fdae8212f46b881aa4b0eb3c6&tochange=2fae5e8435bb7aacd36b752009048cb51f306c4a
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•2 months ago
|
status-firefox142:
--- → affected
status-firefox143:
--- → affected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → unaffected
Flags: needinfo?(smaug)
Flags: needinfo?(sean)
Regressed by: 1975990
|
||
Updated•2 months ago
|
|
|
||
Updated•1 month ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•