Closed Bug 1824143 Opened 2 years ago Closed 2 months ago

Crash in [@ RaiseFailFastException | FailFastWithHR] with mozilla::widget::TSFTextStore::RequestLock(unsigned long, HRESULT*) on the stack

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
147 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox-esr140 --- verified
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox144 --- wontfix
firefox145 + verified
firefox146 --- verified
firefox147 --- verified

People

(Reporter: RyanVM, Assigned: masayuki)

References

(Regression)

Details

(5 keywords)

Crash Data

User Story

user-impact-score:1050

Attachments

(7 files)

Bug 1824143 - part 1: Log `TextEditor` creation/destruction/focus/blur and when `input` and `beforeinput` events are fired r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1824143 - part 2: Make `TSFTextStore::FlushPendingActions()` set `mDeferNotifyingTSFUntilNextUpdate` before dispatching composition events r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1824143 - part 1: Log `TextEditor` creation/destruction/focus/blur and when `input` and `beforeinput` events are fired
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1824143 - part 2: Make `TSFTextStore::FlushPendingActions()` set `mDeferNotifyingTSFUntilNextUpdate` before dispatching composition events
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1824143 - part 1: Log `TextEditor` creation/destruction/focus/blur and when `input` and `beforeinput` events are fired
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review
Bug 1824143 - part 2: Make `TSFTextStore::FlushPendingActions()` set `mDeferNotifyingTSFUntilNextUpdate` before dispatching composition events
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review
Bug 1824143 - part 2: Make `TSFTextStore::FlushPendingActions()` set `mDeferNotifyingTSFUntilNextUpdate` before dispatching composition events
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review

Looks like this has been around for awhile, but the stack is also pretty consistent. All crashes are on Windows 10+.

Crash report: https://crash-stats.mozilla.org/report/index/664810b3-8f97-4315-9675-aa80f0230323

Reason: ERROR_FAIL_FAST_EXCEPTION

Top 10 frames of crashing thread:

0  KERNELBASE.dll  RaiseFailFastException  
1  textinputframework.dll  FailFastWithHR  
2  textinputframework.dll  <lambda_6fe91ccfd8641a50c744e846aa145b71>::operator  
3  textinputframework.dll  CQueryTextAsync::RunContinuation  
4  textinputframework.dll  CAsyncTaskScheduler::ContinueTask  
5  textinputframework.dll  CQueryTextAsync::Then  
6  textinputframework.dll  <lambda_fb3f73c307d1788214df99eeb85befb4>::operator  
7  textinputframework.dll  CQueryTextAsync::RunContinuation  
8  textinputframework.dll  CAsyncTaskScheduler::ContinueTask  
9  textinputframework.dll  CQueryTextAsync::Then

masayuki, does this look actionable on our side, or does this look like a Windows bug?

Flags: needinfo?(masayuki)

Unless we send invalid selection data at the crash or sent mismatched text data before, it seems that we can do nothing.

Flags: needinfo?(masayuki)

According to the comments of crash reports, Ctrl-A triggered this, and some of them meet this in Gmail and Tumblr. Once we get STR, we could fix this if we send odd selection range to TSF.

I tried to reproduce this in Tumblr, but I cannot reproduce this...

Keywords: inputmethod

According to this crash, this may occur during a text change notification too.
https://crash-stats.mozilla.org/report/index/e33c500f-b009-4695-ab60-619190230327

Marking as S3. Please upgrade to S2 if you think it would be more appropriate.

Severity: -- → S3

If it's caused by invalid selection range notification from text content point of view, it's worthwhile to make IPC messages return IPC_FAIL and stop notifying IME of the invalid selection. Then, we can avoid the crash of all tabs.

It seems that there is still a path to make invalid data relation.
https://crash-stats.mozilla.org/report/index/0f49439b-0c8a-4443-8f6e-8e0a20230701

Sorry, this comment is for another bug.

All of the remaining crash reports are during a selection change notification. So, it suspects that there are still some paths which may notify selection range out of the reported text length.

Must be the earlier assertion failure in early beta or earlier is bug 1845198.

Depends on: 1845198

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 20 desktop browser crashes on release

:masayuki, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(masayuki)
Keywords: topcrash
Duplicate of this bug: 1997738

The severity field for this bug is set to S3. However, the following bug duplicate has higher severity:

:masayuki, could you consider increasing the severity of this bug to S2?

For more information, please visit BugBot documentation.

Flags: needinfo?(masayuki)
Severity: S3 → S2
Flags: needinfo?(masayuki)

Before returning error in Baidu (see bug 1997738 for the detail), ContentCacheInChild failed to create the cache so that ContentCacheInParent won't have new content. So, that could cause unexpected behavior in the main process due to shorter content in the cache but IME may expect longer one.

While handling the first type, the text control frame of <textarea> is reframed. Then, TextEditor may be recreated by the new text control frame or anyway the anonymous editable nodes are recreated. However, the query content events are not handled with the new ones correctly.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED

Log at typing "n" in the field in Baidu. (Some redundant lines are omitted.)

[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText, mReply={ mOffsetAndData={ mOffset=0, mData="" (Length()=0), Length()=0, EndOffset()=0 }, , mWritingMode=h-ltr, mContentsRoot=0x000001DFD00594C0, mIsEditableContent=true, mFocusedWidget=0x0000000000000000 } })
[Child 72504: Main Thread]: I/IMEStateManager DispatchCompositionEvent(aNode=0x1dfd000c300, aPresContext=0x1dfce4e4000, aCompositionEvent={ mMessage=eCompositionStart, mNativeIMEContext={ mRawNativeIMEContext=0x20FF39CB450, mOriginProcessID=0x0 }, mWidget(0x1dfce4de800)={ GetNativeIMEContext()={ mRawNativeIMEContext=0x20FF39CB450, mOriginProcessID=0x0 }, Destroyed()=false }, mFlags={ mIsTrusted=true, mPropagationStopped=false } }, aIsSynthesized=false), browserParent=0
[Child 72504: Main Thread]: D/IMEStateManager   DispatchCompositionEvent(), adding new TextComposition to the array
[Child 72504: Main Thread]: I/IMEStateManager DispatchCompositionEvent(aNode=0x1dfd000c300, aPresContext=0x1dfce4e4000, aCompositionEvent={ mMessage=eCompositionChange, mNativeIMEContext={ mRawNativeIMEContext=0x20FF39CB450, mOriginProcessID=0x0 }, mWidget(0x1dfce4de800)={ GetNativeIMEContext()={ mRawNativeIMEContext=0x20FF39CB450, mOriginProcessID=0x0 }, Destroyed()=false }, mFlags={ mIsTrusted=true, mPropagationStopped=false } }, aIsSynthesized=false), browserParent=0
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText, mReply={ mOffsetAndData={ mOffset=0, mData="" (Length()=0), Length()=0, EndOffset()=0 }, , mWritingMode=h-ltr, mContentsRoot=0x000001DFD00594C0, mIsEditableContent=true, mFocusedWidget=0x0000000000000000 } })
[Child 72504: Main Thread]: I/InputEvent Dispatching eEditorBeforeInput, safe?=Yes, inputType=EditorInputType::eInsertCompositionText, aEditorBase=1dfd02126a0, aEventTargetElement=textarea['chat-textarea'].div['chat-input-area'].div[class="chat-input-container"].div[class="chat-input-wrapper chat-normal-wrapper"].div['chat-input-main'].div[class="chat-input-anchor "].div['input-root'].div[class="chat-input-background_3edHa"].div[class="san-card"].div['main-wrapper'].div[class="s_form_wrapper soutu-env-nomac soutu-env-index"].div[class="s_form s_form_nologin s_form_fresh"].div['head_wrapper'].div['head'].div['wrapper'].body[class="cos-pc home-index-middle pc-fresh-wrapper pc-fresh-wrapper-con pc-fresh-title-con pc-fresh-smooth pc-fresh-smooth-page pc-fresh-icon"].html.#document @ 000001DFD000C300
[Child 72504: Main Thread]: I/TextEditor 1dfd02126a0: PreDestroy() mDidPreDestroy=false
[Child 72504: Main Thread]: I/IMEStateManager OnEditorDestroying(aEditorBase=0x1dfd02126a0)
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 SuppressNotifyingIME(), mSuppressNotifications=1
[Child 72504: Main Thread]: I/TextEditor 1dfd02126a0: Init(aDocument=1dfce407200, aAnonymousDivElement=div.textarea['chat-textarea'].div['chat-input-area'].div[class="chat-input-container"].div[class="chat-input-wrapper chat-normal-wrapper"].div['chat-input-main'].div[class="chat-input-anchor "].div['input-root'].div[class="chat-input-background_3edHa"].div[class="san-card"].div['main-wrapper'].div[class="s_form_wrapper soutu-env-nomac soutu-env-index"].div[class="s_form s_form_nologin s_form_fresh"].div['head_wrapper'].div['head'].div['wrapper'].body[class="cos-pc home-index-middle pc-fresh-wrapper pc-fresh-wrapper-con pc-fresh-title-con pc-fresh-smooth pc-fresh-smooth-page pc-fresh-icon"].html.#document @ 000001DFD00729D0, aSelectionController=1dfd5b76a10, aPasswordMaskData=0)
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 MaybeNotifyIMEOfSelectionChange(aCausedByComposition=false, aCausedBySelectionEvent=false, aOccurredDuringComposition)
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 PostSelectionChangeNotification(), mSelectionData={ mCausedByComposition=false, mCausedBySelectionEvent=false }      
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190   IsSafeToNotifyIME(), it's not safe because of no widget
[Child 72504: Main Thread]: W/IMEContentObserver 0x1dfd03a9190   FlushMergeableNotifications(), Warning, do nothing due to unsafe to notify IME
[Child 72504: Main Thread]: I/TextEditor 1dfd02126a0: PostCreate(), mDidPostCreate=false
[Child 72504, Main Thread] WARNING: Editor was destroyed during an edit action being handled: file M:/fx64-dbg/dist/include\mozilla/EditorBase.h:1021
[Child 72504: Main Thread]: E/TextEditor 1dfd02126a0: AutoEditActionDataSetter::CanHandle() failed
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 MaybeNotifyIMEOfSelectionChange(aCausedByComposition=false, aCausedBySelectionEvent=false, aOccurredDuringComposition)
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 PostSelectionChangeNotification(), mSelectionData={ mCausedByComposition=false, mCausedBySelectionEvent=false }      
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190   IsSafeToNotifyIME(), it's not safe because of no widget
[Child 72504: Main Thread]: W/IMEContentObserver 0x1dfd03a9190   FlushMergeableNotifications(), Warning, do nothing due to unsafe to notify IME
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 BeforeEditAction()
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 BeginDocumentUpdate()
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 EndDocumentUpdate()
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 MaybeNotifyIMEOfSelectionChange(aCausedByComposition=true, aCausedBySelectionEvent=false, aOccurredDuringComposition)
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 PostSelectionChangeNotification(), mSelectionData={ mCausedByComposition=true, mCausedBySelectionEvent=false }       
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190   IsSafeToNotifyIME(), it's not safe because of no widget
[Child 72504: Main Thread]: W/IMEContentObserver 0x1dfd03a9190   FlushMergeableNotifications(), Warning, do nothing due to unsafe to notify IME
[Child 72504, Main Thread] WARNING: Editor was destroyed during an edit action being handled: file M:/src2/editor/libeditor\EditorBase.h:1021
[Child 72504, Main Thread] WARNING: '!editActionData.CanHandle()', file M:/src2/editor/libeditor/EditorBase.cpp:748
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190 OnEditActionHandled()
[Child 72504: Main Thread]: D/IMEContentObserver 0x1dfd03a9190   IsSafeToNotifyIME(), it's not safe because of no widget
[Child 72504: Main Thread]: W/IMEContentObserver 0x1dfd03a9190   FlushMergeableNotifications(), Warning, do nothing due to unsafe to notify IME
[Child 72504, Main Thread] WARNING: '!targetElement', file M:/src2/editor/libeditor/EditorBase.cpp:2891
[Child 72504, Main Thread] WARNING: 'contentObserver->GetPresContext() == mPresContext', file M:/src2/dom/events/TextComposition.cpp:594
[Child 72504: Main Thread]: I/IMEStateManager NotifyIME(aMessage=NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED, aPresContext=0x1dfce4e4000, aBrowserParent=0x0)
[Child 72504: Main Thread]: I/IMEStateManager NotifyIME(aNotification={ mMessage=NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED }, aWidget=0x1dfce4de800, aBrowserParent=0x0), sFocusedIMEWidget=0x1dfce4de800, BrowserParent::GetFocused()=0x0, sFocusedIMEBrowserParent=0x0, aBrowserParent == BrowserParent::GetFocused()=true, aBrowserParent == sFocusedIMEBrowserParent=true, CanSendNotificationToWidget()=true

Okay, while dispatching a beforeinput event, the <textarea> is reframed and the handling TextEditor is destroyed temporarily. Then, the TextEditor is initialized again with the new editable anonymous nodes. However, it fails everything here. So, it seems that mEditorWasDestroyedDuringHandlingEditAction is not reset at the re-initialization.

Okay, there are 2 bugs. One is TextEditor stops working even after reinitialized, this is bug 1992288. The other is, one of a regression of bug 1137561. We made TSFTextStore block to notify TSF of content changes when dispatching a composition event until getting NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED. However, bug 1137561 makes TSFTextStore use TextEventDispatcher instead of TSFTextStore::DispatchEvent. Therefore, TSFTextStore started returning E_FAIL from various ITextStoreACP methods a lot.

Depends on: 1992288
Keywords: regression
Regressed by: 1137561

Set release status flags based on info from the regressing bug 1137561

status-firefox144: --- → affected
status-firefox145: --- → affected
status-firefox146: --- → affected
status-firefox-esr140: --- → affected

It's important to verify that when TextEditor is destroyed temporarily
if the text control frame is reframed by the web app during text input.
Therefore, this patch adds the logger for the timings of TextEditor
creation, destruction, focus and blur and the common InputEvent
dispatcher.

This fixes a regression of bug 1137561. That made TSFTextStore stop
dispatching composition events directly. However, its dispatcher sets
mDeferNotifyingTSFUntilNextUpdate to notify TSF of anything until
it receives NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED since
GetTextExt() etc will return error if the layout has not be updated.
So, we started return E_FAIL a lot from various ITextStoreACP
methods if TSF/TIP queries something immediately after updating
the composition.

Blocks: 1998851
User Story: (updated)
User Story: (updated)

Set release status flags based on info from the regressing bug 1137561

status-firefox147: --- → affected
Pushed by masayuki@d-toybox.com: https://github.com/mozilla-firefox/firefox/commit/6ba307dd8f60 https://hg.mozilla.org/integration/autoland/rev/24715a2dee55 part 1: Log `TextEditor` creation/destruction/focus/blur and when `input` and `beforeinput` events are fired r=m_kato https://github.com/mozilla-firefox/firefox/commit/905d0f6bed20 https://hg.mozilla.org/integration/autoland/rev/672a69840972 part 2: Make `TSFTextStore::FlushPendingActions()` set `mDeferNotifyingTSFUntilNextUpdate` before dispatching composition events r=m_kato

https://hg.mozilla.org/mozilla-central/rev/24715a2dee55
https://hg.mozilla.org/mozilla-central/rev/672a69840972

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
status-firefox147: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch

It's important to verify that when TextEditor is destroyed temporarily
if the text control frame is reframed by the web app during text input.
Therefore, this patch adds the logger for the timings of TextEditor
creation, destruction, focus and blur and the common InputEvent
dispatcher.

Original Revision: https://phabricator.services.mozilla.com/D271558

Attachment #9526394 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Returning error from Gecko to TSF/TIP leads the topcrash in TSF in Windows OS. To prevent the crash we should fix this in the beta channel at least (additionally, in the other channels too if the drivers believe these patches enough safe to do that).
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: 1. Install Sogou IME from https://pinyin.sogou.com/index.php and use it
  1. Run debug build on Windows
  2. Load https://www.baidu.com/
  3. Type "nihao" into the search form at center of the page

Then, you should be able to type text after the form is moved to top of the page and you shouldn't see a lot of warnings in the terminal:

WARNING: 'queryTextRectEvent.Failed()', file D:/firefox2/widget/windows/TSFTextStore.cpp:2020

(The line number may become different after applying the last patch.)

  • Risk associated with taking this patch: low
  • Explanation of risk level: The first one is just adding the logger of TextEditor creation, etc. So, it does not affect to the behavior.

The second one is covered by the automated test.

The last one makes TSFTextStore stops notifying TSF of "layout available notifiecation" immediately after dispatching composition events. This can be checked by the manual QE testing.

(About "Is Android affected": Only the second bug fix is cross-platform bug. Therefore, only that is "yes", but the last patch is "no".)

  • String changes made/needed: no
  • Is Android affected?: yes
Attachment #9526396 - Flags: approval-mozilla-beta?
Flags: qe-verify+

This fixes a regression of bug 1137561. That made TSFTextStore stop
dispatching composition events directly. However, its dispatcher sets
mDeferNotifyingTSFUntilNextUpdate to notify TSF of anything until
it receives NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED since
GetTextExt() etc will return error if the layout has not be updated.
So, we started return E_FAIL a lot from various ITextStoreACP
methods if TSF/TIP queries something immediately after updating
the composition.

Original Revision: https://phabricator.services.mozilla.com/D271560

QA Whiteboard: [uplift][qa-ver-needed-c147/b146]
QA Contact: cgeorgiu
Attachment #9526394 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9526396 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Masayuki, I can see this warning in the terminal after typing the word “nihao” in the search field on https://www.baidu.com
and pressing the spacebar:

[Parent 26352, Main Thread] WARNING: 'queryTextRectEvent.Failed()', file /builds/worker/checkouts/gecko/widget/windows/TSFTextStore.cpp:2054

I've tested this with the latest Nightly debug build (20251114094637) on Windows 11. Can you please take a look?

Flags: needinfo?(masayuki)

Oh, thanks. Yeah, there is one warning message remains. I saw the following set of warnings after choosing "你好" from the candidate list:

[Parent 65348, Main Thread] WARNING: 'mSelection->mHasRange', file M:/src2/widget/ContentCache.cpp:829
[Parent 65348, Main Thread] WARNING: 'queryTextRectEvent.Failed()', file M:/src2/widget/windows/TSFTextStore.cpp:2054

Before that the content process logs:

I/ContentCacheWidgets 0x28df6f9da28 SetSelection(aSelectionChangeData={ mOffset=2, mString="" (Length()=0), GetWritingMode()=h-ltr, mReversed=false, mCausedByComposition=true, mCausedBySelectionEvent=false, mOccurredDuringComposition=false }), mText="'你' (0x4F60) '好' (0x597D)" (Length()=2)
I/ContentCacheWidgets 0x28df6f9da28 CacheCaret(aWidget=0x28df6f9d800, aNotification=Not notification)
2025-11-17 02:01:01.152000 UTC - [Child 70508: Main Thread]: I/ContentCacheWidgets 0x28df6f9da28   CacheCaret(), Succeeded, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28 CacheTextRects(aWidget=0x28df6f9d800, aNotification=Not notification), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28   CacheTextRects(), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mTextRectArray=<Nothing>, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }
I/ContentCacheWidgets 0x28df6f9da28 CacheEditorRect(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_POSITION_CHANGE)    
I/ContentCacheWidgets 0x28df6f9da28   CacheEditorRect(), Succeeded, mEditorRect=(x=264, y=46, w=1275, h=46)
I/ContentCacheWidgets 0x28df6f9da28 CacheCaretAndTextRects(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_POSITION_CHANGE)
I/ContentCacheWidgets 0x28df6f9da28 CacheCaret(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_POSITION_CHANGE)
I/ContentCacheWidgets 0x28df6f9da28   CacheCaret(), Succeeded, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28 CacheTextRects(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_POSITION_CHANGE), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28   CacheTextRects(), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mTextRectArray=<Nothing>, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }
I/ContentCacheWidgets 0x28df6f9da28 CacheCaretAndTextRects(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED)
I/ContentCacheWidgets 0x28df6f9da28 CacheCaret(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED)
2025-11-17 02:01:01.152000 UTC - [Child 70508: Main Thread]: I/ContentCacheWidgets 0x28df6f9da28   CacheCaret(), Succeeded, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28 CacheTextRects(aWidget=0x28df6f9d800, aNotification=NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }
I/ContentCacheWidgets 0x28df6f9da28   CacheTextRects(), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mTextRectArray=<Nothing>, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }

Then, the parent process logged:

I/ContentCacheWidgets 0x28cef3d1160 OnEventNeedingAckHandled(aWidget=0x28cdadc1400, aMessage=eCompositionCommit, aCompositionId=1), PendingEventsNeedingAck()=1, WidgetHasComposition()=false, mHandlingCompositions.Length()=1, HasPendingCommit()=true, mIsChildIgnoringCompositionEvents=false, handlingCompositionData=0x28cef3d1338
I/ContentCacheWidgets 0x28cef3d1160   AssignContent(aNotification=NOTIFY_IME_OF_TEXT_CHANGE), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }, mTextRectArray=<Nothing>, WidgetHasComposition()=false, mHandlingCompositions.Length()=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=264, y=46, w=1275, h=46), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }
I/ContentCacheWidgets 0x28cef3d1160   AssignContent(aNotification=NOTIFY_IME_OF_SELECTION_CHANGE), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }, mTextRectArray=<Nothing>, WidgetHasComposition()=false, mHandlingCompositions.Length()=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=264, y=46, w=1275, h=46), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }
I/ContentCacheWidgets 0x28cef3d1160   AssignContent(aNotification=NOTIFY_IME_OF_POSITION_CHANGE), Succeeded, mText="'你' (0x4F60) '好' (0x597D)" (Length()=2), mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }, mFirstCharRect=(x=264, y=49, w=30, h=43), mCaret={ mOffset=2, mRect=(x=321, y=53, w=2, h=33) }, mTextRectArray=<Nothing>, WidgetHasComposition()=false, mHandlingCompositions.Length()=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=264, y=46, w=1275, h=46), mLastCommitStringTextRectArray={ mStart=0, mRects={ Length()=2, Elements()=[ (x=264, y=49, w=30, h=43), (x=293, y=49, w=29, h=43) ] } }

Then,

I/ContentCacheWidgets 0x28cef3d1160 HandleQueryContentEvent(aEvent={ mMessage=eQueryEditorRect }, aWidget=0x28cdadc1400)  
I/ContentCacheWidgets 0x28cef3d1160   HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryEditorRect, mReply={ , mContentsRoot=0x0000000000000000, mIsEditableContent=false, mFocusedWidget=0x0000028CDADC1400 } }
D/ContentCacheWidgets 0x28cef3d1160 HandleQueryContentEvent(), making offset absolute... aEvent={ mMessage=eQueryTextRect, mInput={ mOffset=0, mLength=1 } }, WidgetHasComposition()=false, HasPendingCommit()=false, mCompositionStart=4294967295, mPendingCommitLength=0, mSelection={ mAnchor=2, mFocus=2, mWritingMode=h-ltr, mAnchorCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mAnchorCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mFocusCharRects[ePrevCharRect]=(x=293, y=49, w=29, h=43), mFocusCharRects[eNextCharRect]=(x=321, y=53, w=1, h=33), mRect=(x=0, y=0, w=0, h=0), Reversed()=false, StartOffset()=2, EndOffset()=2, IsCollapsed()=true, Length()=0 }
E/ContentCacheWidgets 0x28cef3d1160 HandleQueryContentEvent(), FAILED due to there is no selection range, but the query requested with relative offset from selection

... Oh! NS_WARN_IF(mSelection->mHasRange) should be NS_WARN_IF(!mSelection->mHasRange)!!

I'll file a follow up bug.

Flags: needinfo?(masayuki)

Thanks! I'll leave this bug open for now!

Flags: qe-verify+

[Tracking Requested - why for this release]: Although I'm still not sure whether we need to rebase the series of patches for 145, if the number of crash reports keeps high enough or active Chinese users are decreased by this bug, we should uplift this to the release.

(We need to uplift the patches for bug 1992288 and bug 2000479 too.)

tracking-firefox145: --- → ?

It's important to verify that when TextEditor is destroyed temporarily
if the text control frame is reframed by the web app during text input.
Therefore, this patch adds the logger for the timings of TextEditor
creation, destruction, focus and blur and the common InputEvent
dispatcher.

Original Revision: https://phabricator.services.mozilla.com/D271558

Attachment #9527613 - Flags: approval-mozilla-release?

This fixes a regression of bug 1137561. That made TSFTextStore stop
dispatching composition events directly. However, its dispatcher sets
mDeferNotifyingTSFUntilNextUpdate to notify TSF of anything until
it receives NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED since
GetTextExt() etc will return error if the layout has not be updated.
So, we started return E_FAIL a lot from various ITextStoreACP
methods if TSF/TIP queries something immediately after updating
the composition.

Original Revision: https://phabricator.services.mozilla.com/D271560

Attachment #9527615 - Flags: approval-mozilla-release?

This fixes a regression of bug 1137561. That made TSFTextStore stop
dispatching composition events directly. However, its dispatcher sets
mDeferNotifyingTSFUntilNextUpdate to notify TSF of anything until
it receives NOTIFY_IME_OF_COMPOSITION_EVENT_HANDLED since
GetTextExt() etc will return error if the layout has not be updated.
So, we started return E_FAIL a lot from various ITextStoreACP
methods if TSF/TIP queries something immediately after updating
the composition.

Original Revision: https://phabricator.services.mozilla.com/D271560

Attachment #9527633 - Flags: approval-mozilla-esr140?
Attachment #9527615 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #9527613 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #9527633 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+

I've retested this issue using the latest debug builds avaialble, latest Nighlty 147.0a1, Release 145.0.2, Beta 146.0b7 and Esr 140.6.0. Confirming that I cannot reproduce the bug anymore on Win 11.

Status: RESOLVED → VERIFIED
QA Whiteboard: [uplift][qa-ver-needed-c147/b146] → [uplift][qa-ver-done-c147/b146]
status-firefox145: fixedverified
status-firefox146: fixedverified
status-firefox147: fixedverified
status-firefox-esr140: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: