Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox98 | --- | unaffected |
| firefox99 | --- | wontfix |
| firefox100 | --- | verified |
| firefox101 | --- | verified |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main100+r])
Attachments
(3 files)
|
302 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
|
582 bytes,
text/html
|
Details |
Found while fuzzing m-c 20220314-b3eceffcdc4e (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
This test case uses window.printPreview() to trigger the issue which requires an --enable-fuzzing build.
Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724
#0 0x7ff82516a2f4 in mozilla::ContentCacheInParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&, nsIWidget*) const /gecko/widget/ContentCache.cpp:724:7
#1 0x7ff8245287d0 in mozilla::dom::BrowserParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&) /gecko/dom/ipc/BrowserParent.cpp:3054:7
#2 0x7ff822716f4b in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /gecko/dom/events/EventStateManager.cpp:1029:32
#3 0x7ff82271569b in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:617:5
#4 0x7ff82580502d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8163:39
#5 0x7ff8257fefb1 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8132:17
#6 0x7ff8257ff75b in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /gecko/layout/base/PresShell.cpp:7861:7
#7 0x7ff8257fcbf6 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6878:12
#8 0x7ff8257fb7a9 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6796:23
#9 0x7ff82513046d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:685:18
#10 0x7ff8251300a5 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1129:9
#11 0x7ff82529f44a in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/gtk/nsWindow.cpp:513:25
#12 0x7ff8251ddd9b in mozilla::widget::TextEventDispatcher::DispatchEvent(nsIWidget*, mozilla::WidgetGUIEvent&, nsEventStatus&) /gecko/widget/TextEventDispatcher.cpp:263:25
#13 0x7ff8251dd780 in mozilla::widget::TextEventDispatcher::MaybeQueryWritingModeAtSelection() const /gecko/widget/TextEventDispatcher.cpp:246:43
#14 0x7ff8251dee3b in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/TextEventDispatcher.cpp:416:22
#15 0x7ff825152c2f in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/nsBaseWidget.cpp:1701:43
#16 0x7ff8227e3bf4 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /gecko/dom/events/IMEStateManager.cpp:1834:22
#17 0x7ff8245215f0 in mozilla::dom::BrowserParent::RecvNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&, std::function<void (mozilla::widget::IMENotificationRequests const&)>&&) /gecko/dom/ipc/BrowserParent.cpp:2357:3
#18 0x7ff8246b8f22 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:3436:57
#19 0x7ff824782108 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6989:32
#20 0x7ff81e5a4a89 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1674:25
#21 0x7ff81e5a25a2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1599:9
#22 0x7ff81e5a3b59 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1496:14
#23 0x7ff81cebcea2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
#24 0x7ff81ce813cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:770:26
#25 0x7ff81ce7e928 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:606:15
#26 0x7ff81ce7f039 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
#27 0x7ff81cec5844 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
#28 0x7ff81cec5844 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#29 0x7ff81cea2167 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1173:16
#30 0x7ff81cead6dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#31 0x7ff81e5abce4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
#32 0x7ff81e429091 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#33 0x7ff81e429091 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#34 0x7ff81e429091 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#35 0x7ff82522b617 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#36 0x7ff829e7f797 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#37 0x7ff82a0afaf4 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5739:22
#38 0x7ff82a0b1659 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5924:8
#39 0x7ff82a0b2393 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5983:21
#40 0x5639d3893e71 in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
#41 0x5639d3893e71 in main /gecko/browser/app/nsBrowserApp.cpp:395:16
#42 0x7ff8419e40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#43 0x5639d37e2569 in _start (/home/worker/builds/m-c-20220314154526-fuzzing-asan-opt/firefox+0x5e569)
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/uN0Z26glSljJz-UpHz9muQ/index.html
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220318040844-eae985ca32d8.
The bug appears to have been introduced in the following build range:
Start: 8e9c1ffdeed84e460a9ba7f9e83ca24319a15c87 (20220207222603)
End: 858cdf7acc36f5c2fcf348188fdcb3461ba1672f (20220208033131)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8e9c1ffdeed84e460a9ba7f9e83ca24319a15c87&tochange=858cdf7acc36f5c2fcf348188fdcb3461ba1672f
|
||
Comment 3•4 years ago
|
||
bug 1752956 adds those assertion, Masayuki, could you take a look? Thanks!
|
Assignee | |
Comment 4•4 years ago
|
||
Of course... The testcase is really tricky. I need to understand what's going on at running it. However, the regression is going to be shipped. So I think that I should post a simple patch ASAP.
|
||
Comment 5•4 years ago
|
||
Set release status flags based on info from the regressing bug 1752956
|
|
Assignee | |
Comment 6•4 years ago
|
||
This test case uses
window.printPreview()to trigger the issue which requires an--enable-fuzzingbuild.
Ah, this is probably not so urgent because of impossible to reproduce with normal user's operation at least for the scenario of the testcase.
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 7•4 years ago
|
||
It's designed for caching content information of focused editor. However, at
sending focus notification to the main process, the editor may have already
been blurred but IMEContentObserver may have not known it yet. In this edge
case, only query selection succeeds, but query the others failed because of root
content node check of IMEContentObserver::HandleQueryContentEvent. If a
content process meets this case, it should not send focus notification and
stop storing the content since IME shouldn't get focus nor query non-editable
content.
On the other hand, the reported testcase reproduces this with launching the
print preview with a fuzzing API called in the content process. Therefore,
I have no idea how to reproduce it without it. That's the reason why this
patch does not contain new tests.
|
||
Comment 8•4 years ago
|
||
Tyson was able to reproduce by changing window.printPreview() to window.print(), which can be called by web content.
|
|
Assignee | |
Comment 9•4 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8)
Tyson was able to reproduce by changing
window.printPreview()towindow.print(), which can be called by web content.
Thanks! That's helpful when I write automated test in a follow up bug!
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 10•4 years ago
|
||
Comment on attachment 9269011 [details]
Bug 1760160 - Make ContentCacheInChild stop storing content if editable element has already been blurred r=m_kato!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: There is no hint to use
window.print()to reproduce the crash in this patch so that it must be hard to guess what's wrong. - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: 99
- If not all supported branches, which bug introduced the flaw?: Bug 1752956
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Cleanly graftable.
- How likely is this patch to cause regressions; how much testing does it need?: Currently this requires calling
window.print()in specific timing and it's not usual case for normal apps. And this patch handles such edge case as stopping handling focus of IME. Therefore, this shouldn't cause regression in usual apps.
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 11•4 years ago
|
||
Comment on attachment 9269011 [details]
Bug 1760160 - Make ContentCacheInChild stop storing content if editable element has already been blurred r=m_kato!
Approved to land and uplift
|
|
Assignee | |
Comment 12•4 years ago
|
||
|
|
Assignee | |
Comment 13•4 years ago
|
||
Comment on attachment 9269011 [details]
Bug 1760160 - Make ContentCacheInChild stop storing content if editable element has already been blurred r=m_kato!
Beta/Release Uplift Approval Request
- User impact if declined: Might access non-initialized
Maybe<nsString>storage. - Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: 1. Load https://bugzilla.mozilla.org/attachment.cgi?id=9271191
And check whether the tab is or not crashed in debug build.
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): The patch makes
ContentCachestop storing (even temporarily) non-editable content and it means that IMEmight not get expected query content result in such edge case. I think that doing such tricky apps is rare, but it may lead a crash bug of IME like bug 1741515. Anyway, not-widely users' tests, i.e., landing only into mozilla-central, may not catch such edge cases if regression reports come in a couple of days. - String changes made/needed: No
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 14•4 years ago
|
||
Make ContentCacheInChild stop storing content if editable element has already been blurred r=m_kato
https://hg.mozilla.org/integration/autoland/rev/59c496c3cc7054b1dfe692318468a52135dfbeb9
https://hg.mozilla.org/mozilla-central/rev/59c496c3cc70
|
|
||
Comment 15•4 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220407153722-9da4eda47412.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 16•4 years ago
|
||
Comment on attachment 9269011 [details]
Bug 1760160 - Make ContentCacheInChild stop storing content if editable element has already been blurred r=m_kato!
Approved for 100.0b3
|
|
||
Comment 17•4 years ago
|
||
| uplift | ||
|
||
Updated•4 years ago
|
|
||
Comment 18•4 years ago
|
||
I was able to reproduce the issue on Win10 using build 100.0a1 (from 17th of march).
Could not reproduce the issue on Win10 using build 100.0b4(20220408132935).
Hi bugmon@mozilla.com,
Can you please confirm issue is not reproducing on latest Beta (https://archive.mozilla.org/pub/firefox/candidates/100.0b4-candidates/)? Thank you.
|
||
Comment 19•4 years ago
|
||
Bugmon is a bot, so probably can't answer :)
Tyson, maybe you can confirm it's fixed on beta?
|
|
Reporter | |
Comment 20•4 years ago
|
||
Sure, verified with mozilla-beta 20220411-1d6438173487.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Description
•