1843608 - Assertion failure: point == GetPointFromIterator(iter, properties) (character position error!), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7472

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230713-a097691d609b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: point == GetPointFromIterator(iter, properties) (character position error!), at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7472

#0 0x7fcb904e5706 in nsTextFrame::GetCharacterRectsInRange(int, int, nsTArray<nsRect>&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7471:5
#1 0x7fcb91afbb89 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3418:28
#2 0x7fcb91b2cd24 in mozilla::a11y::DocAccessibleChild::SerializeTree(nsTArray<mozilla::a11y::LocalAccessible*>&, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:69:16
#3 0x7fcb91b2d172 in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:93:3
#4 0x7fcb91b009e8 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1632:17
#5 0x7fcb91ab747b in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:726:16
#6 0x7fcb902214f4 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2580:12
#7 0x7fcb9022ae01 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#8 0x7fcb9022ae01 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#9 0x7fcb9022ad00 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#10 0x7fcb9022ab9d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#11 0x7fcb90229f16 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#12 0x7fcb90229249 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#13 0x7fcb8f5762bb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#14 0x7fcb8f86cccd in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#15 0x7fcb8f74f470 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8742:32
#16 0x7fcb8b55a04f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#17 0x7fcb8b556da2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#18 0x7fcb8b557a22 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#19 0x7fcb8b558b6f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#20 0x7fcb8a8960a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#21 0x7fcb8a88dc33 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#22 0x7fcb8a88c487 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#23 0x7fcb8a88c8e5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#24 0x7fcb8a899dc6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#25 0x7fcb8a899dc6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#26 0x7fcb8a8b05da in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#27 0x7fcb8a8b743d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#28 0x7fcb8b55ffb5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#29 0x7fcb8b47ab71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#30 0x7fcb8b47ab71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#31 0x7fcb8fe76f58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#32 0x7fcb921a278b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#33 0x7fcb8b560e96 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#34 0x7fcb8b47ab71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7fcb8b47ab71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7fcb921a1fdc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#37 0x55b97a1d0566 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#38 0x55b97a1d0566 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#39 0x7fcba0029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#40 0x7fcba0029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#41 0x55b97a1a7808 in _start (/home/user/workspace/browsers/m-c-20230714094120-fuzzing-debug/firefox-bin+0x58808) (BuildId: 11be84c11618875809fac8c6477691c9c0decf31)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

prefs.js file for bugmon

Comment 2

[Jonathan Kew [:jfkthame]]

This'll be from bug 1838250. I'll take a look.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1838250

Comment 4

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1843608 using build mozilla-central 20230713214846-a097691d609b. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 5

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1843608 - Correct the handling of IsTextCombined in nsTextFrame::GetPointFromIterator and GetCharacterRectsInRange. r=#layout-reviewers

Comment 6

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/64c2cee22579
Correct the handling of IsTextCombined in nsTextFrame::GetPointFromIterator and GetCharacterRectsInRange. r=emilio

Comment 7

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/64c2cee22579