Open Bug 1613211 Opened 2 months ago Updated 2 months ago

Assertion failure: sPresContext->GetTextInputHandlingWidget() == widget, at /builds/worker/workspace/build/src/dom/events/IMEStateManager.cpp:1864

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

defect

Tracking

()

Tracking Status
firefox74 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b95921676bb4. Testcase must be served via a local webserver in order to reproduce.

Assertion failure: sPresContext->GetTextInputHandlingWidget() == widget, at /builds/worker/workspace/build/src/dom/events/IMEStateManager.cpp:1864

rcx = 0x00007f747566222c   rbx = 0x00007ffcb8931438
rsi = 0x00007f748125b8b0   rdi = 0x00007f748125a680
rbp = 0x00007ffcb89314a0   rsp = 0x00007ffcb8931430
r8 = 0x00007f748125b8b0    r9 = 0x00007f74823c2780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000001   r13 = 0x00007ffcb8931430
r14 = 0x00007f7467c7f270   r15 = 0x00007f7467c08000
rip = 0x00007f747116dcbe
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::IMEStateManager::CreateIMEContentObserver(mozilla::EditorBase*)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1849|0x45
0|1|libxul.so|mozilla::IMEStateManager::OnFocusInEditor(nsPresContext*, nsIContent*, mozilla::EditorBase&)|hg:hg.mozilla.org/mozilla-central:dom/events/IMEStateManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|772|0x8
0|2|libxul.so|mozilla::EditorBase::ReinitializeSelection(mozilla::dom::Element&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorBase.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4884|0x12
0|3|libxul.so|mozilla::dom::Document::TurnEditingOff()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5267|0xb
0|4|libxul.so|mozilla::dom::Document::DeletePresShell()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|6301|0x8
0|5|libxul.so|mozilla::PresShell::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1165|0x574
0|6|libxul.so|nsDocumentViewer::DestroyPresShell()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4103|0x11
0|7|libxul.so|nsDocumentViewer::Hide()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2289|0x8
0|8|libxul.so|nsDocShell::SetVisibility(bool)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5070|0x11
0|9|libxul.so|nsFrameLoader::Hide()|hg:hg.mozilla.org/mozilla-central:dom/base/nsFrameLoader.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1074|0x13
0|10|libxul.so|nsHideViewer::Run()|hg:hg.mozilla.org/mozilla-central:layout/generic/nsSubDocumentFrame.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|919|0x11
0|11|libxul.so|nsContentUtils::RemoveScriptBlocker()|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|5380|0x9
0|12|libxul.so|mozilla::dom::Document::EndUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|7116|0x5
0|13|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|34|0xd
0|14|libxul.so|mozilla::dom::Document::DisconnectNodeTree()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2479|0x5
0|15|libxul.so|mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8853|0x5
0|16|libxul.so|mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8997|0x25b
0|17|libxul.so|mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|8980|0x1c
0|18|libxul.so|mozilla::dom::Document_Binding::write|s3:gecko-generated-sources:d2ef72c71c794d0feb59c5b46b697c524e1f593b0430173abf3c676f7ce5601264f410930dcd6ce2856b188618109a15c7a3b4fedda47d3a6f2d41d1945f7ca4/dom/bindings/DocumentBinding.cpp:|3129|0xe
0|19|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|3151|0x21
0|20|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|470|0x19
0|21|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|562|0x12
0|22|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|625|0x10
0|23|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|3042|0x16
0|24|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|406|0xfe
0|25|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|597|0xf
0|26|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|625|0x10
0|27|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|642|0x8
0|28|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|2797|0x1f
0|29|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|30|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|31|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1271|0x1c
0|32|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|326|0x6b
0|33|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|558|0x12
0|34|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1055|0x1a
0|35|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1160|0x16
0|36|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1260|0x5
0|37|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4095|0x2a
0|38|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|4065|0x21
0|39|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|7204|0x5
0|40|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1215|0x5
0|41|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|282|0x14
0|42|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|1220|0xe
0|43|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|486|0x11
0|44|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|87|0xa
0|45|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|315|0x19
0|46|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|290|0x8
0|47|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|137|0xd
0|48|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|943|0x6
0|49|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|237|0x5
0|50|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|315|0x19
0|51|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|290|0x8
0|52|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|778|0x8
0|53|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|56|0x14
0|54|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|303|0x12
0|55|libc-2.27.so||||0x21b97
0|56|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:b95921676bb48bf84d429f0a4ab9c53a1bdd7933|82|0x12
0|57|firefox-bin||||0x10e30
0|58|ld-2.27.so||||0x10733
0|59|libdl-2.27.so||||0x202d80
0|60|libpthread-2.27.so||||0x219bb0
0|61|firefox-bin||||0x10e30
0|62|firefox-bin|_start|||0x29
Flags: in-testsuite?

I'm still not sure which method is the right place to stop reinitializing the selection, though.

Anyway, it looks like sPresContext's members have already been cleared, so GetTextInputHandlingWidget() must return nullptr.

Component: DOM: Core & HTML → DOM: UI Events & Focus Handling
Priority: -- → P3