Content process crashes in mozilla::TextComposition::GetSelectionStartOffset()

RESOLVED FIXED in Firefox 50

Status: RESOLVED FIXED
Product: Core
Component: Event Handling
Reported / last modified: 2 years ago
Reporter: cyu
Assignee: masayuki
Keywords: inputmethod, regression
Version: Trunk
Target Milestone: mozilla50
Hardware: All
OS: Linux
Points: ---
Firefox Tracking Flags: firefox50 fixed


Attachments: 1 attachment

Description (Reporter, 2 years ago)
Content process crashes when I enter some specific key combinations in iBus Chewing input method in one input field. The key combination is "Shift + p", which outputs "÷".

Crash stack:
#0  mozilla::TextComposition::GetSelectionStartOffset (this=this@entry=0x7f57fc71f8f0) at /mnt/SSD/data/hg/mozilla-central/dom/events/TextComposition.cpp:444
#1  0x00007f58250764d6 in mozilla::TextComposition::OnCompositionEventDispatched (this=this@entry=0x7f57fc71f8f0, aCompositionEvent=aCompositionEvent@entry=0x7ffe26159b20) at /mnt/SSD/data/hg/mozilla-central/dom/events/TextComposition.cpp:503
#2  0x00007f5825076621 in mozilla::TextComposition::DispatchEvent (this=this@entry=0x7f57fc71f8f0, aDispatchEvent=aDispatchEvent@entry=0x7ffe26159b20, aStatus=<optimized out>, aCallBack=aCallBack@entry=0x7ffe26159760, aOriginalEvent=aOriginalEvent@entry=0x0) at /mnt/SSD/data/hg/mozilla-central/dom/events/TextComposition.cpp:157
#3  0x00007f5825076df3 in mozilla::TextComposition::DispatchCompositionEvent (this=this@entry=0x7f57fc71f8f0, aCompositionEvent=aCompositionEvent@entry=0x7ffe26159b20, aStatus=aStatus@entry=0x7ffe26159a34, aCallBack=aCallBack@entry=0x7ffe26159760, aIsSynthesized=aIsSynthesized@entry=false) at /mnt/SSD/data/hg/mozilla-central/dom/events/TextComposition.cpp:384
#4  0x00007f58250684db in mozilla::IMEStateManager::DispatchCompositionEvent (aEventTargetNode=<optimized out>, aPresContext=0x7f57ff5a5800, aCompositionEvent=0x7ffe26159b20, aStatus=aStatus@entry=0x7ffe26159a34, aCallBack=aCallBack@entry=0x7ffe26159760, aIsSynthesized=aIsSynthesized@entry=false) at /mnt/SSD/data/hg/mozilla-central/dom/events/IMEStateManager.cpp:1214
#5  0x00007f5825a6e6e3 in PresShell::DispatchEventToDOM (this=this@entry=0x7f58006c2000, aEvent=aEvent@entry=0x7ffe26159b20, aStatus=aStatus@entry=0x7ffe26159a34, aEventCB=aEventCB@entry=0x7ffe26159760) at /mnt/SSD/data/hg/mozilla-central/layout/base/nsPresShell.cpp:8616
#6  0x00007f5825a8f0aa in PresShell::HandleEventInternal (this=this@entry=0x7f58006c2000, aEvent=aEvent@entry=0x7ffe26159b20, aStatus=aStatus@entry=0x7ffe26159a34, aIsHandlingNativeEvent=aIsHandlingNativeEvent@entry=true) at /mnt/SSD/data/hg/mozilla-central/layout/base/nsPresShell.cpp:8498
#7  0x00007f5825a90750 in PresShell::HandleEvent (this=0x7f58006c2000, aFrame=<optimized out>, aEvent=<optimized out>, aDontRetargetEvents=<optimized out>, aEventStatus=0x7ffe26159a34, aTargetContent=0x0) at /mnt/SSD/data/hg/mozilla-central/layout/base/nsPresShell.cpp:8207
#8  0x00007f582577f524 in nsViewManager::DispatchEvent (this=this@entry=0x7f57ff529240, aEvent=aEvent@entry=0x7ffe26159b20, aView=aView@entry=0x7f57fc8eda00, aStatus=aStatus@entry=0x7ffe26159a34) at /mnt/SSD/data/hg/mozilla-central/view/nsViewManager.cpp:814
#9  0x00007f582577c9c3 in nsView::HandleEvent (this=<optimized out>, aEvent=0x7ffe26159b20, aUseAttachedEvents=<optimized out>) at /mnt/SSD/data/hg/mozilla-central/view/nsView.cpp:1121
#10 0x00007f582579ec54 in mozilla::widget::PuppetWidget::DispatchEvent (this=0x7f5802f3a000, event=0x7ffe26159b20, aStatus=@0x7ffe26159af4: nsEventStatus_eIgnore) at /mnt/SSD/data/hg/mozilla-central/widget/PuppetWidget.cpp:350
#11 0x00007f58242c644e in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent (aEvent=...) at /mnt/SSD/data/hg/mozilla-central/gfx/layers/apz/util/APZCCallbackHelper.cpp:469
#12 0x00007f582559bc9a in mozilla::dom::TabChild::RecvCompositionEvent (this=0x7f5802f39000, event=...) at /mnt/SSD/data/hg/mozilla-central/dom/ipc/TabChild.cpp:2197
#13 0x00007f5823dcce82 in mozilla::dom::PBrowserChild::OnMessageReceived (this=0x7f5802f39060, msg__=...) at /home/cervantes/hg/firefox-nightly/ipc/ipdl/PBrowserChild.cpp:4315
#14 0x00007f5823e82f1c in mozilla::dom::PContentChild::OnMessageReceived (this=0x7f581739a030, msg__=...) at /home/cervantes/hg/firefox-nightly/ipc/ipdl/PContentChild.cpp:7373
#15 0x00007f58239cbe84 in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=this@entry=0x7f581739a098, aMsg=...) at /mnt/SSD/data/hg/mozilla-central/ipc/glue/MessageChannel.cpp:1658
#16 0x00007f58239d6a14 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (this=this@entry=0x7f581739a098, aMsg=aMsg@entry=<unknown type in /home/cervantes/hg/firefox-nightly/dist/bin/libxul.so, CU 0x2a32340, DIE 0x2b15b94>) at /mnt/SSD/data/hg/mozilla-central/ipc/glue/MessageChannel.cpp:1596
#17 0x00007f58239d8bdb in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=0x7f581739a098) at /mnt/SSD/data/hg/mozilla-central/ipc/glue/MessageChannel.cpp:1563
#18 0x00007f58239d96bf in nsRunnableMethodArguments<>::applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)(), mozilla::Tuple<>&, mozilla::IndexSequence<>) (args=..., m=<optimized out>, o=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/nsThreadUtils.h:722
#19 nsRunnableMethodArguments<>::apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)()) (m=<optimized out>, o=<optimized out>, this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/nsThreadUtils.h:729
#20 nsRunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run (this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/nsThreadUtils.h:756
#21 0x00007f58239d9417 in mozilla::ipc::MessageChannel::RefCountedTask::Run (this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/mozilla/ipc/MessageChannel.h:476
#22 mozilla::ipc::MessageChannel::DequeueTask::Run (this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/mozilla/ipc/MessageChannel.h:495
#23 0x00007f58234f85f4 in nsThread::ProcessNextEvent (this=0x7f581731e120, aMayWait=<optimized out>, aResult=0x7ffe2615a4c7) at /mnt/SSD/data/hg/mozilla-central/xpcom/threads/nsThread.cpp:1067
#24 0x00007f58235213ea in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=<optimized out>) at /mnt/SSD/data/hg/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290
#25 0x00007f58239c565a in mozilla::ipc::MessagePump::Run (this=0x7f58173756a0, aDelegate=0x7ffe2615a6a0) at /mnt/SSD/data/hg/mozilla-central/ipc/glue/MessagePump.cpp:100
#26 0x00007f582397a72d in MessageLoop::RunInternal (this=<optimized out>) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:235
#27 MessageLoop::RunHandler (this=<optimized out>) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:228
#28 MessageLoop::Run (this=<optimized out>) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#29 0x00007f58257a6d18 in nsBaseAppShell::Run (this=0x7f58099e6b00) at /mnt/SSD/data/hg/mozilla-central/widget/nsBaseAppShell.cpp:156
#30 0x00007f5826195757 in XRE_RunAppShell () at /mnt/SSD/data/hg/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:834
#31 0x00007f582397a72d in MessageLoop::RunInternal (this=0x7ffe2615a6a0) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:235
#32 MessageLoop::RunHandler (this=0x7ffe2615a6a0) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:228
#33 MessageLoop::Run (this=this@entry=0x7ffe2615a6a0) at /mnt/SSD/data/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#34 0x00007f5826195d37 in XRE_InitChildProcess (aArgc=3, aArgc@entry=5, aArgv=aArgv@entry=0x7ffe2615ba48, aChildData=aChildData@entry=0x7ffe2615b920) at /mnt/SSD/data/hg/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:664
#35 0x0000000000408c47 in content_process_main (argc=5, argv=0x7ffe2615ba48) at /mnt/SSD/data/hg/mozilla-central/ipc/app/../contentproc/plugin-container.cpp:224
#36 0x00007f58219f8830 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#37 0x0000000000408409 in _start ()

The contents of mozilla::TextComposition::mRanges (there are 2 elements in it):
(rr) rc
Continuing.

Thread 1 hit Breakpoint 3, mozilla::TextRangeArray::GetFirstClause (this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/mozilla/TextRange.h:303
303           if (range.IsClause() && !range.mStartOffset) {
(rr) p range
$16 = (const mozilla::TextRange &) @0x7f57fc7462ac: {
  mStartOffset = 1, 
  mEndOffset = 1, 
  mRangeStyle = {
    mDefinedStyles = 0 '\000', 
    mLineStyle = 0 '\000', 
    mIsBoldLine = false, 
    mForegroundColor = 0, 
    mBackgroundColor = 0, 
    mUnderlineColor = 0
  }, 
  mRangeType = mozilla::TextRangeType::eCaret
}
(rr) rc
Continuing.

Thread 1 hit Breakpoint 3, mozilla::TextRangeArray::GetFirstClause (this=<optimized out>) at /home/cervantes/hg/firefox-nightly/dist/include/mozilla/TextRange.h:303
303           if (range.IsClause() && !range.mStartOffset) {
(rr) p range
$17 = (const mozilla::TextRange &) @0x7f57fc746290: {
  mStartOffset = 1, 
  mEndOffset = 1, 
  mRangeStyle = {
    mDefinedStyles = 5 '\005', 
    mLineStyle = 0 '\000', 
    mIsBoldLine = false, 
    mForegroundColor = 0, 
    mBackgroundColor = 4278190335, 
    mUnderlineColor = 0
  }, 
  mRangeType = mozilla::TextRangeType::eConvertedClause
}

We can see that the element for which mozilla::TextRange::IsClause() returns true has mStartOffset == 1, so mozilla::TextRangeArray::GetFirstClause() returns nullptr and the expression
mRanges->GetFirstClause()->mRangeType at TextComposition.cpp:444 crashes.
Comment 1 (Reporter, 2 years ago)
Entering this combination in the URL bar crashes the browser chrome.

Comment 2 (2 years ago)
Is this a regression? If so, what regressed this? Just wondering if we need to fix something on branches.
Should be a regression of bug 1275914.

But I'm not sure what the best way to fix this is. The range list is too odd for TextComposition. So, I guess that we should add a hack to widget/gtk/IMContextWrapper.cpp
Assignee: nobody → masayuki
Blocks: 1275914
Status: NEW → ASSIGNED
Keywords: inputmethod, regression
OS: Unspecified → Linux
Hardware: Unspecified → All
Created attachment 8766155 [details]
Bug 1282043 IMContextWrapper shouldn't append 0 length clause to TextRangeArray and if IME doesn't specify clause at beginning of the composition, it should insert dummy clause

Here is the patched build's log:

[Main Thread]: I/nsGtkIMModuleWidgets GTKIM: 7fab5a60a2c0 CreateTextRangeArray(aContext=7fab5a7bbbf0, aCompositionString="÷" (Length()=1))
[Main Thread]: W/nsGtkIMModuleWidgets GTKIM: 7fab5a60a2c0   SetTextRange(), FAILED, due to no attr, aTextRange= { mStartOffset=0, mEndOffset=1 }
[Main Thread]: W/nsGtkIMModuleWidgets GTKIM: 7fab5a60a2c0   SetTextRange(), FAILED, due to current clause length is 0
[Main Thread]: E/nsGtkIMModuleWidgets GTKIM: 7fab5a60a2c0   SetTextRange(), FAILED, due to g_utf8_to_utf16() failure (retrieving current clause)
[Main Thread]: W/nsGtkIMModuleWidgets GTKIM: 7fab5a60a2c0   CreateTextRangeArray(), inserting a dummy clause at the beginning of the composition string mStartOffset=0, mEndOffset=1, mRangeType=TextRangeType::eRawClause

iBus Chewing IME has two clauses when the user presses Shift+p: one doesn't have a pango_attr, the other is empty. These clauses are not useful in Gecko. Additionally, TextRangeArray assumes that there is a clause at the beginning of the composition when there is one or more clauses. Therefore, this patch tries to insert a dummy clause at the beginning of the composition in such a case.

Review commit: https://reviewboard.mozilla.org/r/61162/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/61162/
Attachment #8766155 - Flags: review?(m_kato)
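The crash in the description and the fix in the attachment comment above both come down to one invariant: TextRangeArray::GetFirstClause() only returns a clause that starts at offset 0, and TextComposition dereferences that result without a null check. The following is an added, self-contained C++ model written for this page; it is not Gecko's code. The type and field names (TextRange, mStartOffset, mEndOffset, mRangeType, IsClause, GetFirstClause) follow the rr dump, while ImeClause, CreateTextRangeArray's input shape, and the rule "insert the dummy whenever the IME reported clauses but none usable starts at 0" are assumptions made for the example. It reproduces the iBus Chewing "Shift + p" array that crashed, shows that a checked lookup fails on it, and then applies the two rules from the patch description (skip attribute-less and zero-length clauses, insert a dummy eRawClause at the start) to produce an array on which the lookup succeeds.

```cpp
#include <cstdint>
#include <vector>

// Constructed model of Gecko's TextRange / TextRangeArray (assumption: names
// follow the rr dump in the description; this is not Gecko's own code).
enum class TextRangeType : uint8_t {
  eUninitialized,
  eCaret,
  eRawClause,
  eConvertedClause,
};

struct TextRange {
  uint32_t mStartOffset = 0;
  uint32_t mEndOffset = 0;
  TextRangeType mRangeType = TextRangeType::eUninitialized;

  bool IsClause() const {
    return mRangeType == TextRangeType::eRawClause ||
           mRangeType == TextRangeType::eConvertedClause;
  }
};

struct TextRangeArray {
  std::vector<TextRange> mRanges;

  // Same predicate as the line the rr session stopped on (TextRange.h:303):
  // the "first clause" must start at offset 0, otherwise nullptr is returned.
  const TextRange* GetFirstClause() const {
    for (const TextRange& range : mRanges) {
      if (range.IsClause() && !range.mStartOffset) {
        return &range;
      }
    }
    return nullptr;
  }
};

// Hypothetical shape of what the IM context receives from the IME for one
// clause before it becomes a TextRange (example-only type).
struct ImeClause {
  uint32_t start;
  uint32_t end;
  bool hasAttr;  // false models "SetTextRange(), FAILED, due to no attr"
  TextRangeType type;
};

// TextComposition.cpp:444 dereferences GetFirstClause() unconditionally. This
// checked variant returns false instead of crashing so the failure can be
// observed on the exact array from the description.
bool FirstClauseType(const TextRangeArray& aRanges, TextRangeType* aOut) {
  const TextRange* first = aRanges.GetFirstClause();
  if (!first) {
    return false;
  }
  *aOut = first->mRangeType;
  return true;
}

// The two-element mRanges the reporter dumped: an empty converted clause at
// offset 1 plus the caret. No clause starts at 0, so GetFirstClause() is null.
TextRangeArray CrashingRangesFromDescription() {
  TextRangeArray arr;
  arr.mRanges.push_back({1, 1, TextRangeType::eConvertedClause});
  arr.mRanges.push_back({1, 1, TextRangeType::eCaret});
  return arr;
}

// Model of the IMContextWrapper change described in the attachment comment:
// skip clauses without attributes and zero-length clauses, and if no surviving
// clause starts at offset 0, insert a dummy eRawClause at the beginning of the
// composition string. The caret range is appended last.
TextRangeArray CreateTextRangeArray(uint32_t aCompositionLength,
                                    uint32_t aCaretOffset,
                                    const std::vector<ImeClause>& aImeClauses) {
  TextRangeArray result;
  for (const ImeClause& clause : aImeClauses) {
    if (!clause.hasAttr || clause.end <= clause.start) {
      continue;  // "no attr" or "current clause length is 0"
    }
    result.mRanges.push_back({clause.start, clause.end, clause.type});
  }

  // Assumption: a dummy is needed whenever the IME reported clauses but none
  // of the usable ones covers offset 0; it spans up to the first real clause.
  if (!aImeClauses.empty() && !result.GetFirstClause()) {
    uint32_t dummyEnd = aCompositionLength;
    for (const TextRange& range : result.mRanges) {
      if (range.mStartOffset < dummyEnd) {
        dummyEnd = range.mStartOffset;
      }
    }
    TextRange dummy{0, dummyEnd, TextRangeType::eRawClause};
    result.mRanges.insert(result.mRanges.begin(), dummy);
  }

  result.mRanges.push_back({aCaretOffset, aCaretOffset, TextRangeType::eCaret});
  return result;
}

// Constructed input matching the patched build's log for "Shift + p": the
// composition "÷" (length 1), one clause without attributes, one empty clause.
TextRangeArray ChewingShiftPRanges() {
  std::vector<ImeClause> ime = {
      {0, 1, false, TextRangeType::eConvertedClause},
      {1, 1, true, TextRangeType::eConvertedClause},
  };
  return CreateTextRangeArray(1, 1, ime);
}
```

Running ChewingShiftPRanges() yields the array the log describes: a dummy eRawClause with mStartOffset=0, mEndOffset=1 followed by the caret, so the lookup at the crash site now finds a clause. The caller's null dereference remains the root weakness; the patch fixes the producer, and a defensive consumer would still check GetFirstClause() before using it.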
Comment on attachment 8766155 [details]
Bug 1282043 IMContextWrapper shouldn't append 0 length clause to TextRangeArray and if IME doesn't specify clause at beginning of the composition, it should insert dummy clause

https://reviewboard.mozilla.org/r/61162/#review58122
Attachment #8766155 - Flags: review?(m_kato) → review+

Comment 7 (2 years ago)
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/5126bee4abb9
IMContextWrapper shouldn't append 0 length clause to TextRangeArray and if IME doesn't specify clause at beginning of the composition, it should insert dummy clause r=m_kato

Comment 8 (2 years ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/5126bee4abb9
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50