Closed Bug 1774383 Opened 3 years ago Closed 3 years ago

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181

Categories: Core :: Layout, defect
Status: RESOLVED DUPLICATE of bug 1584674
People: Reporter: arminius, Unassigned
Keywords: reporter-external
Attachments: 1 file, 1 obsolete file

Attached file testcase.xml (obsolete)

The assertion failure can be triggered by scrolling a container in an XML document that has a contenteditable element.

The testcase uses <input autofocus> to cause scrolling, but JS would work here as well.

Build: m-c-20220614164425-asan-opt

Assertion failure: !mForbiddenToFlush (This is bad!), at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181

    #0 0x7fefdb4b85c0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4181:3
    #1 0x7fefd5df0b7c in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10887:16
    #2 0x7fefdb2e5f4a in nsEditingSession::SetupEditorOnWindow(nsPIDOMWindowOuter&) /builds/worker/checkouts/gecko/editor/composer/nsEditingSession.cpp:288:10
    #3 0x7fefdb2e474d in nsEditingSession::MakeWindowEditable(mozIDOMWindowProxy*, char const*, bool, bool, bool) /builds/worker/checkouts/gecko/editor/composer/nsEditingSession.cpp:164:10
    #4 0x7fefd5db307c in mozilla::dom::Document::EditingStateChanged() /builds/worker/checkouts/gecko/dom/base/Document.cpp:6250:25
    #5 0x7fefd5dc2e74 in mozilla::dom::Document::MaybeEditingStateChanged() /builds/worker/checkouts/gecko/dom/base/Document.cpp:6013:7
    #6 0x7fefd5dd4124 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7957:3
    #7 0x7fefd5a81ed6 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
    #8 0x7fefd5e395da in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2437:1
    #9 0x7fefdb781ba4 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:948:12
    #10 0x7fefdb781ba4 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:944:12
    #11 0x7fefdb781ba4 in mozilla::ScrollFrameHelper::SetCoordAttribute(mozilla::dom::Element*, nsAtom*, int) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:7114:13
    #12 0x7fefdb76ae4b in mozilla::ScrollFrameHelper::UpdateScrollbarPosition() /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:5772:5
    #13 0x7fefdb762634 in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, mozilla::ScrollOrigin, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3306:5
    #14 0x7fefdb7638a8 in mozilla::ScrollFrameHelper::CompleteAsyncScroll(nsRect const&, mozilla::ScrollOrigin) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2426:3
    #15 0x7fefdb7644ec in mozilla::ScrollFrameHelper::ScrollToWithOrigin(nsPoint, mozilla::ScrollMode, mozilla::ScrollOrigin, nsRect const*, mozilla::ScrollSnapFlags, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2554:5
    #16 0x7fefdb846532 in ScrollTo /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:2448:3
    #17 0x7fefdb846532 in ScrollTo /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.h:1032:13
    #18 0x7fefdb846532 in non-virtual thunk to nsHTMLScrollFrame::ScrollTo(nsPoint, mozilla::ScrollMode, nsRect const*, mozilla::ScrollSnapFlags, mozilla::ScrollTriggeredByScript) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.h
    #19 0x7fefdb4b3a4a in ScrollToShowRect(nsIScrollableFrame*, nsRect const&, nsMargin const&, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3571:23
    #20 0x7fefdb4b23d2 in mozilla::PresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsMargin const&, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3776:9
    #21 0x7fefdb4b123b in mozilla::PresShell::DoScrollContentIntoView() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3725:3
    #22 0x7fefdb4b80cc in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4360:11
    #23 0x7fefd5df0b7c in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10887:16
    #24 0x7fefdb4b09b7 in mozilla::PresShell::ScrollContentIntoView(nsIContent*, mozilla::ScrollAxis, mozilla::ScrollAxis, mozilla::ScrollFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3619:16
    #25 0x7fefd605a9ef in nsFocusManager::ScrollIntoView(mozilla::PresShell*, nsIContent*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2892:15
    #26 0x7fefd6047113 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1764:11
    #27 0x7fefd60490a5 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:486:3
    #28 0x7fefd5e304f5 in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:468:16
    #29 0x7fefd5e7d7b4 in mozilla::dom::nsAutoFocusEvent::Run() /builds/worker/checkouts/gecko/dom/base/Document.cpp:12834:15
    #30 0x7fefd30df772 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:475:16
    #31 0x7fefd30a4e75 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:788:26
    #32 0x7fefd30a2028 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:620:15
    #33 0x7fefd30a2750 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:398:36
    #34 0x7fefd30e8471 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
    #35 0x7fefd30e8471 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #36 0x7fefd30c5b57 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1180:16
    #37 0x7fefd30cff84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #38 0x7fefd46b3308 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #39 0x7fefd45511e1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #40 0x7fefd45511e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #41 0x7fefd45511e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #42 0x7fefdaea85e7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #43 0x7fefdfbc3677 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:875:20
    #44 0x7fefd45511e1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #45 0x7fefd45511e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #46 0x7fefd45511e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #47 0x7fefdfbc281b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:734:34
    #48 0x5613117d0825 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #49 0x5613117d0bd6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:338:18
    #50 0x7feff482928f  (/usr/lib/libc.so.6+0x2928f) (BuildId: 388993b6ef62f964bc7bf473c069fbfe957b9e44)
    #51 0x7feff4829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349) (BuildId: 388993b6ef62f964bc7bf473c069fbfe957b9e44)
    #52 0x561311710c80 in _start (./m-c-20220614164425-asan-opt/firefox+0x72c80) (BuildId: 79598e739588636f285bb905f2f953875c772419)
Flags: sec-bounty?
Attached file testcase.xml
Attachment #9281390 - Attachment is obsolete: true

Thanks for the bug report!

It looks like this is the same as bug 1584674; it's the same assertion, and the testcase looks quite similar (<input contenteditable="" autofocus=""> in a scrollable area).

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: core-security → layout-core-security
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security
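
A minimal reconstruction of the triggering document, written from the descriptions in the report (scrolling a container in an XML document that contains a contenteditable element, with <input autofocus> used to cause the scroll) and in the duplicate comment (<input contenteditable="" autofocus=""> in a scrollable area). This is an added example, not the attached testcase.xml, which is not reproduced on this page; the container size, the spacer element and the script-driven variant are assumptions. It is only expected to hit the MOZ_ASSERT in a build with assertions enabled (the reporter used m-c-20220614164425-asan-opt); a release build will not assert, and whether the scripted scroll reproduces it as reliably as autofocus is not established by the bug.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reconstruction for bug 1774383; assumed layout, not the original testcase.xml.
     Load in an assertion-enabled (debug or ASan opt) build of Firefox. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>bug 1774383 reconstruction</title>
</head>
<body>
  <!-- A scrollable container (height and overflow are assumptions). The
       autofocused element sits below the fold, so focusing it goes through
       nsFocusManager::ScrollIntoView -> PresShell::ScrollContentIntoView,
       matching frames #24-#29 of the reported stack. -->
  <div id="scroller" style="height: 50px; overflow: auto;">
    <div style="height: 500px;"></div>
    <!-- contenteditable plus autofocus, as described in the duplicate comment.
         The scroll updates the scrollbar position attribute (frames #8-#13),
         the document update ends, and EditingStateChanged() sets up the editor
         and flushes layout while flushes are forbidden (frames #0-#7). -->
    <input contenteditable="" autofocus=""/>
  </div>

  <!-- Script-driven variant, following the reporter's note that JS would
       work as well. Assumed to be an equivalent trigger; remove the autofocus
       attribute above to exercise only this path. -->
  <script type="application/javascript">
    // <![CDATA[
    window.addEventListener("load", function () {
      var s = document.getElementById("scroller");
      s.scrollTop = 400;
    });
    // ]]>
  </script>
</body>
</html>
```

Serve the file with an XML media type (for example application/xhtml+xml) or keep the .xml extension so the document is parsed as XML rather than as HTML; the report specifically concerns an XML document.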