Closed
Bug 1863759
Opened 7 months ago
Closed 7 months ago
Assertion failure: !mIsTextControl, at /dom/events/IMEContentObserver.cpp:270
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
VERIFIED
FIXED
122 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox119 | --- | wontfix |
| firefox120 | --- | wontfix |
| firefox121 | --- | wontfix |
| firefox122 | --- | verified |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 5d6699b34edc (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5d6699b34edc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mIsTextControl, at /dom/events/IMEContentObserver.cpp:270
==3972403==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9424a0ec7e bp 0x7ffd6f0e4580 sp 0x7ffd6f0e4540 T3972403)
==3972403==The signal is caused by a WRITE memory access.
==3972403==Hint: address points to the zero page.
#0 0x7f9424a0ec7e in mozilla::IMEContentObserver::InitWithEditor(nsPresContext&, mozilla::dom::Element*, mozilla::EditorBase&) /dom/events/IMEContentObserver.cpp:270:5
#1 0x7f9424a0e574 in mozilla::IMEContentObserver::Init(nsIWidget&, nsPresContext&, mozilla::dom::Element*, mozilla::EditorBase&) /dom/events/IMEContentObserver.cpp:154:8
#2 0x7f9424a106cd in mozilla::IMEContentObserver::MaybeReinitialize(nsIWidget&, nsPresContext&, mozilla::dom::Element*, mozilla::EditorBase&) /dom/events/IMEContentObserver.cpp:457:5
#3 0x7f9424a1ff5e in mozilla::IMEStateManager::UpdateIMEState(mozilla::widget::IMEState const&, mozilla::dom::Element*, mozilla::EditorBase&, mozilla::EnumSet<mozilla::IMEStateManager::UpdateIMEStateOption, unsigned int> const&) /dom/events/IMEStateManager.cpp:1242:27
#4 0x7f94267dc010 in mozilla::EditorBase::PostCreateInternal() /editor/libeditor/EditorBase.cpp:446:5
#5 0x7f9426882367 in mozilla::HTMLEditor::PostCreate() /editor/libeditor/HTMLEditor.cpp:470:17
#6 0x7f94269b896d in nsEditingSession::SetupEditorOnWindow(nsPIDOMWindowOuter&) /editor/composer/nsEditingSession.cpp:436:22
#7 0x7f94269b7256 in nsEditingSession::MakeWindowEditable(mozIDOMWindowProxy*, char const*, bool, bool, bool) /editor/composer/nsEditingSession.cpp:166:10
#8 0x7f9422d8647d in mozilla::dom::Document::EditingStateChanged() /dom/base/Document.cpp:6166:25
#9 0x7f9422d91291 in mozilla::dom::Document::DeferredContentEditableCountChange(mozilla::dom::Element*) /dom/base/Document.cpp:6328:17
#10 0x7f9422e42120 in mozilla::dom::DeferredContentEditableCountChangeEvent::Run() /dom/base/Document.cpp:6266:12
#11 0x7f9422b60804 in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:5994:17
#12 0x7f9422d9ec75 in mozilla::dom::Document::EndUpdate() /dom/base/Document.cpp:7959:3
#13 0x7f9422dfc6cf in ~mozAutoDocUpdate /dom/base/mozAutoDocUpdate.h:34:18
#14 0x7f9422dfc6cf in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /dom/base/Element.cpp:2530:1
#15 0x7f9422dfc18f in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:963:12
#16 0x7f9422dfc18f in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /dom/base/Element.cpp:1523:14
#17 0x7f94240c95fa in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:1772:24
#18 0x7f942438f618 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
#19 0x7f9428b55734 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
#20 0x7f9428b5504d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
#21 0x7f9428b65618 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
#22 0x7f9428b65618 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
#23 0x7f9428b545a2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
#24 0x7f9428b55069 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
#25 0x7f9428b5650d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
#26 0x7f9428c3d2e4 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
#27 0x7f94240a59ec in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#28 0x7f9424a016c6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#29 0x7f9424a01282 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1342:43
#30 0x7f9424a023c4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1663:12
#31 0x7f9424a01c39 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1560:35
#32 0x7f94249f522f in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#33 0x7f94249f522f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
#34 0x7f94249f47ab in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:611:18
#35 0x7f94249f71e6 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1232:11
#36 0x7f94249fa576 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#37 0x7f9423040409 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1401:17
#38 0x7f9422b554dc in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4635:29
#39 0x7f9422b55342 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4601:10
#40 0x7f9422d9f555 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8044:3
#41 0x7f9422e525a9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#42 0x7f9422e525a9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#43 0x7f9422e525a9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#44 0x7f9422e525a9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#45 0x7f9422e525a9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#46 0x7f9422e525a9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#47 0x7f9422e525a9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#48 0x7f9421196bc7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
#49 0x7f942118e793 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
#50 0x7f942118cfd7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
#51 0x7f942118d435 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
#52 0x7f942119a8d6 in operator() /xpcom/threads/TaskController.cpp:211:37
#53 0x7f942119a8d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#54 0x7f94211b1432 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
#55 0x7f94211b851d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#56 0x7f9421e74845 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#57 0x7f9421d8e831 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#58 0x7f9421d8e831 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#59 0x7f94266cad18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#60 0x7f942891682b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
#61 0x7f9421e75726 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#62 0x7f9421d8e831 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#63 0x7f9421d8e831 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#64 0x7f9428916092 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
#65 0x5638577ce276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x5638577ce276 in main /browser/app/nsBrowserApp.cpp:375:18
#67 0x7f9435525d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#68 0x7f9435525e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#69 0x5638577a3fa8 in _start (/home/jkratzer/builds/m-c-20231107214948-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: e85916198980a98c4e9f8fdbf0edfb81a869e8a7)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/events/IMEContentObserver.cpp:270:5 in mozilla::IMEContentObserver::InitWithEditor(nsPresContext&, mozilla::dom::Element*, mozilla::EditorBase&)
==3972403==ABORTING
|
Reporter | |
Comment 1•7 months ago
|
||
|
||
Comment 2•7 months ago
|
||
Verified bug as reproducible on mozilla-central 20231107214948-5d6699b34edc.
The bug appears to have been introduced in the following build range:
Start: d44458b9c71f8290cf9c3c4344097d738a674a44 (20230823042133)
End: 8c77943ef9dd7363e800c8bae780d2501e640bac (20230823020304)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d44458b9c71f8290cf9c3c4344097d738a674a44&tochange=8c77943ef9dd7363e800c8bae780d2501e640bac
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•7 months ago
|
||
Set release status flags based on info from the regressing bug 1849286
:masayuki, since you are the author of the regressor, bug 1849286, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox119:
--- → affected
status-firefox120:
--- → affected
status-firefox121:
--- → affected
status-firefox-esr115:
--- → unaffected
Flags: needinfo?(masayuki)
|
Assignee | |
Updated•7 months ago
|
Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Component: DOM: Core & HTML → DOM: UI Events & Focus Handling
Flags: needinfo?(masayuki)
|
||
Updated•7 months ago
|
|
|
Assignee | |
Comment 4•7 months ago
|
||
The test case is a special case that change focused element from a text control
to an editing host. Therefore, without a focus change, focused editor is
changed from a TextEditor to HTMLEditor.
I guess that in this case, we need to kick focus event listener of the
HTMLEditor, but anyway, users cannot change the content because it's the
case that an atomic content is the editing host. Therefore, I don't touch
about that in this patch.
|
|
||
Comment 5•7 months ago
|
||
Set release status flags based on info from the regressing bug 1849286
status-firefox122:
--- → affected
|
||
Updated•7 months ago
|
|
||
Updated•7 months ago
|
Attachment #9362944 -
Attachment description: Bug 1863759 - Make `IMEStateManager` recreate `IMEContentObserver` if the active one was initialized for different type of editor r=smaug!,m_kato!,#dom-core → Bug 1863759 - Make `IMEStateManager` recreate `IMEContentObserver` if the active one is not observing editable content of focused element r=smaug!,m_kato!,#dom-core
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/39486bb8305a Make `IMEStateManager` recreate `IMEContentObserver` if the active one is not observing editable content of focused element r=smaug,m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43509 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 8•7 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 10•7 months ago
|
||
Verified bug as fixed on rev mozilla-central 20231205090844-775ade8b04da.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•