Closed Bug 1771780 Opened 3 years ago Closed 3 years ago

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4184

Categories

(Core :: DOM: Editor, defect, P1)

Status: VERIFIED FIXED
Target Milestone: 103 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox101 --- unaffected
firefox102 --- unaffected
firefox103 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220528-c7f47d9896aa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4184

#0 0x7fc1d3c43d56 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4184:3
#1 0x7fc1d39eb8f7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1439:5
#2 0x7fc1d39eb8f7 in mozilla::TextEditor::OnFocus(nsINode const&) /gecko/editor/libeditor/TextEditor.cpp:660:14
#3 0x7fc1d39eb711 in mozilla::TextEditor::ReinitializeSelection(mozilla::dom::Element&) /gecko/editor/libeditor/TextEditor.cpp:646:3
#4 0x7fc1ce1d0dad in mozilla::dom::Document::TurnEditingOff() /gecko/dom/base/Document.cpp:6078:21
#5 0x7fc1ce1da738 in mozilla::dom::Document::DeletePresShell() /gecko/dom/base/Document.cpp:7106:5
#6 0x7fc1d3c2830a in mozilla::PresShell::Destroy() /gecko/layout/base/PresShell.cpp:1382:16
#7 0x7fc1d3d0d58a in nsDocumentViewer::DestroyPresShell() /gecko/layout/base/nsDocumentViewer.cpp:3515:15
#8 0x7fc1d3d06993 in nsDocumentViewer::Hide() /gecko/layout/base/nsDocumentViewer.cpp:2198:3
#9 0x7fc1d76fcb16 in nsDocShell::SetVisibility(bool) /gecko/docshell/base/nsDocShell.cpp
#10 0x7fc1ce51ffe8 in nsFrameLoader::Hide() /gecko/dom/base/nsFrameLoader.cpp:1183:12
#11 0x7fc1d4074471 in nsSubDocumentFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsSubDocumentFrame.cpp:956:22
#12 0x7fc1d4035166 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
#13 0x7fc1d3e0612a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:480:3
#14 0x7fc1d4035166 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
#15 0x7fc1d3e0612a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:480:3
#16 0x7fc1d4035166 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
#17 0x7fc1d3e0612a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:480:3
#18 0x7fc1d3ea642c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsFrameList.cpp:50:12
#19 0x7fc1d3e06971 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsContainerFrame.cpp:227:11
#20 0x7fc1d3e3d71c in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsCanvasFrame.cpp:233:21
#21 0x7fc1d3ea642c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsFrameList.cpp:50:12
#22 0x7fc1d3e06971 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsContainerFrame.cpp:227:11
#23 0x7fc1d3e4f249 in Destroy /gecko/layout/generic/nsIFrame.h:672:5
#24 0x7fc1d3e4f249 in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /gecko/layout/generic/nsContainerFrame.cpp:181:19
#25 0x7fc1d3ce9f92 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7735:5
#26 0x7fc1d3cde1b8 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:8708:7
#27 0x7fc1d3c75930 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1565:25
#28 0x7fc1d3c7e4d5 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3117:9
#29 0x7fc1d3c44c36 in mozilla::RestyleManager::ProcessPendingRestyles() /gecko/layout/base/RestyleManager.cpp:3197:3
#30 0x7fc1d3c43434 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4320:39
#31 0x7fc1ce2071e0 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10884:16
#32 0x7fc1ce207175 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10880:22
#33 0x7fc1ccda7d9c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:739:14
#34 0x7fc1ccdaa911 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:677:5
#35 0x7fc1d7740b2b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13850:23
#36 0x7fc1cb4c1d1e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
#37 0x7fc1cb4c4714 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:518:10
#38 0x7fc1ce20f024 in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:11665:18
#39 0x7fc1ce1bb840 in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:11603:9
#40 0x7fc1ce1e6ad9 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:8137:3
#41 0x7fc1ce2d7c9d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#42 0x7fc1ce2d7c9d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#43 0x7fc1ce2d7c9d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#44 0x7fc1cb120d4f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#45 0x7fc1cb16dac2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:475:16
#46 0x7fc1cb133b25 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:788:26
#47 0x7fc1cb130cd8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:620:15
#48 0x7fc1cb131400 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:398:36
#49 0x7fc1cb176611 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
#50 0x7fc1cb176611 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#51 0x7fc1cb154487 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
#52 0x7fc1cb15e5ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#53 0x7fc1cc873dff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#54 0x7fc1cc6f9ab1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#55 0x7fc1cc6f9ab1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#56 0x7fc1cc6f9ab1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#57 0x7fc1d3640ee7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#58 0x7fc1d852e8df in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:875:20
#59 0x7fc1cc6f9ab1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#60 0x7fc1cc6f9ab1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#61 0x7fc1cc6f9ab1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#62 0x7fc1d852da8b in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:734:34
#63 0x559bd671cc1d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x559bd671d050 in main /gecko/browser/app/nsBrowserApp.cpp:338:18
#65 0x7fc1f0e78082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#66 0x559bd665d069 in _start (/home/worker/builds/m-c-20220528091325-fuzzing-asan-opt/firefox+0x5f069) (BuildId: 25e70f52c48058fe6bb22805b6464ceb2fe8bd9e)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/gcuMHG2t8kRnacy3AXFnTQ/index.html
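As an added triage aid (not part of this bug report or of Gecko), the script below parses a stack in the format printed above and reports any function that is re-entered from inside itself, using a constructed sample of frames copied from the trace: on this trace it shows DoFlushPendingNotifications (frame #0) reached again inside its own outer call (frame #30) through PresShell::Destroy and the editor's ReinitializeSelection, which is the nesting the !mForbiddenToFlush assertion guards against.

```python
import re

# Constructed sample: a handful of frames copied from the assertion stack in this
# bug (innermost first, as the fuzzing build prints them). Frames that do not
# matter for the re-entrancy check are left out.
SAMPLE_STACK = """\
#0 0x7fc1d3c43d56 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4184:3
#2 0x7fc1d39eb8f7 in mozilla::TextEditor::OnFocus(nsINode const&) /gecko/editor/libeditor/TextEditor.cpp:660:14
#3 0x7fc1d39eb711 in mozilla::TextEditor::ReinitializeSelection(mozilla::dom::Element&) /gecko/editor/libeditor/TextEditor.cpp:646:3
#4 0x7fc1ce1d0dad in mozilla::dom::Document::TurnEditingOff() /gecko/dom/base/Document.cpp:6078:21
#6 0x7fc1d3c2830a in mozilla::PresShell::Destroy() /gecko/layout/base/PresShell.cpp:1382:16
#30 0x7fc1d3c43434 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4320:39
#40 0x7fc1ce1e6ad9 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:8137:3
"""

# "#N 0xADDR in FUNCTION(ARGS) FILE:LINE:COL"; the location is the last token.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)\s+(\S+)$")


def parse_stack(text):
    """Return (frame_no, function, location) tuples, innermost first.
    The argument list is stripped so overloads of one function compare equal."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # assertion message, blank lines, frames without "in"
        no, func, loc = int(m.group(1)), m.group(2), m.group(3)
        frames.append((no, func.split("(", 1)[0], loc))
    return frames


def find_reentrant(frames):
    """Map each function present more than once to its innermost and outermost
    frame plus the functions between them (the re-entry path)."""
    result = {}
    for i, (no, func, loc) in enumerate(frames):
        if func in result:
            continue  # already recorded from its innermost occurrence
        for j in range(len(frames) - 1, i, -1):  # outermost match first
            if frames[j][1] == func:
                result[func] = {
                    "inner": (no, loc),
                    "outer": (frames[j][0], frames[j][2]),
                    "between": [f[1] for f in frames[i + 1:j]],
                }
                break
    return result


if __name__ == "__main__":
    for func, info in find_reentrant(parse_stack(SAMPLE_STACK)).items():
        print(f"{func}: frame #{info['inner'][0]} re-entered from frame "
              f"#{info['outer'][0]} via {' <- '.join(info['between'])}")
```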

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220530140717-87e39a7da999.
The bug appears to have been introduced in the following build range:

Start: b635369043bdbc4e9085c4403ca11c7cacd108b4 (20220527035447)
End: e0d03b74ed8352d3e52f44f48641bef88272e6e0 (20220527073811)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b635369043bdbc4e9085c4403ca11c7cacd108b4&tochange=e0d03b74ed8352d3e52f44f48641bef88272e6e0

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(masayuki)

Ah, the previous code before bug 1770874 was tricky... Can fix this quickly.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Severity: -- → S2
Priority: -- → P1
Regressed by: 1770874

Currently, TextEditor::OnFocus does the things which were in
EditorEventListener::OnFocus, and they are not necessary when re-initializing
Selection in the anonymous subtree. Therefore, we should make it call
EditorBase::OnFocus directly.

Depends on D147623

Has Regression Range: --- → yes

Olli thinks this is sec-high, because we may run JS at an unexpected time.

Keywords: sec-high

Make TextEditor::ReinitializeSelection skip things which are necessary to be handled only at getting focus event r=m_kato
https://hg.mozilla.org/integration/autoland/rev/f6b6083e77c9416f20659728143f136d4cd9f090
https://hg.mozilla.org/mozilla-central/rev/f6b6083e77c9

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220601154702-ead7dd146ec4.

Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
Group: core-security-release
Keywords: bugmon