Closed Bug 1645983 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::WSRunObject::NormalizeWhiteSpacesAtEndOf]

Categories

(Core :: DOM: Editor, defect, P2)

Unspecified
Windows 10
defect

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 + verified

People

(Reporter: calixte, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug is for crash report bp-458b0c5d-0fba-4fca-9452-b97cc0200616.

Top 10 frames of crashing thread:

0 xul.dll mozilla::WSRunObject::NormalizeWhiteSpacesAtEndOf editor/libeditor/WSRunObject.cpp
1 xul.dll mozilla::WSRunObject::AdjustWhiteSpace editor/libeditor/WSRunObject.cpp:693
2 xul.dll mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubActionInternal editor/libeditor/HTMLEditSubActionHandler.cpp:547
3 xul.dll mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubAction editor/libeditor/HTMLEditSubActionHandler.cpp:360
4 xul.dll mozilla::EditorBase::InsertTextAsSubAction editor/libeditor/EditorBase.cpp:5160
5 xul.dll mozilla::TextEditor::OnInputText editor/libeditor/TextEditor.cpp:402
6 xul.dll mozilla::HTMLEditor::HandleKeyPressEvent editor/libeditor/HTMLEditor.cpp:800
7 xul.dll mozilla::EditorEventListener::KeyPress editor/libeditor/EditorEventListener.cpp:625
8 xul.dll mozilla::EventListenerManager::HandleEventInternal dom/events/EventListenerManager.cpp:1279
9 xul.dll static mozilla::EventTargetChainItem::HandleEventTargetChain dom/events/EventDispatcher.cpp:593

There are 4 crashes (from 3 installations) in nightly 79 with buildid 20200615214838. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1642594.
The moz_crash_reason is MOZ_DIAGNOSTIC_ASSERT(isSome()).

[1] https://hg.mozilla.org/mozilla-central/rev?node=8e0e2c27bc4b

Flags: needinfo?(masayuki)
Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P2

Hmm, similar, but different crash point.
https://crash-stats.mozilla.org/report/index/9598d434-8624-49d1-8ce2-15fd00200616

I have no idea how to make GetPreviousEditableCharPoint() return an unset point without a mutation event listener...

I guess that the Maybe is mOffset of EditorDOMPointBase because new
Maybe::value()s are called with checking Maybe::isSome(). So, accessing
EditorDOMPointBase::mOffset newly should cause the assertion.

Then, I found a new caller IsCharASCIISpace() which calls Char() without
validation here:
https://hg.mozilla.org/mozilla-central/diff/289c293af80b12744b5d35c5b8427ba8d8ebf13e/editor/libeditor/WSRunObject.cpp#l1.383

That could be unset, but I cannot reproduce it. However, I succeeded in
reproducing a similar assertion hit using an empty text node (see the
crashtest). I hope this fixes the original crash too.

I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.

(In reply to Anne (:annevk) from comment #4)
> I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.

Oddly, I cannot reproduce this even in Gmail. Could you tell me the exact STR for the crash? It's helpful to add the true STR into crashtests.

Flags: needinfo?(annevk)

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #5)
> (In reply to Anne (:annevk) from comment #4)
> > I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.
>
> Oddly, I cannot reproduce this even in Gmail. Could you tell me the exact STR for the crash? It's helpful to add the true STR into crashtests.

FWIW, I cannot reproduce, either. I was using Nightly on Win10.

For now, landing with the testcase which I found. I'll add more testcases if there are any.

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/64a1bcea93be
Check whether `EditorDOMPointInText` is set before calling `IsCharASCIISpace()` r=m_kato

On macOS using Firefox Nightly (could reproduce yesterday and can reproduce today in 79.0a1 (2020-06-16)):

  1. Go to Gmail
  2. Click Compose
  3. Focus the message body textarea with a click
  4. Paste something
  5. Press space (maybe twice)

See https://crash-stats.mozilla.org/report/index/f22bd9c7-67c8-463f-a5c9-238440200617.

Flags: needinfo?(annevk)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

Ah, I see. I reproduced the crash within plaintext mode of Gmail composer.

Root Cause: --- → Coding: Unhandled Exceptions
Flags: qe-verify+

Confirmed issue with attached test-case(s) on Windows 10 with 79.0a1 (2020-06-16).
Fix verified with 80.0a1 (2020-07-02), 79.0b3 on both test cases provided by :masayuki.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Has Regression Range: --- → yes