Closed Bug 1539773 Opened 6 years ago Closed 6 years ago

Firefox with Wayland crash on wl_abort() when selecting more than 4000 characters in a <textarea>

Categories

(Core :: Widget: Gtk, defect)

Version: 66 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED WORKSFORME

People

(Reporter: vstinner, Unassigned)

References

(Regression)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Go to any webpage which has a <textarea> field. I found the bug in Gmail, but you can use a much simpler website such as http://paste.alacon.org/ to trigger the bug. Paste more than 4000 characters in the field, right-click: Select All -> Firefox crashes. Same crash when using CTRL+a (same action).

I'm using MOZ_ENABLE_WAYLAND=1 in /etc/environment to run Firefox in Wayland.

Actual results:

According to gdb, wl_proxy_marshal_array_constructor_versioned() calls wl_abort() because the buffer is too short. It seems like wl_buffer_put() fails with E2BIG:

https://chromium.googlesource.com/external/wayland/wayland/+/refs/heads/master/src/connection.c#66

The problem comes from the zwp_text_input_v3@39.set_surrounding_text("...") call (where "..." is a UTF-8 string with more than 4096 bytes), i.e. the zwp_text_input_v3_set_surrounding_text() function.

The selected text is longer than 4096 bytes:

(gdb) p strlen(args->s)
$5 = 4154

whereas the wayland message uses a signature which only allows up to around 4000 bytes:

(gdb) p *closure->message
$1 = {
name = 0x7ffff73ef0cb "set_surrounding_text",
signature = 0x7ffff73ef094 "sii",
types = 0x7ffff76bbc60 <types>
}

The "set_surrounding_text" description in text-input/text-input-unstable-v3.xml warns about this 4000-byte limitation:
https://cgit.freedesktop.org/wayland/wayland-protocols/tree/unstable/text-input/text-input-unstable-v3.xml#n138

    Text is UTF-8 encoded, and should include the cursor position, the
    complete selection and additional characters before and after them.
    There is a maximum length of wayland messages, so text can not be
    longer than 4000 bytes.

On the #wayland IRC channel on Freenode, Pekka Paalanen aka "pq" told me that the Wayland protocol cannot carry messages that exceed 4096 bytes, and a few bytes are needed for the message header.

Expected results:

One problem is that wl_abort() is called, which exits Firefox. Maybe wayland-client should be modified to handle such an error differently?

Firefox should avoid passing more than 4000 bytes to the "set_surrounding_text" call.

I reported the bug to gtk since the crash occurs in notify_surrounding_text() which seems to come from gtk:
https://gitlab.gnome.org/GNOME/gtk/issues/1783
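The mitigation the report asks for is to clamp the surrounding text before it reaches the protocol. The following is an added example written for this page, not Firefox's, GTK's or libwayland's code, of one way to do that: pick a window of at most 4000 bytes (the limit the text-input-unstable-v3 description states) that still contains the whole selection, snap its edges to UTF-8 code point boundaries so no multibyte character is split, and rebase the cursor and anchor offsets to the window. The function names, the byte-offset convention and the sample inputs are assumptions of this example; a selection that is itself larger than the budget is refused rather than sent, since a partial selection would mislead the input method.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Payload limit that text-input-unstable-v3 states for set_surrounding_text. */
#define TEXT_INPUT_MAX_BYTES 4000

/* A byte offset is a valid cut point if it is the end of the string or the
 * first byte of a UTF-8 code point (continuation bytes look like 10xxxxxx). */
static int utf8_cut_ok(const char *text, size_t len, size_t pos)
{
    return pos == len || ((unsigned char)text[pos] & 0xC0) != 0x80;
}

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Chooses a window [*start, *end) of text (len bytes) that covers the
 * selection between byte offsets cursor and anchor, is at most max_bytes
 * long and never splits a multibyte sequence. Budget a short side cannot
 * use is handed to the other side. Returns 0 if the selection alone exceeds
 * the budget, in which case nothing should be sent. (Hypothetical helper.) */
int surrounding_window(const char *text, size_t len, size_t cursor, size_t anchor,
                       size_t max_bytes, size_t *start, size_t *end)
{
    size_t lo = min_sz(cursor, anchor);
    size_t hi = cursor > anchor ? cursor : anchor;
    if (hi > len || hi - lo > max_bytes)
        return 0;

    size_t spare  = max_bytes - (hi - lo);
    size_t before = min_sz(spare / 2, lo);              /* context before the selection */
    size_t after  = min_sz(spare - before, len - hi);   /* context after it */
    before = min_sz(spare - after, lo);                 /* give unused "after" budget back */

    size_t s = lo - before, e = hi + after;
    /* Snap inward to code point boundaries; the selection itself is never shrunk. */
    while (s < lo && !utf8_cut_ok(text, len, s)) s++;
    while (e > hi && !utf8_cut_ok(text, len, e)) e--;
    *start = s;
    *end = e;
    return 1;
}

/* Builds the three arguments set_surrounding_text(text, cursor, anchor)
 * carries: the clamped window copied NUL-terminated into out (capacity outsz)
 * and cursor/anchor made relative to that window. Returns the window length,
 * or 0 when nothing safe can be sent. (Hypothetical helper.) */
size_t clamp_surrounding_text(const char *text, size_t cursor, size_t anchor,
                              char *out, size_t outsz, int *rel_cursor, int *rel_anchor)
{
    size_t len = strlen(text), s, e;
    if (!surrounding_window(text, len, cursor, anchor, TEXT_INPUT_MAX_BYTES, &s, &e))
        return 0;
    if (e - s + 1 > outsz)
        return 0;
    memcpy(out, text + s, e - s);
    out[e - s] = '\0';
    *rel_cursor = (int)(cursor - s);
    *rel_anchor = (int)(anchor - s);
    return e - s;
}

/* Constructed sample (not from the bug report): 5000 ASCII bytes with a
 * selection between byte 4500 and 4600, i.e. larger than the protocol allows.
 * Returns the window length, or -1 if the selection was refused. */
static char g_ascii[5001];
long demo_ascii(size_t *start, size_t *end)
{
    memset(g_ascii, 'a', 5000);
    g_ascii[5000] = '\0';
    if (!surrounding_window(g_ascii, 5000, 4500, 4600, TEXT_INPUT_MAX_BYTES, start, end))
        return -1;
    return (long)(*end - *start);
}

/* Same sample through the full clamp: returns the rebased cursor, or -1. */
long demo_clamp_relative_cursor(void)
{
    static char out[TEXT_INPUT_MAX_BYTES + 1];
    int rc = 0, ra = 0;
    memset(g_ascii, 'a', 5000);
    g_ascii[5000] = '\0';
    if (clamp_surrounding_text(g_ascii, 4500, 4600, out, sizeof out, &rc, &ra) == 0)
        return -1;
    return rc;
}

/* Constructed sample: five "é" (two bytes each), caret at byte 4, budget of
 * 5 bytes. Returns the chosen end offset: 6 rather than 7, which would cut an "é". */
long demo_multibyte_end(void)
{
    const char *text = "\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9";
    size_t s, e;
    if (!surrounding_window(text, 10, 4, 4, 5, &s, &e))
        return -1;
    return (long)e;
}

int main(void)
{
    size_t s, e;
    printf("ascii window: %ld bytes\n", demo_ascii(&s, &e));
    printf("multibyte window ends at byte %ld\n", demo_multibyte_end());
    return 0;
}
```

The window is computed in bytes because the protocol limit is a byte limit; counting characters (as the report's "4000 characters" wording suggests) would still overflow for non-ASCII text, which is exactly the 4154-byte case in the gdb session above.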

Has STR: --- → yes
Component: Untriaged → Widget: Gtk
Product: Firefox → Core

Do I understand correctly that this is already fixed by Gtk? Thanks.

Flags: needinfo?(vstinner)

btw. I'm unable to reproduce on Fedora 30 system with gtk3-3.24.7.

> Do I understand correctly that this is already fixed by Gtk? Thanks.

Yes. The good news is that gtk-3.24.3 contains a fix. More info in Gtk issue:
https://gitlab.gnome.org/GNOME/gtk/issues/1783

This issue can be closed.

> btw. I'm unable to reproduce on Fedora 30 system with gtk3-3.24.7.

Yeah, this gtk version already contains the fix.

Flags: needinfo?(vstinner)

Great, thanks.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
No longer blocks: wayland
Regressed by: wayland
Keywords: regression
Has Regression Range: --- → yes