1841689 - Assertion failure: IsValid(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:235

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230702-8a50b880c83f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: IsValid(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:235

#0 0x7f550ad2d9ca in mozilla::ContentCacheInChild::CacheCaret(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:235:3
#1 0x7f550ad30452 in mozilla::ContentCacheInChild::SetSelection(nsIWidget*, mozilla::widget::IMENotification::SelectionChangeDataBase const&) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:650:3
#2 0x7f550ad4be42 in mozilla::widget::PuppetWidget::NotifyIMEOfSelectionChange(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:837:7
#3 0x7f550ad5bbcf in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/TextEventDispatcher.cpp:486:40
#4 0x7f550ad2202a in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:1901:43
#5 0x7f55091a44d4 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/checkouts/gecko/dom/events/IMEStateManager.cpp
#6 0x7f55091abaed in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1924:3
#7 0x7f55091aaaa9 in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1747:7
#8 0x7f550b124eb3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2534:13
#9 0x7f550b12e9b1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#10 0x7f550b12e9b1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#11 0x7f550b12e8b0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#12 0x7f550b12e74d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#13 0x7f550b12dac6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#14 0x7f550b12cdf9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#15 0x7f550a4af4eb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#16 0x7f550a784eae in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#17 0x7f550a673560 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8742:32
#18 0x7f550650130f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#19 0x7f55064fe062 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#20 0x7f55064fece2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#21 0x7f55064ffe2f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#22 0x7f5505835487 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#23 0x7f550582d181 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#24 0x7f550582bb17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#25 0x7f550582bf75 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#26 0x7f5505839306 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#27 0x7f5505839306 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#28 0x7f550584fa4a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#29 0x7f550585680d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#30 0x7f5506507275 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#31 0x7f5506421f31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#32 0x7f5506421f31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#33 0x7f550ad7b828 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#34 0x7f550d0a05db in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#35 0x7f5506508156 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7f5506421f31 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#37 0x7f5506421f31 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#38 0x7f550d09feaa in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#39 0x55d23ac75566 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x55d23ac75566 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#41 0x7f5519429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#42 0x7f5519429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#43 0x55d23ac4c808 in _start (/home/user/workspace/browsers/m-c-20230704093019-fuzzing-debug/firefox-bin+0x58808) (BuildId: 88cd755a7d9b470225e9952c450599a2629c0dfc)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230704214905-bb6a5e451dac.
The bug appears to have been introduced in the following build range:

Start: d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda (20230526040655)
End: ffc18acbe9c027a3d6c960322b40a9d0576af311 (20230526045844)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda&tochange=ffc18acbe9c027a3d6c960322b40a9d0576af311

Comment 2

[Mayank Bansal]

Got a crash from the attached testcase: https://crash-stats.mozilla.org/report/index/f5a6c443-39bc-4f92-9ea3-6f17c0230705#tab-bugzilla

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

:masayuki, since you are the author of the regressor, bug 1825693, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Thank you very much, Tyson Smith! This is what I'd like to know how to reproduce the remaining crash reports.

Comment 5

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 6

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1825693

Comment 8

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1841689 - Make `nsFocusManager::ContentRemoved` let `IMEStateManager` of focus change when focused element is removed from the tree r=emilio!,#dom-core

When an element in the shadow DOM of UA widget of <input> gets focus,
IMEStateManger let know the element instead of <input>. Then, when
HTMLInputElement destroys the shadow DOM at changing type attribute,
IMEStateManager may not let know the focus change until TextEditor
is created. Then, IMEContentObserver is created by UpdateIMEState
notification from EditorBase::PostCreateInternal, but
TextControlState::GetIMEContentObserver() fails to check whether it's
observed by an IMEContentObserver instance (*1). Therefore,
TextControlState fails to notify IMEContentObserver of the value change
while TextEditor is not ready (*2). Then, IMEContentObserver will let
IME know only a selection change without text change. Therefore,
ContentCacheInChild will get invalid data due to outdated mText value
and latest mSelection value (*3).

For solving this issue, this patch makes HTMLInputElement::HandleTypeChange
let IMEStateManager know the focus change synchronously because TextEditor
may be initialized for some API calls of HTMLInputElement before
nsFocusManager handles the focus change.

1. https://searchfox.org/mozilla-central/rev/1bcef85eb36da6de8fab890bc724e214dde68ecb/dom/html/TextControlState.cpp#3055
2. https://searchfox.org/mozilla-central/rev/1bcef85eb36da6de8fab890bc724e214dde68ecb/dom/html/TextControlState.cpp#2959
3. https://searchfox.org/mozilla-central/rev/1bcef85eb36da6de8fab890bc724e214dde68ecb/widget/ContentCache.cpp#54

Comment 9

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/ce811b4b8e62
Make `nsFocusManager::ContentRemoved` let `IMEStateManager` of focus change when focused element is removed from the tree r=emilio

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/41035 for changes under testing/web-platform/tests

Comment 11

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/ce811b4b8e62

Comment 12

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230714094120-196cda3a1052.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.