Crash in [@ mozilla::WSRunObject::NormalizeWhiteSpacesAtEndOf]
Categories: Core :: DOM: Editor, defect, P2

Tracking

| Version | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | unaffected |
| firefox79 | + | verified |

People: Reporter: calixte, Assigned: masayuki
References: Blocks 1 open bug, Regression
Details: Keywords: crash, regression
Crash Data
Attachments: 1 file
This bug is for crash report bp-458b0c5d-0fba-4fca-9452-b97cc0200616.
Top 10 frames of crashing thread:
0 xul.dll mozilla::WSRunObject::NormalizeWhiteSpacesAtEndOf editor/libeditor/WSRunObject.cpp
1 xul.dll mozilla::WSRunObject::AdjustWhiteSpace editor/libeditor/WSRunObject.cpp:693
2 xul.dll mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubActionInternal editor/libeditor/HTMLEditSubActionHandler.cpp:547
3 xul.dll mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubAction editor/libeditor/HTMLEditSubActionHandler.cpp:360
4 xul.dll mozilla::EditorBase::InsertTextAsSubAction editor/libeditor/EditorBase.cpp:5160
5 xul.dll mozilla::TextEditor::OnInputText editor/libeditor/TextEditor.cpp:402
6 xul.dll mozilla::HTMLEditor::HandleKeyPressEvent editor/libeditor/HTMLEditor.cpp:800
7 xul.dll mozilla::EditorEventListener::KeyPress editor/libeditor/EditorEventListener.cpp:625
8 xul.dll mozilla::EventListenerManager::HandleEventInternal dom/events/EventListenerManager.cpp:1279
9 xul.dll static mozilla::EventTargetChainItem::HandleEventTargetChain dom/events/EventDispatcher.cpp:593
There are 4 crashes (from 3 installations) in nightly 79 with buildid 20200615214838. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1642594.
The moz_crash_reason is MOZ_DIAGNOSTIC_ASSERT(isSome()).
[1] https://hg.mozilla.org/mozilla-central/rev?node=8e0e2c27bc4b
Comment 1 (Assignee) • 4 years ago
Okay, I got a testcase.
Comment 2 (Assignee) • 4 years ago
Hmm, similar, but different crash point.
https://crash-stats.mozilla.org/report/index/9598d434-8624-49d1-8ce2-15fd00200616
I have no idea how to make GetPreviousEditableCharPoint() return an unset point without a mutation event listener...
Comment 3 (Assignee) • 4 years ago
I guess that the Maybe is mOffset of EditorDOMPointBase because new Maybe::value()s are called with checking Maybe::isSome(). So, accessing EditorDOMPointBase::mOffset newly should cause the assertion.
Then, I found a new caller IsCharASCIISpace() which calls Char() without validation here:
https://hg.mozilla.org/mozilla-central/diff/289c293af80b12744b5d35c5b8427ba8d8ebf13e/editor/libeditor/WSRunObject.cpp#l1.383
That could be unset, but I cannot reproduce it; however, I succeeded in reproducing a similar assertion hit using an empty text node (see the crashtest). I hope this fixes the original crash too.
Comment 4 • 4 years ago
I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.
Comment 5 (Assignee) • 4 years ago
(In reply to Anne (:annevk) from comment #4)
> I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.

Oddly, I cannot reproduce this even in Gmail. Could you tell me the exact STR for the crash? It's helpful to add the true STR into crashtests.
Comment 6 • 4 years ago
(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #5)
> (In reply to Anne (:annevk) from comment #4)
> > I can reproduce this in Gmail very reliably. When composing an email, paste something, then hit space.
>
> Oddly, I cannot reproduce this even in Gmail. Could you tell me the exact STR for the crash? It's helpful to add the true STR into crashtests.

FWIW, I cannot reproduce it either. I was using Nightly on Win10.
Comment 7 (Assignee) • 4 years ago
For now, landing with the testcase which I found. I'll add more testcases if there are any.
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/64a1bcea93be Check whether `EditorDOMPointInText` is set before calling `IsCharASCIISpace()` r=m_kato
Comment 9 • 4 years ago
On macOS using Firefox Nightly (could reproduce yesterday and can reproduce today in 79.0a1 (2020-06-16)):
- Go to Gmail
- Click Compose
- Focus the message body textarea with a click
- Paste something
- Press space (maybe twice)
See https://crash-stats.mozilla.org/report/index/f22bd9c7-67c8-463f-a5c9-238440200617.
Comment 10 • 4 years ago
bugherder
Comment 11 (Assignee) • 4 years ago
Ah, I see. I reproduced the crash within plaintext mode of Gmail composer.
Comment 12 (Assignee) • 4 years ago
I got another testcase! https://jsfiddle.net/d_toybox/oj1cxs4b/1/
Comment 14 • 4 years ago
Confirmed the issue with the attached test case(s) on Windows 10 with 79.0a1 (2020-06-16).
Fix verified with 80.0a1 (2020-07-02) and 79.0b3 on both test cases provided by :masayuki.