Closed Bug 1589497 Opened 10 months ago Closed 4 months ago

[TSF] Crash in [@ mozilla::widget::NativeKey::InitWithKeyOrChar] because of `TSFTextStore` trying to dispatch keyboard event with unexpected message

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

All
Windows
defect

Tracking

()

RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: philipp, Assigned: masayuki)

References

(Regression)

Details

(Keywords: crash, inputmethod, regression)

Crash Data

Attachments

(1 file)

This bug is for crash report bp-dbcd6cf0-6ea1-4afe-9d9f-f90410191017.

Top 10 frames of crashing thread:

0 xul.dll void mozilla::widget::NativeKey::InitWithKeyOrChar widget/windows/KeyboardLayout.cpp:1564
1 xul.dll mozilla::widget::NativeKey::NativeKey widget/windows/KeyboardLayout.cpp:1304
2 xul.dll void mozilla::widget::TSFTextStore::DispatchKeyboardEventAsProcessedByIME widget/windows/TSFTextStore.cpp:2684
3 xul.dll void mozilla::widget::TSFTextStore::FlushPendingActions widget/windows/TSFTextStore.cpp:2348
4 xul.dll HRESULT mozilla::widget::TSFTextStore::RequestLock widget/windows/TSFTextStore.cpp
5 msctf.dll CInputContext::OnLayoutChange 
6 msctf.dll CACPWrap::OnLayoutChange 
7 xul.dll mozilla::widget::TSFTextStore::NotifyTSFOfLayoutChange widget/windows/TSFTextStore.cpp:6252
8 xul.dll mozilla::widget::TSFTextStore::OnLayoutChangeInternal widget/windows/TSFTextStore.cpp:6200
9 xul.dll mozilla::widget::IMEHandler::NotifyIME widget/windows/WinIMEHandler.cpp:336

this is a long-standing but low volume crash signature with reports containing MOZ_CRASH(Unsupported message) and 95% affecting users of chinese locale builds.

This is unexpected case. While TSFTextStore is handling a key press, it shouldn't receive notifications from child process. And that should be impossible. Actually, the stack tells us that it's truly kicked by another event loop. So, I guess that TSFTextStore failed to clear pending actions at previous key handling.

philipp: Can you check whether there are useful comments about the STR? I cannot check it with my permission.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Component: DOM: Events → Widget: Win32
Flags: needinfo?(madperson)
Keywords: inputmethod
Priority: -- → P3

i'm afraid the current comments don't point to any obvious STR (or the meaning is lost to me in google translation) - some of the more helpful extracts:

crashing urls seem to be just popular pages in the locale:
1 https://home.firefoxchina.cn/ 31 5.18 %
2 https://offlintab.firefoxchina.cn/ 26 4.34 %
3 http://iot.ddsaas.cn/ 20 3.34 %
4 http://pmp.ddsaas.cn/ 13 2.17 %
5 https://www.baidu.com/ 13 2.17 %
7 https://hao.360.com/ 9 1.50 %
8 https://mail.google.com/mail/u/0/ 9 1.50 %
9 https://wx.qq.com/?&lang=zh_CN 8 1.34 %
10 https://wx.qq.com/ 7 1.17 %
11 about:newtab

wading though a number of reports, LenovoTSF.ime 1.0.1.0 is the most common IME in use in these reports, though it's not the only one showing up in there.

Flags: needinfo?(madperson)

Moving all open keyboard/IME handling bugs to DOM: UI Events & Focus Handling component.

Component: Widget: Win32 → DOM: UI Events & Focus Handling
Assignee: masayuki → nobody
Status: ASSIGNED → NEW
Regressed by: 1259692, 354358
Summary: Crash in [@ mozilla::widget::NativeKey::InitWithKeyOrChar] → [TSF] Crash in [@ mozilla::widget::NativeKey::InitWithKeyOrChar] because of `TSFTextStore` trying to dispatch keyboard event with unexpected message

TSFTextStore::sHandlingKeyMsg refers pointer of struct, but referred via
TSFTextStore::PendingAction so that we should make it has a copy of
sHandlingKeyMsg because of for async handling.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/46bf06a42ba6
Make PendingAction of TSFStore copy of key message r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
You need to log in before you can comment on or make changes to this bug.