Open Bug 1535112 Opened 1 year ago Updated 9 months ago

Assertion failure: !mRootContent->IsText(), at src/dom/events/ContentEventHandler.cpp:1216

Categories

(Core :: DOM: Selection, defect, P2)

Tracking

ASSIGNED
Tracking Status
firefox67 --- affected
firefox68 --- affected

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Assertion failure: !mRootContent->IsText(), at src/dom/events/ContentEventHandler.cpp:1216

#0 mozilla::ContentEventHandler::SetRawRangeFromFlatTextOffset(mozilla::ContentEventHandler::RawRange*, unsigned int, unsigned int, mozilla::LineBreakType, bool, unsigned int*, nsIContent**) src/dom/events/ContentEventHandler.cpp:1216:5
#1 mozilla::ContentEventHandler::OnQueryTextContent(mozilla::WidgetQueryContentEvent*) src/dom/events/ContentEventHandler.cpp:1425:8
#2 mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) src/dom/events/IMEContentObserver.cpp:756:25
#3 mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) src/dom/events/EventStateManager.cpp:900:22
#4 mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:494:5
#5 mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) src/layout/base/PresShell.cpp:7727:39
#6 mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7696:17
#7 mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) src/layout/base/PresShell.cpp:7455:17
#8 mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6544:12
#9 mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6448:23
#10 nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:755:14
#11 nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1070:9
#12 mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:380:37
#13 mozilla::ContentCacheInChild::CacheText(nsIWidget*, mozilla::widget::IMENotification const*) src/widget/ContentCache.cpp:234:12
#14 mozilla::widget::PuppetWidget::NotifyIMEOfTextChange(mozilla::widget::IMENotification const&) src/widget/PuppetWidget.cpp:817:7
#15 mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) src/widget/TextEventDispatcher.cpp:461:40
#16 nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) src/widget/nsBaseWidget.cpp:1724:43
#17 mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::TabParent*) src/dom/events/IMEStateManager.cpp:1684:22
#18 mozilla::IMEContentObserver::IMENotificationSender::SendTextChange() src/dom/events/IMEContentObserver.cpp:1972:3
#19 mozilla::IMEContentObserver::IMENotificationSender::Run() src/dom/events/IMEContentObserver.cpp:1728:5
#20 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1827:13
#21 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:319:7
#22 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:336:5
#23 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:697:16
#24 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:592:9
#25 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#26 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#27 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2828:28
#28 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2151:21
#29 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
#30 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1937:3
#31 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1968:13
#32 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1179:14
#33 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
#34 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#35 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#36 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#37 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#38 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#39 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#40 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#41 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#42 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#43 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#44 main src/browser/app/nsBrowserApp.cpp:265:18
Flags: in-testsuite?

Hi Andrew, since you added this assertion, I guess you may want to take a look. :)

Flags: needinfo?(continuation)

Hopefully Boris has more of a quick idea of what might be going wrong here.

Flags: needinfo?(continuation) → needinfo?(bzbarsky)

The assert before Andrew touched it should have been equivalent...

I tried loading the testcase on Linux, as both an https:// URL from bugzilla and a file:// URL, but it doesn't assert for me. Tyson, do you see the problem reliably? Any hints on reproducing?

Flags: needinfo?(bzbarsky) → needinfo?(twsmith)

Hmm strange.
I just tested with debug build m-c:
BuildID=20190321001227
SourceStamp=74b3bf36f5e8de101af0cc683bd1f20845e2087d

I was able to reproduce it by opening the test case from the filesystem and hitting F5 a couple times. I did use a clean profile (default prefs). I tested on Ubuntu 16.04.

Flags: needinfo?(twsmith)

Hmm. I got this to reproduce after a few reloads now.

mRootContent is an nsTextNode. So the assert from before 1449670 would have triggered as well. We do in fact have text here.

I have an rr trace now (which I packed in case someone else wants to debug; for my later reference it's ~/.local/share/rr/firefox-126, and the assert is in process 2070 at event 908045).

What seems to be going on is that mozilla::ContentEventHandler::InitRootContent is called with a selection containing one range. That range starts and ends at offset 10 in a textnode. The textnode contains the text "High Grade"; it's autogenerated by the keygen. The parent of the textnode is a <select>. The textnode is a root of a native anonymous subtree.

We call startNode->GetSelectionRootContent(), which returns the node itself, because it's not in the same anonymous subtree as the editor root (the <body> in this case).

All of that seems kind of plausible. So the real question is why this code thinks mRootContent shouldn't be text... Nakano-san, do you happen to know?

Flags: needinfo?(masayuki)

The reason is, ContentEventHandler::mRootContent in such a case should be <body> or <html> (I forgot the detail) and not in a native anonymous subtree, since selection shouldn't be in it. Sounds like this is another case of bug 1511563. My patch in it might fix this crash.

Flags: needinfo?(masayuki)

https://phabricator.services.mozilla.com/D14847 would certainly avoid the state that I was seeing; that is exactly what is going on here: selection in a textnode inside the <select> generated for <keygen>.

masayuki, could you take a look at this once you have time?

Assignee: nobody → masayuki
Priority: -- → P1

Sure. But the nsFrameSelection::MoveCaret() wasn't agreed in bug 1511563. I need to investigate more though.

Status: NEW → ASSIGNED
Priority: P1 → P2