Closed Bug 1549885 Opened 5 years ago Closed 1 year ago

Assertion failure: mPreCharacterDataChangeLength < 0 (CharacterDataChanged() should've reset mPreCharacterDataChangeLength), at src/dom/events/IMEContentObserver.cpp:859

Categories

(Core :: DOM: Core & HTML, defect, P2)

defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr68 --- affected
firefox68 --- wontfix
firefox69 --- affected
firefox70 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Attached file testcase.html

Assertion failure: mPreCharacterDataChangeLength < 0 (CharacterDataChanged() should've reset mPreCharacterDataChangeLength), at src/dom/events/IMEContentObserver.cpp:859

#0 mozilla::IMEContentObserver::CharacterDataWillChange(nsIContent*, CharacterDataChangeInfo const&) src/dom/events/IMEContentObserver.cpp:857:3
#1 nsNodeUtils::CharacterDataWillChange(nsIContent*, CharacterDataChangeInfo const&) src/dom/base/nsNodeUtils.cpp:134:3
#2 mozilla::dom::CharacterData::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) src/dom/base/CharacterData.cpp:248:5
#3 mozilla::dom::CharacterData::SetData(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/CharacterData.cpp:145:17
#4 mozilla::EditorBase::SetTextImpl(nsTSubstring<char16_t> const&, mozilla::dom::Text&) src/editor/libeditor/EditorBase.cpp:2773:13
#5 mozilla::TextEditRules::WillSetText(bool*, bool*, nsTSubstring<char16_t> const*, int) src/editor/libeditor/TextEditRules.cpp:1003:24
#6 mozilla::TextEditRules::WillDoAction(mozilla::EditSubActionInfo&, bool*, bool*) src/editor/libeditor/TextEditRules.cpp:319:14
#7 mozilla::TextEditor::SetTextAsSubAction(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:1189:24
#8 mozilla::TextEditor::SetText(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:1108:17
#9 nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) src/dom/html/nsTextEditorState.cpp:2387:25
#10 mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, unsigned int) src/dom/html/HTMLTextAreaElement.cpp:281:15
#11 mozilla::dom::HTMLTextAreaElement::Reset() src/dom/html/HTMLTextAreaElement.cpp:652:7
#12 mozilla::dom::HTMLTextAreaElement::ContentChanged(nsIContent*) src/dom/html/HTMLTextAreaElement.cpp:849:5
#13 nsNodeUtils::CharacterDataChanged(nsIContent*, CharacterDataChangeInfo const&) src/dom/base/nsNodeUtils.cpp:142:3
#14 mozilla::dom::CharacterData::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) src/dom/base/CharacterData.cpp:326:5
#15 mozilla::dom::CharacterData::SetText(char16_t const*, unsigned int, bool) src/dom/base/CharacterData.cpp:554:10
#16 nsContentUtils::SetNodeTextContent(nsIContent*, nsTSubstring<char16_t> const&, bool) src/dom/base/nsContentUtils.cpp:4832:38
#17 mozilla::dom::HTMLTextAreaElement::SetDefaultValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/html/HTMLTextAreaElement.cpp:348:17
#18 mozilla::dom::HTMLTextAreaElement_Binding::set_defaultValue(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLTextAreaElement*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/HTMLTextAreaElementBinding.cpp:1111:9
#19 bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3106:8
#20 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:443:13
#21 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535:12
#22 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#23 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#24 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:744:10
#25 SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2879:8
#26 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2908:14
#27 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/ObjectOperations-inl.h:283:10
#28 SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:268:10
#29 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2847:12
#30 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#31 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#32 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#33 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#34 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2647:10
#35 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#36 void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#37 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
#38 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1045:22
#39 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1240:17
#40 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349:17
#41 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
#42 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1047:11
#43 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1104:7
#44 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6641:20
#45 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6441:7
#46 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#47 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
#48 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:872:14
#49 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:710:9
#50 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:598:5
#51 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#52 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#53 mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:8012:18
#54 mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7944:9
#55 mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:5101:3
#56 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1174:13
#57 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#58 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
#59 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#60 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#61 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#62 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#63 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#64 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#65 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#66 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#67 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#68 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#69 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#70 main src/browser/app/nsBrowserApp.cpp:263:18
Flags: in-testsuite?
Priority: -- → P2

Here's another test-case for this:

<!DOCTYPE html>
<textarea readonly>
  foobar
</textarea>
<script>
  document.designMode = "on";
</script>

Typing into the textarea insta-crashes, because HTMLTextAreaElement::CharacterDataChanged may call Reset(), which reenters into CharacterDataWillChange before IMEContentObserver has a chance to unset the value.

Masayuki, you added this assertion, and it seems it doesn't really hold... thoughts?

Flags: needinfo?(masayuki)
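The nesting described in the comment above, as an added illustration that is not Gecko's code: a simplified C++ model in which the after-change notification triggers a second mutation before the observer has cleared its stored length, so a single-slot observer trips the same invariant as the assertion in this bug, while a variant that keeps a stack of pending lengths pairs the nested notifications correctly. SingleSlotObserver, StackObserver, TextNode and RunNested are hypothetical names, and the one-shot listener stands in for HTMLTextAreaElement::Reset().

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Hypothetical, simplified model of the re-entrancy in this bug, not Gecko's
// code. A text node notifies its observer before and after each mutation; a
// second listener (standing in for HTMLTextAreaElement::ContentChanged() ->
// Reset()) mutates the node again from inside the "after" path, so the
// observer sees WillChange() twice before its own Changed() has run.

// One pending slot: the invariant the bug's assertion relies on.
struct SingleSlotObserver {
    long pre = -1;      // mirrors mPreCharacterDataChangeLength
    int violations = 0; // where the real code would assert
    void WillChange(std::size_t oldLen) {
        if (pre >= 0) ++violations; // Changed() never reset the slot
        pre = static_cast<long>(oldLen);
    }
    void Changed() { pre = -1; }
};

// Same observer with a stack, so nested will/did notifications pair up.
struct StackObserver {
    std::vector<long> pending;
    int violations = 0;
    void WillChange(std::size_t oldLen) { pending.push_back(static_cast<long>(oldLen)); }
    void Changed() { if (pending.empty()) ++violations; else pending.pop_back(); }
};

template <class Obs> struct TextNode {
    std::string data;
    Obs* obs;
    std::function<void(TextNode&)> onChanged; // re-entrant listener, fired once
    void SetData(const std::string& v) {
        obs->WillChange(data.size());
        data = v;
        if (onChanged) { auto cb = onChanged; onChanged = nullptr; cb(*this); }
        obs->Changed();
    }
};

// Drives the scenario; returns how many times the observer's invariant broke.
template <class Obs> int RunNested() {
    Obs obs;
    TextNode<Obs> node{"foobar", &obs, [](TextNode<Obs>& n) { n.SetData(""); }};
    node.SetData("changed");
    return obs.violations;
}
```

RunNested<SingleSlotObserver>() returns 1 (the nested WillChange() finds the slot still set) and RunNested<StackObserver>() returns 0.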

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Hmm, nested DOM mutation is not expected by IMEContentObserver... I'll take a look, but I'm not sure I can fix the root cause safely.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)

Tested with Chrome: <textarea readonly> isn't editable even in designMode. Perhaps we should follow this behavior for this case.

But perhaps we need to modify IMEContentObserver too, to avoid the root cause.

masayuki: The fuzzers are still hitting this fairly frequently, any updates?

Flags: needinfo?(masayuki)

Currently, we don't have any symptom caused by this; it might be because the scenario is not used in actual web apps. So, I think that we don't need to fix this so soon, because at least I don't have much time until shipping the beforeinput event.

Status: ASSIGNED → NEW
Flags: needinfo?(masayuki)

Resetting the assignee, since I haven't worked on this in the last several months.

Assignee: masayuki → nobody
Severity: normal → S3

The attached test case no longer reproduces the issue. This issue was last reported by fuzzers targeting m-c 20230127-f75c73066b88.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME