Open Bug 1613211 Opened 5 years ago Updated 2 years ago

Assertion failure: sPresContext->GetTextInputHandlingWidget() == widget, at /builds/worker/workspace/build/src/dom/events/IMEStateManager.cpp:1864

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

Tracking Status
firefox74 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b95921676bb4. Testcase must be served via a local webserver in order to reproduce.

Assertion failure: sPresContext->GetTextInputHandlingWidget() == widget, at /builds/worker/workspace/build/src/dom/events/IMEStateManager.cpp:1864

rcx = 0x00007f747566222c   rbx = 0x00007ffcb8931438
rsi = 0x00007f748125b8b0   rdi = 0x00007f748125a680
rbp = 0x00007ffcb89314a0   rsp = 0x00007ffcb8931430
r8 = 0x00007f748125b8b0    r9 = 0x00007f74823c2780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000001   r13 = 0x00007ffcb8931430
r14 = 0x00007f7467c7f270   r15 = 0x00007f7467c08000
rip = 0x00007f747116dcbe
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::IMEStateManager::CreateIMEContentObserver(mozilla::EditorBase*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1849|0x45
0|1|libxul.so|mozilla::IMEStateManager::OnFocusInEditor(nsPresContext*, nsIContent*, mozilla::EditorBase&)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|772|0x8
0|2|libxul.so|mozilla::EditorBase::ReinitializeSelection(mozilla::dom::Element&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4884|0x12
0|3|libxul.so|mozilla::dom::Document::TurnEditingOff()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5267|0xb
0|4|libxul.so|mozilla::dom::Document::DeletePresShell()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|6301|0x8
0|5|libxul.so|mozilla::PresShell::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1165|0x574
0|6|libxul.so|nsDocumentViewer::DestroyPresShell()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4103|0x11
0|7|libxul.so|nsDocumentViewer::Hide()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2289|0x8
0|8|libxul.so|nsDocShell::SetVisibility(bool)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5070|0x11
0|9|libxul.so|nsFrameLoader::Hide()|hg:hg.mozilla.org/mozilla-central:dom/base/nsFrameLoader.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1074|0x13
0|10|libxul.so|nsHideViewer::Run()|hg:hg.mozilla.org/mozilla-central:layout/generic/nsSubDocumentFrame.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|919|0x11
0|11|libxul.so|nsContentUtils::RemoveScriptBlocker()|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5380|0x9
0|12|libxul.so|mozilla::dom::Document::EndUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|7116|0x5
0|13|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|34|0xd
0|14|libxul.so|mozilla::dom::Document::DisconnectNodeTree()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2479|0x5
0|15|libxul.so|mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8853|0x5
0|16|libxul.so|mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8997|0x25b
0|17|libxul.so|mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8980|0x1c
0|18|libxul.so|mozilla::dom::Document_Binding::write|s3:gecko-generated-sources:d2ef72c71c794d0feb59c5b46b697c524e1f593b0430173abf3c676f7ce5601264f410930dcd6ce2856b188618109a15c7a3b4fedda47d3a6f2d41d1945f7ca4/dom/bindings/DocumentBinding.cpp:|3129|0xe
0|19|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|3151|0x21
0|20|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|470|0x19
0|21|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|562|0x12
0|22|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|625|0x10
0|23|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|3042|0x16
0|24|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|406|0xfe
0|25|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|597|0xf
0|26|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|625|0x10
0|27|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|642|0x8
0|28|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2797|0x1f
0|29|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|30|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|31|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1271|0x1c
0|32|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|326|0x6b
0|33|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|558|0x12
0|34|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1055|0x1a
0|35|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1160|0x16
0|36|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1260|0x5
0|37|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4095|0x2a
0|38|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4065|0x21
0|39|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|7204|0x5
0|40|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1215|0x5
0|41|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|282|0x14
0|42|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1220|0xe
0|43|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|486|0x11
0|44|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|87|0xa
0|45|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|315|0x19
0|46|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|290|0x8
0|47|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|137|0xd
0|48|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|943|0x6
0|49|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|237|0x5
0|50|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|315|0x19
0|51|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|290|0x8
0|52|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|778|0x8
0|53|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|56|0x14
0|54|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|303|0x12
0|55|libc-2.27.so||||0x21b97
0|56|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|82|0x12
0|57|firefox-bin||||0x10e30
0|58|ld-2.27.so||||0x10733
0|59|libdl-2.27.so||||0x202d80
0|60|libpthread-2.27.so||||0x219bb0
0|61|firefox-bin||||0x10e30
0|62|firefox-bin|_start|||0x29
Flags: in-testsuite?

I'm still not sure where the good method is to stop handling the reinitialization of the selection, though.

Anyway, it looks like sPresContext has already had its members cleared and must return nullptr.

Component: DOM: Core & HTML → DOM: UI Events & Focus Handling
Priority: -- → P3

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.

Whiteboard: [bugmon:confirmed]

Maybe worth a look in pernosco?

Flags: needinfo?(masayuki)
Flags: needinfo?(jkratzer)

A pernosco session for this issue can be found at:
https://pernos.co/debug/MBuZX-uibVHqNdoSpEfNSw/index.html

Flags: needinfo?(jkratzer)

(In reply to Jason Kratzer [:jkratzer] from comment #4)
> A pernosco session for this issue can be found at:
> https://pernos.co/debug/MBuZX-uibVHqNdoSpEfNSw/index.html

Well, I cannot see it (expired or not authorized). It looks like this is caused by a race of getting focus between iframes and initializing the editor asynchronously.

Flags: needinfo?(masayuki)
Severity: normal → S3