Open Bug 1824143 Opened 2 years ago Updated 1 year ago

Crash in [@ RaiseFailFastException | FailFastWithHR] with mozilla::widget::TSFTextStore::RequestLock(unsigned long, HRESULT*) on the stack

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- affected
firefox111 --- wontfix
firefox112 --- affected
firefox113 --- affected

People

(Reporter: RyanVM, Unassigned)

References

Details

(Keywords: crash, inputmethod)

Crash Data

Looks like this has been around for awhile, but the stack is also pretty consistent. All crashes are on Windows 10+.

Crash report: https://crash-stats.mozilla.org/report/index/664810b3-8f97-4315-9675-aa80f0230323

Reason: ERROR_FAIL_FAST_EXCEPTION

Top 10 frames of crashing thread:

0  KERNELBASE.dll  RaiseFailFastException  
1  textinputframework.dll  FailFastWithHR  
2  textinputframework.dll  <lambda_6fe91ccfd8641a50c744e846aa145b71>::operator  
3  textinputframework.dll  CQueryTextAsync::RunContinuation  
4  textinputframework.dll  CAsyncTaskScheduler::ContinueTask  
5  textinputframework.dll  CQueryTextAsync::Then  
6  textinputframework.dll  <lambda_fb3f73c307d1788214df99eeb85befb4>::operator  
7  textinputframework.dll  CQueryTextAsync::RunContinuation  
8  textinputframework.dll  CAsyncTaskScheduler::ContinueTask  
9  textinputframework.dll  CQueryTextAsync::Then

masayuki, does this look actionable on our side, or does this look like a Windows bug?

Flags: needinfo?(masayuki)

Unless we send invalid selection data at the crash or sent mismatched text data before, it seems that we can do nothing.

Flags: needinfo?(masayuki)

According to the comments of crash reports, Ctrl-A triggered this, and some of them meet this in Gmail and Tumblr. Once we get STR, we could fix this if we send odd selection range to TSF.

I tried to reproduce this in Tumblr, but I cannot reproduce this...

Keywords: inputmethod

According to this crash, this may occur during a text change notification too.
https://crash-stats.mozilla.org/report/index/e33c500f-b009-4695-ab60-619190230327

Marking as S3. Please upgrade to S2 if you think it would be more appropriate.

Severity: -- → S3

If it's caused by invalid selection range notification from text content point of view, it's worthwhile to make IPC messages return IPC_FAIL and stop notifying IME of the invalid selection. Then, we can avoid the crash of all tabs.

It seems that there is still a path to make invalid data relation.
https://crash-stats.mozilla.org/report/index/0f49439b-0c8a-4443-8f6e-8e0a20230701

Sorry, this comment is for another bug.

All of the remaining crash reports are during a selection change notification. So, it suspects that there are still some paths which may notify selection range out of the reported text length.

Must be the earlier assertion failure in early beta or earlier is bug 1845198.

Depends on: 1845198
You need to log in before you can comment on or make changes to this bug.