1835353 - Assertion failure: IsValid(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:234

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230526-ccd237b210e9 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: IsValid(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:234

#0 0x7f1e5c20d27a in mozilla::ContentCacheInChild::CacheCaret(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:234:3
#1 0x7f1e5c20f7e2 in mozilla::ContentCacheInChild::SetSelection(nsIWidget*, mozilla::widget::IMENotification::SelectionChangeDataBase const&) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:649:3
#2 0x7f1e5c2290c2 in mozilla::widget::PuppetWidget::NotifyIMEOfSelectionChange(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:837:7
#3 0x7f1e5c2389ef in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/TextEventDispatcher.cpp:486:40
#4 0x7f1e5c201bda in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:1897:43
#5 0x7f1e5a8049f7 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/checkouts/gecko/dom/events/IMEStateManager.cpp
#6 0x7f1e5a80b58d in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1910:3
#7 0x7f1e5a80a855 in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1733:7
#8 0x7f1e5c5d4ce5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2522:13
#9 0x7f1e5c5defbd in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#10 0x7f1e5c5defbd in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#11 0x7f1e5c5deec0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#12 0x7f1e5c5ded9d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#13 0x7f1e5c5de156 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#14 0x7f1e5c5dd419 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#15 0x7f1e5b9e42cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#16 0x7f1e5bca6cfe in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#17 0x7f1e5bb9c980 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8770:32
#18 0x7f1e57bca0ff in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1799:25
#19 0x7f1e57bc6db2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1724:9
#20 0x7f1e57bc78e4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1524:3
#21 0x7f1e57bc8c0f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1622:14
#22 0x7f1e56f64437 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#23 0x7f1e56f5f63a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#24 0x7f1e56f5e117 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#25 0x7f1e56f5e495 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#26 0x7f1e56f679e6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#27 0x7f1e56f679e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#28 0x7f1e56f7dd7a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16
#29 0x7f1e56f8439d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#30 0x7f1e57bd00a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#31 0x7f1e57af1a11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#32 0x7f1e57af1a11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#33 0x7f1e5c257e88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#34 0x7f1e5e4ac96b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:724:20
#35 0x7f1e57bd0f56 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7f1e57af1a11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#37 0x7f1e57af1a11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#38 0x7f1e5e4ac232 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:659:34
#39 0x55a2222c57a6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x55a2222c57a6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#41 0x7f1e6bc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#42 0x7f1e6bc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#43 0x55a22229ca28 in _start (/home/user/workspace/browsers/m-c-20230526162417-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 5ecb48ba200c9d08fec0efd0f8e5740595c50ad1)

Comment 1

[Andrew McCreight [:mccr8]]

Possibly related to bug 1825693? I think that changed some code in PuppetWidget::NotifyIMEOfSelectionChange.

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230526215433-fc6056442a0f.
The bug appears to have been introduced in the following build range:

Start: d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda (20230526040655)
End: ffc18acbe9c027a3d6c960322b40a9d0576af311 (20230526045844)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda&tochange=ffc18acbe9c027a3d6c960322b40a9d0576af311

Comment 3

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

I'm still not sure what's going on in the tricky testcase, though.

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

This detects a bug of IMEContentObserver, that is, it observes mutations of the anonymous <div> in <input> or <textarea>. The anonymous <div> element is available only while the TextControlState manages it with an nsTextControlFrame. However, setting the type attribute causes reframing it and IMEContentObserver cannot observer the text changes during it. However, Selection is observed without the frame. Therefore, only Selection is updated and the range may be out of bounds of the text content which has not been updated.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

This detects a traditional bug of IMEContentObserver which it does not notify IME of text change in the focused text control if and only if the text control element does not have frame. Therefore, this is not a security bug unless native IME can be crashed with this bug.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

First try: https://treeherder.mozilla.org/jobs?repo=try&revision=62f47487af75d3d1e9cf3e5fffce4b8d27090f1c

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:masayuki, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 8

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

The assertion itself was introduced in bug 1825693, but the root cause is there from first version of IMEContentObserver (nsTextStateManager, IIRC).

Comment 9

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1835353 - Make `TextControlState` notify `IMEContentObserver` of setting new value during no frame r=smaug!

IMEContentObserver can observe the value changes only while the text control
has anonymous <div> element because it observers the DOM mutation. The
anonymous <div> is alive (connected) only while the text control element
has a frame (recreated at each reframe). Therefore, IMEContentObserver
cannot observe the value changed during reframing.

This patch makes TextControlState notify IMEContentObserver of setting
new value directly only when it does not have mBoundFrame.

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1825693

Comment 11

[Andrew McCreight [:mccr8]]

Unhiding per comment 5.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The bug is marked as tracked for firefox115 (nightly). However, the bug still has low severity.

:hsinyi, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Comment 13

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

It's being landed right now.

Comment 14

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/266547f5163f
Make `TextControlState` notify `IMEContentObserver` of setting new value during no frame r=smaug

Comment 15

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/266547f5163f

Comment 16

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230531214354-860d4ed91dff.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.