Open Bug 1826272 Opened 2 years ago Updated 2 years ago

Crash in [@ mozilla::TextInputListener::SettingValue]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

People

(Reporter: m_kato, Unassigned)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1826272 - Make the content process crash if `TextControlState` becomes odd state r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review

I don't know how to reproduce this, but mTextInputListener seems to be null.

Crash report: https://crash-stats.mozilla.org/report/index/367ccea6-10a7-4c31-89e8-b1e4c0230404

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0  xul.dll  mozilla::TextInputListener::SettingValue  dom/html/TextInputListener.h:34
0  xul.dll  mozilla::AutoTextControlHandlingState::WillSetValueWithTextEditor  dom/html/TextControlState.cpp:1219
0  xul.dll  mozilla::TextControlState::SetValueWithTextEditor  dom/html/TextControlState.cpp:2764
1  xul.dll  mozilla::TextControlState::SetValue  dom/html/TextControlState.cpp:2697
2  xul.dll  mozilla::dom::HTMLInputElement::SetValueInternal  dom/html/HTMLInputElement.cpp:2682
2  xul.dll  mozilla::dom::HTMLInputElement::SetValue  dom/html/HTMLInputElement.cpp:1658
3  xul.dll  mozilla::dom::HTMLInputElement_Binding::set_value  dom/bindings/HTMLInputElementBinding.cpp:2976
4  xul.dll  mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>  dom/bindings/BindingUtils.cpp:3266
5  xul.dll  CallJSNative  js/src/vm/Interpreter.cpp:459
5  xul.dll  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:547

AutoTextControlHandlingState::mTextInputListener is never cleared and it's initialized only by the constructors. They initialize it with aTextControlState.mTextListener. It's initialized in BindToFrame and cleared by Clear (called in the CC or the destructor) and UnbindFromFrame. In the reported stack, it's initialized in TextControlState::SetValue, and going into SetValueWithTextEditor means that either mTextEditor or mBoundFrame is not nullptr...

If TextControlState:mTextListener is set to nullptr, at least one of
TextControlState::mBoundFrame or TextControlFrame::mTextEditor must be
set to nullptr. Therefore, when TextControlState realizes the odd state,
it should crash immediately. Then, we can investigate how to reproduce the
situation from crash reports.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/948cf466f3f2 Make the content process crash if `TextControlState` becomes odd state r=m_kato

Fairly low volume crash. Interestingly, most of the crashes appear to be on Android.

Severity: -- → S3
Assignee: masayuki → nobody
Status: ASSIGNED → NEW
Keywords: leave-open

(In reply to Kris Maglione [:kmag] from comment #6)

Fairly low volume crash. Interestingly, most of the crashes appear to be on Android.

I guess that reflow occurs more than desktop browser.

Crash Signature: [@ mozilla::TextInputListener::SettingValue] → [@ mozilla::TextInputListener::SettingValue] [@ mozilla::AutoTextControlHandlingState::AutoTextControlHandlingState] [@ mozilla::TextControlState::Clear]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: