Adding letters to textarea inside shadow dom crashes tab on linux, digits crash on Android

RESOLVED FIXED in Firefox 59

Status

()

defect
P2
critical
RESOLVED FIXED
2 years ago
4 months ago

People

(Reporter: anaran, Assigned: jessica)

Tracking

Trunk
mozilla59
Unspecified
All
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox59 fixed)

Details

Attachments

(4 attachments, 1 obsolete attachment)

Just type a key, or copy text, into the textarea at
https://anaran.github.io/import/
and notice how the tab crashes on linux.

(Trying this in nightly fennec (Firefox for Android) does not crash, but exposes another proplem affecting both textarea and input elements inside custom elements: Characters are duplicated, digits are inserted in reverse order.)
Severity: normal → critical
Could you possibly upload a minimal testcase?
Hi Olli, I thought this was a pretty small testcase.

It currently serves 3 open bugs.

To review and reproduce testcase locally, use this:

git clone https://github.com/anaran/import.git
git checkout gh-pages
python -m SimpleHTTPServer

Visit http://localhost:8000/
Priority: -- → P2
Minimal testcase is really something which is attached to a bug. That helps with storing them for the future testing too.
Test case produced from commit-id 3342355 in cloned repo using
git archive -o import-3342355.tar.gz 3342355 .

Extracts files into current directory with
tar -xvzf import-3342355.tar.gz

Run with
python -m SimpleHTTPServer
and visit
http://localhost:8000/
OS: Unspecified → All
Summary: Adding content to textarea inside customElement crashes tab on linux → Adding letters to textarea inside customElement crashes tab on linux, digits crash on Android
Just noticed in further testing that entering digits or punctuation from the builtin Android virtual keyboard crash the tab on that platform. Letters do not crash the tab on Android.

Don't know how the specify affected OSs Linux and Android, so I have changed OS from Unspecified to All for now.
I tried to reproduce the issue with the steps of comment #4 and comment #0 on both Linux and Mac, but I didn't see the textarea and crash. I tested on revision da90245d47b1 with the "dom.webcomponents.enabled" and "dom.webcomponents.customelements.enabled" enabled. What revision you meet this crash? Could this still be reproduced on recent nightly? And I am not sure why I didn't see the textarea. Maybe I missed something?
Flags: needinfo?(adrian.aichner)
(In reply to Edgar Chen [:edgar] from comment #6)
> I tried to reproduce the issue with the steps of comment #4 and comment #0
> on both Linux and Mac, but I didn't see the textarea and crash. I tested on
> revision da90245d47b1 with the "dom.webcomponents.enabled" and
> "dom.webcomponents.customelements.enabled" enabled. What revision you meet
> this crash? Could this still be reproduced on recent nightly? And I am not
> sure why I didn't see the textarea. Maybe I missed something?


Do you get any messages in Web Console or Browser Console?

I can still reproduce the issue loading https://anaran.github.io/import/
Flags: needinfo?(adrian.aichner)
Got it!

You also need:
pref set dom.moduleScripts.enabled true

Please do go ahead with this while I might still work on a more minimal testcase.
(In reply to Adrian Aichner [:anaran] from comment #8)
> You also need:
> pref set dom.moduleScripts.enabled true

I can see the textarea and the crash now. Thank you.
Assertion failure: !Failed(), at /Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/include/mozilla/ErrorResult.h:485
#01: mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::AssertReportedOrSuppressed()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x13d311e]
#02: mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x13d3082]
#03: mozilla::ErrorResult::~ErrorResult()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x13d3055]
#04: mozilla::ErrorResult::~ErrorResult()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x13b2cc5]
#05: mozilla::TextEditRules::WillInsertText(EditAction, mozilla::dom::Selection*, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5480d77]
#06: mozilla::TextEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x547f8a7]
#07: mozilla::TextEditor::InsertText(nsTSubstring<char16_t> const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5489091]
#08: mozilla::TextEditor::TypedText(nsTSubstring<char16_t> const&, mozilla::TextEditor::ETypingAction)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5487eb2]
#09: mozilla::TextEditor::HandleKeyPressEvent(mozilla::WidgetKeyboardEvent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5487dfc]
#10: mozilla::EditorEventListener::KeyPress(mozilla::WidgetKeyboardEvent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x53b4e0e]
#11: mozilla::EditorEventListener::HandleEvent(nsIDOMEvent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x53b3c98]
#12: mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3eb3a2e]
#13: mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3eb4794]
#14: mozilla::EventListenerManager::HandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ee216d]
#15: mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3eaa540]
[Parent 44718, Main Thread] WARNING: '!IsSelectionValid()', file /Volumes/workspace/mercurial/mozilla-central/widget/ContentCache.cpp, line 696
[Parent 44718, Main Thread] WARNING: '!aEvent.mSucceeded', file /Volumes/workspace/mercurial/mozilla-central/dom/ipc/TabParent.cpp, line 2282
#16: mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ea9f3a]
[Parent 44718, Main Thread] WARNING: '!IsSelectionValid()', file /Volumes/workspace/mercurial/mozilla-central/widget/ContentCache.cpp, line 696
[Parent 44718, Main Thread] WARNING: '!aEvent.mSucceeded', file /Volumes/workspace/mercurial/mozilla-central/dom/ipc/TabParent.cpp, line 2282
#17: mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3eaa1ae]
#18: mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3eabad9]
#19: mozilla::PresShell::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x578780c]
#20: mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x57857a7]
#21: mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5784b11]
#22: nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x520bbd5]
#23: nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x520b8ac]
#24: mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x524874f]
#25: mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x219d60c]
#26: mozilla::dom::TabChild::DispatchWidgetEventViaAPZ(mozilla::WidgetGUIEvent&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4cfbf85]
#27: mozilla::dom::TabChild::RecvRealKeyEvent(mozilla::WidgetKeyboardEvent const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4cfdb3a]
#28: non-virtual thunk to mozilla::dom::TabChild::RecvRealKeyEvent(mozilla::WidgetKeyboardEvent const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4cfdd0c]
#29: mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x135ccc1]
#30: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x14de367]
#31: mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4c9ff57]
#32: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xcdb213]
#33: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xcd985b]
#34: mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xcda283]
#35: mozilla::ipc::MessageChannel::MessageTask::Run()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xcda9d8]
#36: mozilla::SchedulerGroup::Runnable::Run()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1badd2]
#37: nsThread::ProcessNextEvent(bool, bool*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ec470]
#38: NS_ProcessPendingEvents(nsIThread*, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x20cbec]
#39: nsBaseAppShell::NativeEventCallback()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x527069e]
#40: nsAppShell::ProcessGeckoEvents(void*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x530e6e1]
#41: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0xa7321]
#42: __CFRunLoopDoSources0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x8821d]
#43: __CFRunLoopRun[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x87716]
#44: CFRunLoopRunSpecific[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x87114]
#45: RunCurrentEventLoopInMode[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x30ebc]
#46: ReceiveNextEventCommon[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x30cf1]
#47: _BlockUntilNextEventMatchingListInModeWithFilter[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x30b26]
#48: _DPSNextEvent[/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x46a54]
#49: -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x7c27ee]
#50: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x530d0d4]
#51: -[NSApplication run][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x3b3db]
#52: nsAppShell::Run()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x530f307]
#53: XRE_RunAppShell()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x879f960]
#54: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xce0111]
#55: MessageLoop::RunInternal()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xbb5b85]
#56: MessageLoop::RunHandler()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xbb5ae5]
#57: MessageLoop::Run()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xbb5a8d]
#58: XRE_InitChildProcess(int, char**, XREChildData const*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x879ef95]
#59: mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x87ac667]
#60: content_process_main(mozilla::Bootstrap*, int, char**)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container +0x141c]
#61: main[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container +0x14d5]
The assertion in comment #10 is because the ErrorResult in https://searchfox.org/mozilla-central/rev/9f3bd430c2b132c86c46126a0548661de876799a/editor/libeditor/TextEditRules.cpp#788 doesn't be reported or suppressed. We should suppress the error or use IgnoredErrorResult.

But after fixing ErrorResult, I got another assertion,

Assertion failure: uint32_t(startOffset) <= startContainer->Length() && uint32_t(endOffset) <= endContainer->Length(), at /Volumes/workspace/mercurial/mozilla-central/dom/base/nsContentIterator.cpp:1370
#01: nsContentSubtreeIterator::InitWithRange()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x29016c8]
#02: nsContentSubtreeIterator::Init(nsIDOMRange*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x290142f]
#03: mozilla::dom::Selection::SelectFrames(nsPresContext*, nsRange*, bool)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28a0e0e]
#04: mozilla::dom::Selection::Clear(nsPresContext*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28a09cf]
#05: mozilla::dom::Selection::RemoveAllRanges(mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28a4713]
#06: mozilla::dom::Selection::RemoveAllRangesTemporarily()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28a4a04]
#07: nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4176ff5]
#08: nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4116aac]
#09: mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4115de4]
#10: mozilla::dom::HTMLTextAreaElement::Reset()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4116f52]
#11: mozilla::dom::HTMLTextAreaElement::ContentChanged(nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4119022]
#12: mozilla::dom::HTMLTextAreaElement::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x41191b9]
#13: non-virtual thunk to mozilla::dom::HTMLTextAreaElement::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4119207]
#14: nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a5c130]
#15: nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a12c69]
#16: mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2836788]
#17: nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a0e579]
#18: mozilla::DeleteNodeTransaction::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x538ac27]
#19: mozilla::EditAggregateTransaction::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x538c630]
#20: mozilla::DeleteRangeTransaction::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x538b9a7]
#21: mozilla::EditAggregateTransaction::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x538c630]
#22: nsTransactionItem::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a4401]
#23: nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a6188]
#24: nsTransactionManager::DoTransaction(nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a5ebf]
#25: mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5392b40]
#26: mozilla::EditorBase::DoTransaction(nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x537fb64]
#27: mozilla::EditorBase::DeleteSelectionImpl(short, short)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x53a6086]
#28: mozilla::TextEditor::DeleteSelection(short, short)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5488dd4]
#29: mozilla::TextEditor::SetText(nsTSubstring<char16_t> const&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5489edf]
#30: nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x417702b]
#31: nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4116aac]
#32: mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, unsigned int)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4115de4]
#33: mozilla::dom::HTMLTextAreaElement::Reset()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4116f52]
#34: mozilla::dom::HTMLTextAreaElement::ContentChanged(nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4119022]
#35: mozilla::dom::HTMLTextAreaElement::ContentAppended(nsIDocument*, nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x41190b5]
#36: non-virtual thunk to mozilla::dom::HTMLTextAreaElement::ContentAppended(nsIDocument*, nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x41190ff]
#37: nsNodeUtils::ContentAppended(nsIContent*, nsIContent*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a5ba97]
#38: nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a118a2]
#39: mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2836688]
#40: nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2a14853]
#41: nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x281fbf1]
#42: nsINode::AppendChild(nsINode&, mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x281fc34]
#43: mozilla::CreateElementTransaction::InsertNewNode(mozilla::ErrorResult&)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5389a6f]
#44: mozilla::CreateElementTransaction::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5389606]
#45: nsTransactionItem::DoTransaction()[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a4401]
#46: nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a6188]
#47: nsTransactionManager::DoTransaction(nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x54a5ebf]
#48: mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5392b40]
#49: mozilla::EditorBase::DoTransaction(nsITransaction*)[/Volumes/workspace/mercurial/mozilla-central/obj-x86_64-apple-darwin16.7.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x537fb64]
...
Posted file shadowy_testcase.js
New minimal testcase now available at
https://raw.githubusercontent.com/anaran/import/9bf3e184ad4bfffb4b5377f0e03ff64018cf6164/shadowy_testcase.js

Just run it in a Scratchpad on a newly opened tab (Ctrl+T) or just about:blank.

Use Scratchpad in WebIDE to remotely debug on Android device.
(In reply to Edgar Chen [:edgar] from comment #13)
> Created attachment 8934060 [details]
> bug_1419799_test.html

This is a similar testcase that triggering same crash in comment #11 on Mac (I didn't test it on Android).
It looks like a frame selection issue (?) on shadow dom. AFAIK, we are moving our shadow dom implementation from v0 to v1, I am not sure if it is worth to take a look at this issue in current stage.
Flags: needinfo?(jjong)
Flags: needinfo?(btian)
Summary: Adding letters to textarea inside customElement crashes tab on linux, digits crash on Android → Adding letters to textarea inside shadow dom crashes tab on linux, digits crash on Android
In Shadow DOM case, we accidentally call Reset() [1] when inserting text for the first time.
This is because we check if the content changed (in this case is the textnode being appended to the anonymous div) is in the same anonymous tree as the textarea element, and in the Shadow DOM case it returns true because of [2].

I think we can remove the condition in [2] because we no longer support multiple shadow roots.

[1] https://searchfox.org/mozilla-central/rev/f5f1c3f294f89cfd242c3af9eb2c40d19d5e04e7/dom/html/HTMLTextAreaElement.cpp#1034
[2] https://searchfox.org/mozilla-central/rev/f5f1c3f294f89cfd242c3af9eb2c40d19d5e04e7/dom/base/nsContentUtils.cpp#5458-5461
Flags: needinfo?(jjong)
Posted patch patch, v1. (obsolete) — Splinter Review
No need to consider multiple shadow roots in nsContentUtils::IsInSameAnonymousTree.
Attachment #8935282 - Flags: review?(bugs)
See Also: → 1423583
Attachment #8935282 - Flags: review?(bugs) → review+
Duplicate of this bug: 1423583
(Please do land the crashtest from bug 1423583 if you don't mind)
(In reply to Emilio Cobos Álvarez [:emilio] from comment #18)
> (Please do land the crashtest from bug 1423583 if you don't mind)

Sure, thanks for the crashtest :)
Flags: needinfo?(btian)
Posted patch patch, v2.Splinter Review
Added crashtest from bug 1423583. Carrying r+.
Assignee: nobody → jjong
Attachment #8935282 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8935621 - Flags: review+
Pushed by jjong@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/91180b88caea
Fix nsContentUtils::IsInSameAnonymousTree in Shadow DOM. r=smaug
https://hg.mozilla.org/mozilla-central/rev/91180b88caea
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
I am glad to report my latest nightly installations on linux and android no longer show these tab crashes!
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.