1697076 - Assertion failure: !IsCombiningDiacritic(aCh) (This character needs to be skipped), at src/intl/unicharutil/util/nsUnicodeProperties.cpp:312

Status: VERIFIED FIXED

(Core :: Internationalization, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Assertion failure: !IsCombiningDiacritic(aCh) (This character needs to be skipped), at src/intl/unicharutil/util/nsUnicodeProperties.cpp:312

#0 0x7fd5e5017237 in mozilla::unicode::GetNaked(unsigned int) src/intl/unicharutil/util/nsUnicodeProperties.cpp:312:3
#1 0x7fd5eac930f7 in nsFind::Find(nsTSubstring<char16_t> const&, nsRange*, nsRange*, nsRange*, nsRange**) src/toolkit/components/find/nsFind.cpp:810:13
#2 0x7fd5eac94d65 in nsWebBrowserFind::SearchInFrame(nsPIDOMWindowOuter*, bool, bool*) src/toolkit/components/find/nsWebBrowserFind.cpp:666:14
#3 0x7fd5eac943e0 in nsWebBrowserFind::FindNext(bool*) src/toolkit/components/find/nsWebBrowserFind.cpp:108:8
#4 0x7fd5e6a77a65 in nsGlobalWindowOuter::FindOuter(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:6565:20
#5 0x7fd5e799012f in mozilla::dom::Window_Binding::find(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:6574:36
#6 0x7fd5e7f1ddfc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3238:13
#7 0x7fd5eafd2b40 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:435:13
#8 0x7fd5eafd22ac in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
#9 0x7fd5eafd3aa9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#10 0x7fd5eafc861f in CallFromStack src/js/src/vm/Interpreter.cpp:584:10
#11 0x7fd5eafc861f in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3244:16
#12 0x7fd5eafbfad1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
#13 0x7fd5eafd22c9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
#14 0x7fd5eafd3aa9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#15 0x7fd5eafd3ccf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
#16 0x7fd5eb54a20b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2856:10
#17 0x7fd5e7c3c333 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:278:37
#18 0x7fd5e82e0501 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:366:12
#19 0x7fd5e82df5c3 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#20 0x7fd5e82c1fbf in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1114:22
#21 0x7fd5e82c2c00 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1305:17
#22 0x7fd5e82b7f55 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
#23 0x7fd5e82b7f55 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:354:17
#24 0x7fd5e82b7503 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:556:16
#25 0x7fd5e82ba0d5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1099:11
#26 0x7fd5e99a26f3 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1103:7
#27 0x7fd5ea96d440 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6574:20
#28 0x7fd5ea96cdf2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5930:7
#29 0x7fd5ea96dd7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#30 0x7fd5e6194a7c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1332:3
#31 0x7fd5e619402a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:938:14
#32 0x7fd5e6192577 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:757:9
#33 0x7fd5e61934ad in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:640:5
#34 0x7fd5e6193c4c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#35 0x7fd5e50c1eb6 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:616:22
#36 0x7fd5e50c33c3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:523:10
#37 0x7fd5e6b605b1 in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11075:18
#38 0x7fd5e6b3ef40 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11005:9
#39 0x7fd5e6b4fab6 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7564:3
#40 0x7fd5e6bc19d6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#41 0x7fd5e6bc19d6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#42 0x7fd5e6bc19d6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#43 0x7fd5e4f176f2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:146:20
#44 0x7fd5e4f1dcbf in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#45 0x7fd5e4f1c230 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#46 0x7fd5e4f1aff4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#47 0x7fd5e4f1b1a7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#48 0x7fd5e4f21ad6 in operator() src/xpcom/threads/TaskController.cpp:133:37
#49 0x7fd5e4f21ad6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#50 0x7fd5e4f32fc7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#51 0x7fd5e4f399da in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#52 0x7fd5e585f1a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#53 0x7fd5e57ca603 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#54 0x7fd5e57ca51d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#55 0x7fd5e57ca51d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#56 0x7fd5e964ad78 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#57 0x7fd5eae9b093 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#58 0x7fd5e586008c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#59 0x7fd5e57ca603 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#60 0x7fd5e57ca51d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#61 0x7fd5e57ca51d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#62 0x7fd5eae9ac68 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#63 0x55d2da7cffa6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x55d2da7cffa6 in main src/browser/app/nsBrowserApp.cpp:309:18
#65 0x7fd5fa0300b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#66 0x55d2da7add4c in _start (/home/worker/builds/m-c-20210308094833-fuzzing-debug/firefox-bin+0x14d4c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/z24YK3CgHwD7lLw8xbt8Dg/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210309094921-b332567cbbca.
The bug appears to have been introduced in the following build range:

Start: c021c6541346f143f726bcb57060525a6c613f63 (20210307161902)
End: d61a3c845eb6b4c8ab9fae03a8d9b3eb4ca2806f (20210307162004)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c021c6541346f143f726bcb57060525a6c613f63&tochange=d61a3c845eb6b4c8ab9fae03a8d9b3eb4ca2806f

Comment 3

[Jonathan Kew [:jfkthame]]

Alex, this appears to arise because the added !IsMathSymbol condition at https://searchfox.org/mozilla-central/rev/2b99ea2e97eef00a8a1c7e24e5fe51ab5304bc42/toolkit/components/find/nsFind.cpp#777 means that it's now possible for a combining diacritic (when preceded by a symbol) to make it down to ToNaked at line 810.

Should we just make ToNaked return any combining diacritic unchanged, or do you see a better option to handle this?

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1649187

Comment 5

[Alex Henrie]

Sorry, I should have realized that this was going to be a problem. We can just drop the assertion.

Comment 6

[Jonathan Kew [:jfkthame]]

Yes, that looks fine to me. If you'd like to post the (minimal) patch I'll go ahead and review/land it.

Comment 7

[Alex Henrie]

Attachment: Bug 1697076 - Drop assertion from mozilla::unicode::GetNaked.

Comment 8

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bfdc3d20b85a
Drop assertion from mozilla::unicode::GetNaked. r=jfkthame

Comment 9

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/bfdc3d20b85a

Comment 10

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210311220018-fe11dc32ac20.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.