Bug 1760160 Comment 0 Edit History


Found while fuzzing m-c 20220314-b3eceffcdc4e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```

This test case uses `window.printPreview()` to trigger the issue, which requires an `--enable-fuzzing` build.

Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724
```
#0 0x7ff82516a2f4 in mozilla::ContentCacheInParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&, nsIWidget*) const /gecko/widget/ContentCache.cpp:724:7
#1 0x7ff8245287d0 in mozilla::dom::BrowserParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&) /gecko/dom/ipc/BrowserParent.cpp:3054:7
#2 0x7ff822716f4b in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /gecko/dom/events/EventStateManager.cpp:1029:32
#3 0x7ff82271569b in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:617:5
#4 0x7ff82580502d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8163:39
#5 0x7ff8257fefb1 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8132:17
#6 0x7ff8257ff75b in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /gecko/layout/base/PresShell.cpp:7861:7
#7 0x7ff8257fcbf6 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6878:12
#8 0x7ff8257fb7a9 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6796:23
#9 0x7ff82513046d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:685:18
#10 0x7ff8251300a5 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1129:9
#11 0x7ff82529f44a in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/gtk/nsWindow.cpp:513:25
#12 0x7ff8251ddd9b in mozilla::widget::TextEventDispatcher::DispatchEvent(nsIWidget*, mozilla::WidgetGUIEvent&, nsEventStatus&) /gecko/widget/TextEventDispatcher.cpp:263:25
#13 0x7ff8251dd780 in mozilla::widget::TextEventDispatcher::MaybeQueryWritingModeAtSelection() const /gecko/widget/TextEventDispatcher.cpp:246:43
#14 0x7ff8251dee3b in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/TextEventDispatcher.cpp:416:22
#15 0x7ff825152c2f in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/nsBaseWidget.cpp:1701:43
#16 0x7ff8227e3bf4 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /gecko/dom/events/IMEStateManager.cpp:1834:22
#17 0x7ff8245215f0 in mozilla::dom::BrowserParent::RecvNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&, std::function<void (mozilla::widget::IMENotificationRequests const&)>&&) /gecko/dom/ipc/BrowserParent.cpp:2357:3
#18 0x7ff8246b8f22 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:3436:57
#19 0x7ff824782108 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6989:32
#20 0x7ff81e5a4a89 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1674:25
#21 0x7ff81e5a25a2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1599:9
#22 0x7ff81e5a3b59 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1496:14
#23 0x7ff81cebcea2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
#24 0x7ff81ce813cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:770:26
#25 0x7ff81ce7e928 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:606:15
#26 0x7ff81ce7f039 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
#27 0x7ff81cec5844 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
#28 0x7ff81cec5844 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#29 0x7ff81cea2167 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1173:16
#30 0x7ff81cead6dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#31 0x7ff81e5abce4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
#32 0x7ff81e429091 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#33 0x7ff81e429091 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#34 0x7ff81e429091 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#35 0x7ff82522b617 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#36 0x7ff829e7f797 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#37 0x7ff82a0afaf4 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5739:22
#38 0x7ff82a0b1659 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5924:8
#39 0x7ff82a0b2393 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5983:21
#40 0x5639d3893e71 in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
#41 0x5639d3893e71 in main /gecko/browser/app/nsBrowserApp.cpp:395:16
#42 0x7ff8419e40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#43 0x5639d37e2569 in _start (/home/worker/builds/m-c-20220314154526-fuzzing-asan-opt/firefox+0x5e569)
```
Found while fuzzing m-c 20220314-b3eceffcdc4e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```

This test case uses `window.printPreview()` to trigger the issue, which requires an `--enable-fuzzing` build.

Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724

Note that the assertion fires in the parent process while handling `BrowserParent::RecvNotifyIMEFocus` (frame #17 below), i.e. while acting on a `ContentCache` that arrived over IPC from the content process. Because a compromised content process controls that message, it is worth confirming what `ContentCacheInParent::HandleQueryContentEvent` does with an absent `mText` in any build configuration where this assertion is not compiled in, rather than treating this purely as a debug-only assertion.
```
#0 0x7ff82516a2f4 in mozilla::ContentCacheInParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&, nsIWidget*) const /gecko/widget/ContentCache.cpp:724:7
#1 0x7ff8245287d0 in mozilla::dom::BrowserParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&) /gecko/dom/ipc/BrowserParent.cpp:3054:7
#2 0x7ff822716f4b in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /gecko/dom/events/EventStateManager.cpp:1029:32
#3 0x7ff82271569b in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:617:5
#4 0x7ff82580502d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8163:39
#5 0x7ff8257fefb1 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8132:17
#6 0x7ff8257ff75b in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /gecko/layout/base/PresShell.cpp:7861:7
#7 0x7ff8257fcbf6 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6878:12
#8 0x7ff8257fb7a9 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6796:23
#9 0x7ff82513046d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:685:18
#10 0x7ff8251300a5 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1129:9
#11 0x7ff82529f44a in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/gtk/nsWindow.cpp:513:25
#12 0x7ff8251ddd9b in mozilla::widget::TextEventDispatcher::DispatchEvent(nsIWidget*, mozilla::WidgetGUIEvent&, nsEventStatus&) /gecko/widget/TextEventDispatcher.cpp:263:25
#13 0x7ff8251dd780 in mozilla::widget::TextEventDispatcher::MaybeQueryWritingModeAtSelection() const /gecko/widget/TextEventDispatcher.cpp:246:43
#14 0x7ff8251dee3b in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/TextEventDispatcher.cpp:416:22
#15 0x7ff825152c2f in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/nsBaseWidget.cpp:1701:43
#16 0x7ff8227e3bf4 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /gecko/dom/events/IMEStateManager.cpp:1834:22
#17 0x7ff8245215f0 in mozilla::dom::BrowserParent::RecvNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&, std::function<void (mozilla::widget::IMENotificationRequests const&)>&&) /gecko/dom/ipc/BrowserParent.cpp:2357:3
#18 0x7ff8246b8f22 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:3436:57
#19 0x7ff824782108 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6989:32
#20 0x7ff81e5a4a89 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1674:25
#21 0x7ff81e5a25a2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1599:9
#22 0x7ff81e5a3b59 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1496:14
#23 0x7ff81cebcea2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
#24 0x7ff81ce813cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:770:26
#25 0x7ff81ce7e928 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:606:15
#26 0x7ff81ce7f039 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
#27 0x7ff81cec5844 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
#28 0x7ff81cec5844 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#29 0x7ff81cea2167 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1173:16
#30 0x7ff81cead6dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#31 0x7ff81e5abce4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
#32 0x7ff81e429091 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#33 0x7ff81e429091 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#34 0x7ff81e429091 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#35 0x7ff82522b617 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#36 0x7ff829e7f797 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#37 0x7ff82a0afaf4 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5739:22
#38 0x7ff82a0b1659 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5924:8
#39 0x7ff82a0b2393 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5983:21
#40 0x5639d3893e71 in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
#41 0x5639d3893e71 in main /gecko/browser/app/nsBrowserApp.cpp:395:16
#42 0x7ff8419e40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#43 0x5639d37e2569 in _start (/home/worker/builds/m-c-20220314154526-fuzzing-asan-opt/firefox+0x5e569)
```
